Re: [fw-wiz] Security dumming down - the king's clothes

From: Chris Blask (
Date: 12/13/03

  • Next message: JC Marze: "[fw-wiz] PIX inside interface not accessible using CVPN"
    To: "Marcus J. Ranum" <>, Roger Marquis <>,
    Date: Sat, 13 Dec 2003 14:27:56 -0800

    Hi folks!

    At 11:03 AM 12/12/2003 -0500, Marcus J. Ranum wrote:

    > >Anyone in the news media know why this critical security story was
    > >de-indexed so quickly?
    > >
    > > Internet worms and critical infrastructure, Bruce Schneier
    > > <>
    > >
    > >It's a detailed examination of the correlation between MSBlast and
    > >the Aug. 14 power blackout. Recommended reading, however, despite
    > >being published on Dec. 9 it is no longer included in Cnet's front
    > >page index or their security index which goes back to Nov. 25.

    The answer I believe is primarily educational in that it is a reflection of
    the fundamental structure of pragmatism that drives the creation of all
    these networks we have: "it's a trifle chaotic out there". Why is this
    article specifically not where it should be on Either: human
    error - someone at CNET screwed up, or; overzealous Homeland Defense
    employee - that would be the conspiracy, if you could call it that, really
    more human error IMHO however it might have happened.

    The interesting thing about the uber-topic ("how do we keep this thing up
    and running?") is that despite - and to some sense due to - the vast
    imperfections of our combined efforts we (all of us pro-security folks) by
    and large win just about all of the time. If the networks of the world
    aren't out there ticking away day and night and just as likely as sunrise
    to keep doing so forever then I'm a Leopard Frog. "Eternal vigilance is
    the price..." of course (and ho-boy but there's work to be done for anyone
    willing to pitch in), but we've come a long way in the past decade or two -
    and even the last five years. Yes, the ramifications of screwing up
    (blacking-out the East Coast, for example) are more significant than in the
    past, but that's an organic aspect of this stage of this grand endeavor and
    it's our jobs to deal with it.

    The big challenge of implementing security on the Internet is a timing and
    logistics issue, really. It takes X trillion person-hours to develop,
    assemble, ship, deploy, operate and maintain One (1) Internet (batteries
    included). Of that amount of resource, most is dedicated to the
    development, assembly... of the bits that move the data around and do
    interesting things with it at the endpoints. As the total team of folks
    responsible for the security portion of this overall process our
    responsibility is to make it a safe place to be once it's built and see
    that injuries on the work site are minimal. The project is still underway
    and the objective reality of the situation is what it is, so there's only
    so much value in railing against the "stupidity" and "bs" involved.

    At this stage a large part of what we need to do as leaders of the security
    effort is not to simply chastise folks for not being as savvy as we are,
    but to help them want to go in safe directions. If that means helping them
    acquire Firewalls (when savants amongst us tell them "firewalls are no use
    unless you use 1024-bit encryption, biometrics and implement a holistic
    security policy") to move the state of affairs forward, so be it.

    As someone who has played a variety of roles in security it seems clear to
    me that our greatest weakness as an industry is not that our customers are
    too stupid, but that we are often, regrettably, too "smart". We're the
    leading edge of a particularly technical/hobbyist/fanatic area of
    expertise which needs to become common, deployable, consumable and - in
    most cases - mundane if it is to fulfill its purpose. As a group we suffer
    a particular lack of people who both understand the drivers, dynamics and
    technical details necessary to do the job right and who also are capable of
    recognizing a customer at ten paces in a well-lit room, understanding how
    they got there and where their momentum is taking them and not making them
    feel like incompetent dolts in the first five minutes of the conversation.

    A customer is a person who is responsible for choosing, installing or
    running security technologies for the network owned by their
    employer. They have 2-5k work hours per year and a plate full of issues
    past, present and evolving, most of which are largely driven by the
    existing momentum of their environment and almost none of which really has
    anything to do with computer networks, much less security (anyone see that
    IBM ad? "We're a shirt company. We make shirts."). If they don't get what
    we are saying then it is because we aren't speaking clearly enough, or they
    just are not ready to listen to it.

    >Bruce's look at the problem is probably too technical for a lot
    >of journalists. :) Seriously, though, Bruce makes some provocative
    >points but unfortunately, now that the event is over, it's probably not
    >going to be possible to tell exactly what *DID* happen. More interesting
    >broad questions that could have been asked are hidden in Bruce's
    >article, and therefore are ignored namely:
    > 1) If these networks are so critical, why are their controlling
    > systems internet-connected at all!?

    Because that's what folks in those positions do based on their operational
    environment, and we as an industry have not provided them secure ways of
    accomplishing the same goals with solutions they are capable of
    consuming. The scale of the logistic effort doesn't help, either.

    > 2) If these networks are so critical, why has there been no
    > overall systematic design of their security properties?

    Because security is (at best) secondary to the reason the networks were

    > 3) If these backup systems and management systems that
    > Bruce mentions are also critical to the grid networks, why
    > aren't they treated as such?

    Because we as citizens and consumers have not in the past been either
    willing or able to compel them to do so.

    >I guess, to me, it boils down to "what, don't people understand
    >that transitive trust implies transitive failure?" but that's a statement
    >of the obvious. :(
    >When I read something like Bruce's article, I divorce it automatically
    >from Microsoft-related questions - if Microsoft wasn't the issue,
    >some other software vendor would be. As much as we're all
    >jealous of microsoft's wealth and power^H^H^H^H^H^H^H^H^H^H^H^H^H^H
    >concerned by Microsoft's dominance in the software industry, I don't
    >suspect that any of the other O/S vendors out there (Sun? IBM?
    >Apple?) would do a fantastically superior job if they had 99.9% of
    >the desktops in the world, either. So focus on the kind of issues I
    >see above: why are trust boundaries between mission critical and
    >non-critical networks weakly defined and poorly understood?


    > >All of which make me wonder about an article by Fred Avolio in
    > >September's Information Security Magazine.
    > ><,295796,sid6_iss81_art179,00.h
    > tml>
    > >It was, on the surface, an attempt to make a distinction between
    > >"stateful inspection" and "application intelligence", but anyone
    > >who knows Fred can see that the story was dumbed down to a such an
    > >absurd degree that it makes no sense at all, except perhaps to a
    > >marketing or rhetoric PhD. It should be noted that Information
    > >Security Magazine rarely covers anything other than products which
    > >run under operating systems written by the vendor in question and
    > >that they rarely say anything negative about anything.
    >I don't think Fred needs me to stick up for him so I won't. ;)
    >But - if I know Fred, he was probably trying to make a subtle
    >point about marketing bullsh*t applied to computer security. :)
    >After all, "application intelligence" sure sounds like a marketing
    >bullsh*t reinvention of proxy firewalls - which is old old stuff not
    >new new stuff. I don't want to put words into Fred's mouth but I
    >know he sees his job as to educate - to try to get people who are
    >not very technically sophisticated (but who may think they are)
    >to see the fundamentals that they haven' had time to learn.

    And *that* is half of my point/rant here. Rather than take offense at Fred
    or others' "dumbing down" of our favorite hobby, we should encourage the
    iterative explanation of our hobby to non-hobbyist in whatever words are
    small enough to carry the critical information into their brains.

    The other half is to build and offer products that are made to fit these
    same folks' operational realities, as opposed to our own.

    >Part of the "dumbing down" that you're seeing is the result of
    >security's newfound importance as a field. We've got loads of folks
    >who are trying to spin up quickly because they've finally
    >realized they need to worry about it. We've also got tons of
    >new security companies trying to cash in on security's
    >newfound importance - so every one of those companies (most
    >of which sell pretty much the same thing) have marketing
    >idiots who work for them who say "we need to define a NEW
    >CATEGORY OF PRODUCT" so they start messing with the
    >language. Now, all those poor newly-minted security guys have
    >to wade through all this new marketing glop filled with claims
    >that they have to validate the truth or falsity of, and new
    >terminology they have to figure out. To a greater or lesser
    >degree, a lot of us old-timers try to fight the flood of bullsh*t
    >by educating customers and end users so they can identify
    >it themselves. So, yes, Fred probably is dumbing down a lot of

    And again, more power to him and us inasmuch as we can achieve that goal.

    However, the fact that startups with minimal expertise on the marketing
    side may make outrageous claims which mislead and confuse customers is
    again both an immutable artifact of where we are in the process as well as
    a sign of the inability of those with the knowledge to provide correct
    information in a format and volume the greater population can understand.

    >You don't make a lot of friends if you write an article that says
    >"Calling something 'stateful multi-layer inspection' is a ridiculous
    >load of dingoes kidneys when you consider that all it's doing is
    >keeping a state-table entry on which direction you saw the
    >original SYN packet and doing some minimal TCP sequence
    >processing to make sure packets are within a window. Only a
    >marketing idiot would come up with a term like 'stateful multi-layer
    >inspection' for something that's basically a little bit more stateful
    >than router 'established' screening." Of course journalists aren't
    >required to make friends but - it doesn't help a lot if your editors
    >get hate mail each time you write a column. :)

    True, but moreover it doesn't make for many *customers* either. As
    squeamish as we may get about generating actual revenue (and creating
    actual jobs), the best technology is impotent if there are no customers
    gaining from its brilliance. Journalists as you say experience a braking
    action on making such statements, but competitive vendors don't gain much
    from such words, either. Scaring people with (as it happens in this case,
    technically correct) raving rarely serves the purpose of clarifying what in
    fact they do need to do.

    > >The common thread is the amazing degree to which cyber security is
    > >being dumbed-down whenever it applies to this one particular vendor.
    >Can't you say "Microsoft"? Cat got your tongue? ;)
    >I don't think that's the case. There's certainly no broad conspiracy
    >or even a small one. There are a few companies and individuals who
    >look out for their financial interests - but they HAVE to. :)
    >There's also a matter of professional ethics. I happen to believe
    >that if you're taking someone's money you should not publicly
    >throw rocks at them unless that's part of your arrangement. It
    >falls under the old rule of "the customer is always right"
    >@Stake's single largest customer was Microsoft. By doing
    >what he did without telling his boss what he was doing, Geer
    >broke the 3rd law of corporate survival: he surprised his boss
    >with something bad involving a big customer. Whether it's morally
    >justified or not, it's professionally stupid. Dan could have resigned
    >a year or 2 before he published that paper, if that's how he really felt,
    >and then nobody could have faulted him at all.
    >If you work for a man, in heaven's name, work for him. If he pays you
    >wages which supply your bread and butter, speak well of him, stand
    >by him and the institution he represents. If put to a cinch, an ounce of
    >loyalty is worth a pound of cleverness. If you must vilify, condemn and
    >eternally disparage -- resign your position, and when you are outside,
    >damn to your heart's content. But as long as you are a part of the
    >institution, do not condemn it. If you do that, you are loosening the tendrils
    >that are holding you to the institution, and by the first high wind that comes
    >along, you will be uprooted and blown away and probably will never know why.
    > - Elbert Hubbard

    Absolutely agree. (have to do that at least once per flame to keep the
    civility :-)


    > >The logical outcome of this collective failure to to recognize the
    > >king has no clothes will, I fear, be as bad for information security
    > >as it was for the airlines on 9/11/01.
    >A lot of folks recognize that the emperor has no clothes. The
    >question is: why? Microsoft's stuff is certainly PART of the problem
    >but another big piece of the problem is that people insist on buying
    >it and don't manage it right. There's enough blame to go around
    >and just assuming a conspiracy is too simplistic. The truth is a more
    >complex combination of clueless customers, cruddy code, incompetent
    >federal IT workers, consultants out for a buck, marketing idiots, and
    >a dash of denial.

    Generally true enough in regards to the real issue being complexity, and
    "why?" is an important stepping stone leading to answering the real
    question: "how?" How do we go about, as a group and in our individual
    efforts, moving all of this forward? Understanding "why?" - the dynamics
    that lead to cruddy code and the rest (if these are truly appropriate ways
    to define the component problems, which I do not believe they are) - is
    step #0 in deciding what to do about it. Building Marketing (yeah, I said
    it) activities that define executable security products that increment the
    project down the causeway ("inbound" marketing: Product Management et al)
    is Step #1. Building the product (service, best practise...), all the
    while asking folks who look like customers "Can you use it like
    *this*? Will *that* kind of implementation be something you can actually
    get value out of?", is Step #2. Step #3 is (the dread) Outbound Marketing
    - packaging what you've built in a format that people can and will actually
    consume, deploy, implement and add objective security value with, in full
    awareness of who and where they are and what they do for a living.

    o Customers aren't "clueless", they simply know what they know, and almost
    none of that is Holistic Secure Networking. Never will be.
    o Code isn't "cruddy", it's simply written by coders who generally aren't
    skilled at or motivated by writing secure apps.
    o Gov't workers aren't (necessarily ;-) incompetent, they are simply the
    kind of folks who are capable of operating in the environment generated by
    gov't bureaucracy.
    o Consultants are all about making money, it's a Free Market Capitalism thing.
    o Marketing idiocy is balanced in preventing secure networks by technical
    myopia. IMHO more than balanced.
    o Denial I'd relegate to the operational reality bucket. Customers are
    what they are, and inasmuch as we have information in our head that they
    should have and act on - but they don't - then we probably aren't
    communicating well with them.

    These are characteristics of the battlefield. Whether we're soldiers or
    generals we find it as it is, and if we choose to impose our will on it
    we'll have to start from current conditions and exploit opportunities to
    advance our agenda.

    o Where in order to deploy security technologies customers are required to
    know more about the topic of security than will realistically fit in their
    daily world, those technologies will not be deployed whether they are good
    or not. Best we package our understanding in a way they can recognize and
    o Can code be more secure? Sure, with the right development tools. If
    not? Well, there will then obviously have to be another layer implemented
    to snuff insecure apps when they go ballistic. I'm sure we'll come up with
    o Gov't networks? <heavy sigh> Alright, that's a tough one, but the
    answer I bet lies in the direction of: complex social evolutions (that I
    think we are capable of and undergoing now) involved with political
    processes; increasing consumability of security (even a gov't can deploy
    the obvious); learning from Bad Experience; and lagging behind a
    nevertheless improving private market. Don't hold me to that, though... ;-)
    o In a vacuum of tangible and understandable solutions to pragmatic live
    problems, customers will listen to whatever consultant they can find. The
    reverse is also true.
    o Marketing successfully (inbound - understanding customers and building
    products to fit their needs, and outbound - telling potential customers how
    the product fits into their spectrum of pragmatic needs) is key to the
    creation of useful security products (services/best practices) and their
    actual use on actual networks to provide actual security.
    o Forget yourself, imagine you are customer X with background Y
    responsible for activity Z. What could someone say to you that would make
    you actually get the fact that this security stuff is a high priority and
    give you some idea on specifically what to do about it? Answer that one
    and customers will nod and behave (sometimes) like good network citizens.

    We're the old timers, vendors and experts who, if anyone does, should
    understand this stuff. Failure in the overall effort to build security is
    our failure, and its success is our success. Blaming customers for being
    stunned is counterproductive and an act of denial of our own responsibility.

    Fortunately I'm an optimist and I'm sure that It Will All Work Out In The
    End. Each packet that successfully traverses the net is living proof that
    we haven't been catastrophically wrong, yet.



    >firewall-wizards mailing list

    Chris Blask
    Vice President, Business Development
    Protego Networks Inc.

    (1) 416 358 9885 - Direct
    (1) 408 262 5220 - HQ
    (1) 408 262 5280 - Fax

    "The first purpose-built appliance for Real-Time Security Threat Mitigation"

    firewall-wizards mailing list

  • Next message: JC Marze: "[fw-wiz] PIX inside interface not accessible using CVPN"