Re: [fw-wiz] Botnets, IRC servers and firewalls?

From: Stephen P. Berry (
Date: 02/07/04

  • Next message: Bob Alberti: "[fw-wiz] Allowing relay through Watchguard Firebox 1000"
    To: Paul Robertson <>
    Date: Fri, 06 Feb 2004 20:19:41 -0800

    Hash: SHA1

    Paul Robertson writes:

    >The "worst" thing a home user can do
    >is execute a virus or trojan- and the interface presents that in
    >essentially the same way as non-active content- that's not really an
    >end-user problem. Take the execute bit off the place where attachments
    >normally get saved, and you'd remove a huge percentage of the problems.
    >We at some point must come to the place where "breaking" 2% of
    >functionality to save 98% of users is worth doing.

    I think this is a specific instance of a more general infosec desiderata:
    We need to get to the point where we can address problems -in aggregate-
    rather than individually.

    If we look at this as an endluser problem then our solution is going
    to involve (at least in part) things like luser education and training.
    Individually, this is not necessarily a large task[0], but:

            -Educating one luser doesn't help educate other lusers[1]
             (This includes the proposition that me educating my lusers
             doesn't help you educate your lusers)
            -Educating -all- lusers is a large task
            -Single lusers crapping out on their training can be as expensive
             as multiple lusers crapping out[2]

    The point being that solutions to endluser problems (approached from
    the endluser end) don't scale. The reason why this is particularly
    problematic is that bad guy activities tend to scale extremely well.

    I've said things to this effect before (possibly on this list), but
    I think it bears reiteration: On any given day, lots of bad guys are
    probably working on breaking the latest version of any given application
    foo[3]. Even if they aren't all -intentionally- coordinating their efforts,
    their common goals (i.e., to compromise foo) creates -effective- cooperation.

    Unfortunately, the same is not true of the efforts of the good guys[4]. An
    adequate discussion of why this is the case is probably beyond the scope
    of this mailing list. Short version: even if all exploitable bugs
    disappeared overnight this would not necessarily lead to an overall
    improvement in the effective `security' of the internet. This, too, is
    another contention that deserves careful discussion, but consider:
    there were information security problems before anyone was pushing
    data over networks---or even doing mechanical computation, for that matter.
    This implies that removing all the security-related problems of
    the -technology- of a system will not remove all the information security
    problems of the system itself.

    The punchline? Solutions to widespread security problems -must-
    scale or they are not solutions at all[5].

    - -spb

    - -----
    0 Mod a nonzero number of lusers in any given population, for which
            the problem is intractable.
    1 Mod getting the educational infrastructure in place, incremental
            gains derived from end lusers educating each other, u.s.w.
    2 In other words: in the general case the magnitude of risk is not
            linear with respect to the number of untrained lusers (although
            it may be in specific cases). Compare the case of something like
            virus propagation versus something like unintended information
            disclosure (e.g., the shareholder report ends up on Kazaa).
    3 And of course there are other sources of effective cooperation
            among bad guys, mostly deriving from other common goals.
    4 I.e., by having lots of good guys do code auditing together. Again,
            there are other way good guys can cooperate; the point is that
            they tend not to scale as well as does cooperation among the bad
    5 If there was a magic ritual that could render a network device
            or host absolutely `secure' (for some arbitrary definition of `secure')
            but which required a trained shaman and a couple weeks of
            preparation to conduct, it would have no perceptable effect on internet
            security in aggregate.
            Evidence: we -already- have rituals that will eliminate a huge
            portion of known vulnerabilities which takes comparatively
            little time (i.e., staying rev on patches) and expertise, and
            virtually nobody (in aggregate) uses them.
            This suggests that approaches to the problem of this form are
            unlikely to be effective.

    Version: GnuPG v1.2.1 (OpenBSD)

    -----END PGP SIGNATURE-----
    firewall-wizards mailing list

  • Next message: Bob Alberti: "[fw-wiz] Allowing relay through Watchguard Firebox 1000"