Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
From: Chris Blask (chris_at_blask.org)
Date: 06/01/05
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- In reply to: Fritz Ames: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- Next in thread: Chris Blask: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- Reply: Chris Blask: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Fritz Ames <fritzames@earthlink.net>, Ben Nagy <ben@iagu.net>
Date: Tue, 31 May 2005 19:46:58 -0400
Hey Fritz!
At 08:23 AM 5/31/2005, Fritz Ames wrote:
>Ben,
> Along with the part that stays the same is the part about getting
> a business to change its approach to security, or, "How does the security
> zealot at the company sell their position?" Sure it sells faster
> (somewhat, and for a little while) when there is a traumatic event, but
> then the large-scale traumatic events, as you pointed out, have been mere
> nuisances to-date. How does our hero pitch the solution to preventing
> annihilation by the
> "Code-Red-that-steals-your-data-nukes-your-hard-drive-and-then-steals-your-wife,-and-unplugs-the-fridge
> on-the-way-out" trojan?
Well, it isn't easy.
People don't worry about theoretical threats very much, and usually they
are proven right. Even if someone else does lose an arm eventually, they
all pause, someone develops the Arm-Shield [tm], they are installed on all
new Things and people go back to doing the same stuff with new gear.
We got a problem because:
o we haven't designed all the gear we need, yet
o most of what we have isn't finished
o the people using our toy have gotten way ahead of us
o they only vaguely know how to use what we've given them
o and they don't know which bits of flooring are just old particle board
someone threw down on their way to fixing a roller coaster.
But we built the thing for them ("they" include your parents and children,
so don't deny it), therefore we can't get too annoyed with them. We just
hafta keep building as it's being used and trying to get the casualty rate
down from the "Drunk Freehand Rock Climbing" level to somewhere around
bungee jumping...
> It's the same old problem. "Here's your new fire extinguisher
> budget..." I get the sense that *really* going after the education of
> the users is the opportunity to make the biggest difference. (The
> biggest difference? Really?)
Yes.
> Savvy users will be less likely to click on that link to Hades. Savvy
> users who run companies will have better ideas of how to evaluate their
> risks and their mitigations--and spend their dollars more
> carefully. Savvy users who run companies and who read "MJR/Fred/Paul"
> will buy less marketing hype, less BS process and documentation
> masquerading as security, and more secure systems. Savvy network admins
> will... Savvy DB folks will... Savvy Web site folks will... Savvy
> developers will... All those folks out there who are busy doing their
> jobs, getting things done, building real stuff, and who haven't had time
> or inclination to really get security will catch on and...
Sounds corny, eh? :-)
Still true.
> OK, so this has been tried before. ...or has it?
Not really (the Queen of Ants would say "never in the history of time").
.d.
> There's got to be some kind of candy to lure people in to like learning it.
There's lots of candy, it's just a big job. Security is sexy and exciting
- we're lucky in a way because *everyone* has had a conversation about
hackers (or seen a bad movie), and has a base set of memes. Those memes
are as well developed as "green men live on Mars", but at least they know
that Mars is a planet and have some concept of what that means, so giving
them a working understanding of the universe isn't impossible.
[I've been doing this with a series of nieces and nephews for a decade or
so now with general success, despite the dreck of superstition, hearsay and
base falsehoods they otherwise vaguely acquire. "Universe go boom, no-one
discernible says 'let there be Helium!', dust clumps up, 1st gen
stars=Heavy Metals, 2nd gen stars=Michelangelo. Welcome to Entropy, enjoy
your stay." :-]
> So increasing security awareness isn't directly relevant to
> firewall technology ...in the hardware sense. But if not us, who? If
> not now, when? Ah! To heck with it. I can't make it work if better
> minds than mine haven't succeeded in this area. Please pass the fire
> extinguisher...
There aren't better minds than yours, and if there are, half an effort by
ten people carrying Clue badges is likely to have more effect than heroic
efforts by an Einstein.
It's just a long bloody walk carrying a really heavy pack with pointy bits
in the wrong places while occasionally getting yelled at for it by people
who don't know where you are going, what you are carrying or why, but who
benefit from your efforts. If you notice, people say thanks and bring you
a beer sometimes as well - and you like the work or you wouldn't be doing
it, so it's not all that bad a lifestyle.
Go sailing for a year if you have to, but don't give up the fight. As far
as work goes, infosec beats coding business apps (or carrying heavy packs)
by a mile.
-cheers!
-chris
Chris Blask
chris@blask.org
http://blaskworks.blogspot.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards