Re: Going meta (was RE: [fw-wiz] Ok, so now we have a firewall...)

From: R. DuFresne (
Date: 06/09/05

    To: Chris Blask <>
    Date: Wed, 8 Jun 2005 19:54:13 -0400 (EDT)


    Let's see, the CIO for my present employer won, I believe, the ISE award
    last fall, and her competition consisted of the CISO for the now infamous
    ChoicePoint, amongst others. I'd say much more, but well, let it rest
    with my <cough> congrats on this 'award'...

    Point being, we tend to award those that demonstrate minor accomplishments
    in this industry, at this time, overlooking that the high profile systems and
    projects these folks manage are fraught with exposures, compromises, and
    latent lack of accountability, so the processes to clean up are down the
    road of enlightenment.

    And, yes, I'm trying to be as obtuse as possible here to avoid being made
    a scapegoat once again...


    Ron DuFresne

    On Thu, 2 Jun 2005, Chris Blask wrote:

    > Hey, Scott!
    > At 04:28 PM 6/2/2005, Scott Stursa wrote:
    > .d.
    >> So I held my ground and we did it my way. The result - no compromised
    >> hosts since then (beginning of March).
    >> But I've paid for that. Two months ago he did a performance appraisal on
    >> me, giving me the first "unsatisfactory" rating I've received in 26 years
    >> of working for the university. I'm on probation and having to document
    >> literally every minute of my day. Not that it will make any difference - I
    >> fully expect to be unemployed when my contract expires in August.
    >> This is the price I'm paying for *not* being a "sissy".
    > That sucks! I mean, it is quite possible he is just the breed of pencil-neck
    > career-monkey that occurs so often in the wild and you would never be able to
    > live with him, anyway, but this is precisely the kind of situation that
    > occurs again and again and grinds us down as a group. Of course it's
    > grinding you now specifically, but I bet you a bottle of Jameson's that you
    > end up making more money this time next year than you are now (and maybe more
    > than your petty boss :-) and enjoy your work more.
    > I've been following the accountability thread, and it occurs to me that the
    > one thing we desperately lack is the ability to deliver good practices that
    > people can follow and be held accountable for following. In a Perfect World
    > it would be a piece of paper that Scott could take to his boss's boss and say
    > "I insisted we follow this, as is my responsibility, and Rung Lemur here is
    > all pissy about it."
    > o I know good classes are being taught, but obviously it isn't enough and/or
    > we have other issues (and Quantity < Need, certainly).
    > - The scale thing is certainly a big part of the problem, even most CTOs are
    > working with a barbaric understanding of security.
    > - the sheer newness of all this IP stuff (and buried in that is their first
    > confrontation with Security) creates a dynamic load of issues for any CTO
    > doing their job, so even the very few who have had a first-hand conversation
    > with a well-spoken Clue Club Member most likely never hear the wisdom again
    > and the message is plowed under.
    > - I'd like to find some one-liner to address the problem, but it looks like
    > just lots more work developing and delivering education (pick a medium) and
    > allowing the passage of time to inculcate the masses with some experience.
    > - One metric that gives me hope on the Edumacation front is my endless
    > Brownian Public Survey, and I see the savvy-factor in the average Joe going
    > up consistently. I poll people ceaselessly about (well, everything, but
    > among that:) their interaction with information technology. I still can't
    > have an in-depth useful conversation about security with the least capable of
    > computer clickers, but today those folks are now the very last of the
    > living-in-the-woods (literally) people who said they would "never own a
    > confuser". Mom still has a hard time following the thread if I get too
    > enthusiastic about details, but she gets all the basics and can apply them to
    > her own experiences using 'puters and the net. The average
    > plane-seat-neighbor can usually play a good foil for thinking out loud about
    > an issue - but it's always the first time they've considered it that closely,
    > even if they are IT folks.
    > o Product classes and categories have shifted around enough that even we
    > have to pay attention, everyone else is like the cancer patient listening to
    > two doctors disagree on his treatment.
    > o There obviously isn't a given Best Practices Precedent out there, or
    > lawyers would have found it and sued the crap out of people by now. Without
    > such precedent, it's impossible to hold management types accountable for
    > following it, and it's impossible to nail mismanagement mid-weasels like
    > Scott's boss for gross incompetence. We could use a good sue-able
    > precedent...
    > o Auditing tools need to get better. If it could be clearly shown that a
    > commonly accepted practice was not followed, leading to losses to the
    > organization involved, then the accountability chain can be established and
    > Paul's lawyerfests can be directed at creating Darwinistic impulses among
    > CTOs, and thereby creating same in high-expectation-having, upward-managing,
    > lickspittles like Scott's Uberviser. Fixing auditing is not my problem
    > anymore at the moment, but Marcus and tbird and Partha and the rest need to
    > keep plugging until the next Scott can have a leg to stand on against his
    > Hindmost.
    > Scott's boss still needs a swift kick. I'm leaving for Disney tomorrow, can
    > I stop by and rough him up for you... :-)
    > -grrrrr
    > -chris
    > PS - somebody get Scott a better job!
    > Chris Blask
    > _______________________________________________
    > firewall-wizards mailing list

    --
             admin & senior security consultant:
    Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

    ...We waste time looking for the perfect lover
    instead of creating the perfect love.

                     -Tom Robbins <Still Life With Woodpecker>
