RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
From: Paul Melson (pmelson_at_gmail.com)
To: "'Behm, Jeffrey L.'" <BehmJL@bvsg.com>, "'Marcus J. Ranum'" <email@example.com>, "'David Lang'" <firstname.lastname@example.org>
Date: Tue, 21 Jun 2005 10:16:22 -0400
It's a failed analogy all around, though. In the case of bear vs. runner,
one bear can only maul one runner at one time. I've got screens and screens
worth of alert data that show that a single e-bear can chase and maul
thousands of runners at the same time.
I agree that doing something is better than doing nothing. I also agree
that 2-factor AAA is viable and definitely worth the effort and expense for
some organizations (including mine). But if your goal for securing your
organization is to be better than you think your "neighbors" (whether
they're in physical, logical, or market proximity) are, then all you can
hope to achieve is to not suffer a compromise at the same time in the same
way as your neighbors.
As far as making my network a "hard target" in the military sense (Google
for "hard target interdiction" or HTI), no thank you. :)
Subject: RE: [fw-wiz] Transitive Trust: 40 million credit cards hack'd
And you (and others) assume there's only two runners.
I still think I'll make an attempt to outrun the bear and be as tough a
target as I can afford, and hope the bear is smart enough to pursue the easy
The point is, don't make yourself the _easy_ target, when there are things
you can do that the others (easier targets) aren't doing.
When there are enough bears and few targets, everyone will get attacked, but
don't lightly toss aside the benefit of making yourself as hard a target as
you can afford. Right now, there are still plenty of honey-soaked targets
for the bears to enjoy.
I'm not necessarily saying this is a completely fail-safe way to secure your
environment, but from what I have seen of other environments, at least the
honey isn't dripping off you and leaving a trail for the bear to easily
follow. Let it drip off the other guy(s).
firewall-wizards mailing list