Re: Food for Thought
From:
Date: 07/13/02
- Next message: Lohkee: "Re: Food for Thought"
- Previous message: HC: "Re: More food for thought"
- Maybe in reply to: Lohkee: "Re: Food for Thought"
- Next in thread: Lohkee: "Re: Food for Thought"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 13 Jul 2002 16:02:27 GMT
"HC" <keydet89@yahoo.com> wrote in message
news:3D3026A9.6070308@yahoo.com...
>
> > I can think of no other government in the world that can even come close to
> > the spending power of the US
>
>
> That's why we're the only super power left in the world.
Thank you for agreeing!
>
> > if this is "near
> > obsolete" then I guess you could say most people run "near obsolete" boxes.
> > Smart cards, retinal scanners, fingerprint readers are not uncommon and
> > hardly "near obsolete."
>
>
> I have no doubt that some of this stuff exists, but where is it? The
> truth of the matter is that it's not pervasive throughout the federal
> gov't IT infrastructure. Sure, the gov't is getting into biometrics,
> I've worked on contracts for the DoD myself. However, these things are
> used in particular areas. Most of the federal gov't, to include elements
> of the DoJ, are still running P5 systems.
I disagree, although I would well imagine there is a blend of old and new.
>
> As far as spending power goes, do you know where a great deal of that
> money is going? Waste. I worked for a consulting firm near Fort
> Monmouth. Our primary customer at that time was the Army, and we had
> ties to the Air Force. We sold the same exact work to several different
> "customers"...sometimes these "customers" were different offices on the
> base, or even within the same command. I also had the opportunity to
> review some work done by other organizations, as well as previous work
> done before I arrived in my company. Thousands of dollars are being
> paid for what amounts to Google web searches, and no real analysis.
>
I agree with you here, however, that does not mean the spending power is not
there, only that it is being misused.
>
> > So the government hired a contractor (undoubtedly with the money you say
> > they don't have)
>
>
> I never said the gov't doesn't have money...I simply do not agree w/
> your characterization of it, that's all.
>
I said the US Govt has the financial muscle to buy the best - no more - no
less. Waste and harebrained schemes notwithstanding.
> > to do a job and the contractor staffs themselves with
> > perhaps less than ideal candidates - and this has what to do with the
> > government's spending ability?
>
>
> Everything. Look at the Navy-Marine Corps Internet (NMCI), a contract
> won by EDS. I know folks at the Quantico NOC who have said that the
> contract calls for 2 "senior consultants", and two kids right out of
> college show up on site. They can't really do anything...they simply
> follow a script and return to the mother ship with the data they
> collect. Paying "senior consultant" rates...over $200 per hour...for
> what you should be paying almost half that for is a waste of money.
>
Same as above.
> To me, wasting money is not a good use of that money. But then, that's
> just my opinion.
>
>
We still appear to be in agreement.
> > Unless you are trying to say that system owners wanted their systems messed
> > with then it makes no difference if it is a website or a top secret
> > database. Security is security and penetration means exactly that. If you
> > can't secure something as simple as a website then . . . . . .
>
>
> It's not that simple, and with your self-proclaimed 20 yrs of
> experience, you know that. Like any other site, the federal gov't has
> to prioritize its activities. Databases containing top secret
> information are more likely to be heavily protected, whereas a web
> server connected to the non-classified network usually won't get
> attention until it's broken into.
In many cases the non-secured provides a pathway to the secured. My point
was that if you cannot secure a simple website then why should I believe
that you will do any better with more important information?
>
> It sounds to me as if you've fallen prey to the attempts by the media to
> sensationalize these web page defacings. In many cases, particularly
> the IIS ones, the defacings do not result in a "penetration", per se.
> Yes, access is gained, but that access is very limited. Some of the
> exploits only allow the attacker to issue 'echo' commands, and then only
> at Guest-level privileges.
>
I disagree. This is why I did not name attackers. I have no interest in
giving them credit. Care to comment on the recent break-ins by the "dynamic
duo"? While the data they posted was not TS it was certainly sensitive and
not the type the govt would really want to see plastered all over the web.
> If a higher level of access is gained, I'd be one of the first ones to
> raise my hand and suggest something more surreptitious than a publicly
> embarrassing web page defacing...but this just isn't happening. And in
> some cases where admin-level access is achieved (oddly enough, it's the
> worms that seem more capable of doing this, rather than the manual
> attacks), all the attacker seems to be capable of doing is changing a
> web page.
See dynamic duo.
>
> Again, there was never any proof provided by Pimpshiz that he and his
> cohort were able to gain access to top secret data. They defaced web
> pages that were sitting out on non-classified networks, and were the
> lowest priority for admins. Is that an excuse? Not at all. It's just
> a fact.
>
>
> > You are incorrect. GAO does, in fact, send people out to audit other
> > agencies.
>
>
> You're entitled to your opinion.
Whatever.
>
>
> > Experts do not make dumb mistakes. SANS claims to have a LOT of experts
> > (they are, after all, a "certifying" org).
>
>
> Yes, they do. One cannot be an expert without being a human being, a
> person. People make mistakes.
>
> And I'm sure you know that SANS experts (not defending them) have a
> specific role within SANS that has nothing to do with admining the web
> server. None of them...Gene Schultz, Eric Cole, Rob Lee, Steve
> Northcutt, Ed Skoudis...have ever (that I'm aware of) administrated the
> SANS web server. That's b/c these "experts" all teach, and speak at the
> SANS conferences.
>
> It sounds like you're trying to build a case where there isn't one.
>
>
A "high-end" professional security research/teaching org gets cracked. I
see a problem with this.
> > I believe the issue is incompetence caused by Personal Computer
Mentality.
>
>
> That's fine. You're entitled to your opinion.
>
Can you offer a better explanation? How can so many . . . with different
backgrounds/orgs . . .get it wrong?
>
> > Again, you are incorrect. All govt. agencies do have computer security
> > policies - required by law.
>
>
> I'm sorry, but that statement sounds very naive. There are a lot of
> things "required by law" that are also "in the works" or "in process".
> You're telling me that I can go to any gov't agency and anyone there can
> provide me with either the policies, or where I can get them. That's
> odd, b/c even now, friends of mine work for companies who are producing
> these documents. Work I have done in the past has been hampered by a
> lack of policies.
>
>
Computer Security Act of 1987, OMB A-130, etc., etc., etc.
> > Do a search on "government computer security spending" and you will find
> > numerous sources.
>
>
> Okay, that's where your argument falls apart, as well as the
> credibility of your statements (not a personal attack). I'm simply
> saying that by requiring the reader to conduct his own search for
> sources, your statements lack any credibility at all. If I do such a
> search, how am I to know which of the returned sources you used?
Has nothing at all to do with my arguments, per se. Have better things to
do than quote sources all day long (there are sooo many).
>
> Of course, this also explains why your original post doesn't appear in
> any publications. I may not agree with your statements, but I think
> that, for the most part, your original post was well written and has a
> great deal of potential. However, having been published myself, I know
> that telling the reader to do a Google search for sources isn't going to
> fly w/ the editor.
>
This is myopic arrogance Harlan - they have never been published because I
have never submitted them for publication (not that they would have
been had I done so)! For me, this is not about money.
>
> > Again, do a search - you might start by looking at CSI.
>
>
> <Gong!> Thank you for playing!
>
> You just hit a sore spot w/ me...the CSI/FBI survey. The survey is just
> that...a survey. B/c of how it's conducted, you have no idea who is
> filling the survey out. In most cases, it's probably an admin who has
> to deal with folks who think every pop-up on their screen is a
> virus...heaven forbid they get the dreaded "Dr Watson" virus! Also,
> there is nothing in the survey that validates any of the data...do the
> respondent companies have the ability to identify attacks, successful or
> otherwise?
I did not quote CSI - I merely suggested that as a starting place for doing
some research.
>
> I've had to deal w/ admins who would get a "tagged" FTP server and tell
> the customer that their SAM database was copied and cracked. When asked
> why that statement was made to the customer with no evidence whatsoever
> that it occurred, the admin responded, "that's what 'hackers' do."
> Again, there was no evidence that this occurred...while at the same time
> there was plenty of evidence that the admin had left anon. FTP access w/
> write permissions to the drive. It's these sorts of folks who are
> filling out the form.
>
> Companies like Cisco and RipTech have gotten it right by reporting
> numbers based on hard data collected from assessments and managed IDS.
> All they need to do is sanitize the data, removing anything that
> identifies specific customers, and boom...they have hard, verifiable
> data. There is nothing verifiable about the CSI survey.
>
OK, so use them as a source.
>
> > Again - do a search - try "personal use internet". You will find numerous
> > govt (state/federal) policy statements.
>
>
> Again w/ the "find your own sources". Maybe you can at least tell me
> what kind of statements these are. For instance, when I was in the
> military, I know that all organizations were given a mandate to link any
> military or fed. gov't site to standard AUP and Privacy statements. So,
> while a search may pull up thousands of hits, they are all either links
> to or copies of the same statement.
>
Many are policy statements describing how employees may use the Net for
personal use.
>
> > I am one of them and I agree with what you say, however, my point remains
> > unchanged.
>
>
> Nor does mine. I think you're on the right track, but that you're just
> not taking it far enough.
>
>
> >>Again, your opinion. In my opinion and experience, the biggest thing
> >>wrong with these guides, particularly the NSA guides, is that too many
> >>admins, even MCSE+I's, know very little about their systems. They
> >>implement _all_ of the NSA recommendations blindly, and then wonder why
> >>users cannot login.
> >>
> >
> > The recommendations are faulty unless the basic principles of security have
> > suddenly changed.
>
>
> Not at all. There is nothing wrong w/ the recommendations within the
> NSA guide(s). It's the implementation that is faulty. Any admin who
> blindly implements all of the recommendations in the NSA guide is a
> dangerous admin...b/c he *is* an admin, but not knowledgeable of his
> infrastructure and systems to know what is affected.
>
>
> >>While the guides do have deficiencies, they are fairly comprehensive.
> >>It does take some work to identify the commonalities and discrepancies
> >>between them all, but they are just that...guides. They are not all
> >>inclusive, nor should they be considered as such. If an organization
> >>wants a configuration policy for their architecture, they should either
> >>do it themselves, or hire a consulting firm, for no other reason than by
> >>paying the firm, they can hold them legally liable via the contract.
> >>
> >
> >
> > Again, the recommendations are contrary to the fundamental principles of
> > security.
>
>
> Would you care to qualify that statement, elaborate, or at least give
> one or two examples? Take one or two of the recommendations from, say,
> the NSA's configuration guide for Win2k, and describe how they're
> "contrary to the fundamental principles of security."
>
It was in my original post/paper. Essentially they all assume an "open"
environment and lock down that which they see as "dangerous" as opposed to
assuming a closed environment and opening it up based on need.
>
> >>I'm not disagreeing with you, per se, except for your base assumption.
> >>Also, to be clear and fair, in several cases I simply think you haven't
> >>taken your statements far enough...some of your thoughts have some real
> >>potential.
> >>
> >
> >
> > Talk about being vague - looks like a case of the pot calling the kettle
> > black!
>
>
> Well, I don't know how to be more specific...should I use HTML tags like
> "<complement>" or "<agreeing with you>" to qualify or disqualify my
> statements?
>
WHAT STATEMENTS! WHERE DO YOU THINK THEY SHOULD GO? HOW ARE THEY UNFAIR?
>
> >>I'm more than a little surprised that after all that, with your 20 years
> >>of stated industry experience, that not only do you NOT provide a
> >>solution, but in the end we have nothing more than a really long
> >>advertisement. An ad for a book that I haven't even seen the title of...
> >>
> >>
> >
> > Actually I did, and had you read and considered what I said carefully, you
> > would have known that.
>
>
> I read the original post several times before hitting the reply button.
> I did not find anything that looked like a solution...but I could have
> missed it.
The solution is to stop treating business environments with the same laissez-
faire attitudes as home PCs. We need to get back to basics, i.e., "Least
privilege" etc.
> > The level of detail you seem to need will come
> > later - this was an introduction intended to lay the groundwork. When you
> > are bucking the system (and I will be doing just that) you first need to set
> > up a case for why the system is wrong and provide at least some anecdotal
> > evidence to back it up. I guess you can say it is nothing more than an
> > advertisement for something that does not yet exist and you would, in a
> > sense, be correct although this was not really my intent - hopefully at
> > least one or two out there who can think out of the box and will consider
> > what I have to say and build on it.
>
>
> Well, to be quite honest, this is nothing that hasn't already come up
> for ages around the water cooler at consulting/contracting firms, as
> well as within the federal gov't itself.
So where is it? I have never seen any writing suggesting mass failure
caused by PCM - Perhaps you would like to quote your sources????
>
> Anecdotal evidence isn't needed. If you're looking at making changes,
> then just do it. Like I said, I think some of your thoughts have merit,
> and I think others need refining.
>
> > As I publish my experiments I hope that
> > people will duplicate and build on them.
>
>
> We'll see. If you publish your experiments without any references or
> sources, and require the reader to conduct their own web searches, then
> your experiments will lack credibility. However, if you identify the
> sources that you do use, then your experiments will at least be
> reproducible.
My experiments are to do with compartmentalization and other system
configurations. Full source/instructions will be given. There will be no
sources to quote as it will be original work.
>
> > We are in very bad shape with
> > regard to computer security and I intend to do whatever I can to change
> > that. I fully understand that I am going against the rest of my profession
> > in (figuratively) claiming that the world is not really flat after all,
> > however, we as a profession have not performed very well at all (horribly
> > would probably be more accurate), and I believe that I know the reasons why
> > (either that or I have wasted many years of research). Yes, Harlan, I fully
> > intend to try to change the world!
>
>
> This is one of the statements I disagree with. You're not necessarily
> going against the rest of the profession at all...you're really trying
> to go head-to-head against the mentality of the people who sign the
> checks. Therein lies the power...the people who authorize payment for
> consultants, as well as hire/pay their own internal security officers.
> It's these people you need to go against.
I am against much of the crap promoted by the profession, for example,
strong passwords, password cracking, anti-virus software, content filtering
software, etc. I think most is snake oil that does not stand up to analysis.
>
> I do agree that the profession needs some...shall we simply say
> "upgrading"? I've worked with far too many "security professionals" who
> see everything as a technical problem or solution...when all you have is
> a hammer in your toolbox, everything looks like a nail.
I think it IS a technical problem for the most part, or at least one that
can be easily solved with technology.
Lohkee!