Re: Food for Thought
From: HC (keydet89@yahoo.com)
Date: 07/13/02
- Next message: neo [mvp outlook]: "Re: Need help with virus and security protection"
- Previous message: Stuart Peplow: "VPN Issue"
- In reply to: Lohkee: "Re: Food for Thought"
- Next in thread: Lohkee: "Re: Food for Thought"
- Reply: Lohkee: "Re: Food for Thought"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: HC <keydet89@yahoo.com> Date: Sat, 13 Jul 2002 09:10:01 -0400
> I can think of no other government in the world that can even come close to
> the spending power of the US
That's why we're the only super power left in the world.
> if this is "near
> obsolete" then I guess you could say most people run "near obsolete" boxes.
> Smart cards, retinal scanners, fingerprint readers are not uncommon and
> hardly "near obsolete."
I have no doubt that some of this stuff exists, but where is it? The
truth of the matter is that it's not pervasive throughout the federal
gov't IT infrastructure. Sure, the gov't is getting into biometrics,
I've worked on contracts for the DoD myself. However, these things are
used in particular areas. Most of the federal gov't, to include elements
of the DoJ, are still running P5 systems.
As far as spending power goes, do you know where a great deal of that
money is going? Waste. I worked for a consulting firm near Fort
Monmouth. Our primary customer at that time was the Army, and we had
ties to the Air Force. We sold the same exact work to several different
"customers"...sometimes these "customers" were different offices on the
base, or even within the same command. I also had the opportunity to
review some work done by other organizations, as well as previous work
done before I arrived in my company. Thousands of dollars are being
paid for what amounts to Google web searches, and no real analysis.
> So the government hired a contractor (undoubtedly with the money you say
> they don't have)
I never said the gov't doesn't have money...I simply do not agree w/
your characterization of it, that's all.
> to do a job and the contractor staffs themselves with
> perhaps less than ideal candidates - and this has what to do with the
> governments spending ability?
Everything. Look at the Navy-Marine Corps Internet (NMCI), a contract
won by EDS. I know folks at the Quantico NOC who have said that the
contract calls for 2 "senior consultants", and two kids right out of
college show up on site. They can't really do anything...they simply
follow a script and return to the mother ship with the data they
collect. Paying "senior consultant" rates...over $200 per hour...for
what you should be paying almost half that for is a waste of money.
To me, wasting money is not a good use of that money. But then, that's
just my opinion.
> Unless you are trying to say that system owners wanted their systems messed
> with then it makes no difference if it is a website or a top secret
> database. Security is security and penetration means exactly that. If you
> can't secure something as simple as a website then . . . . . .
It's not that simple, and with your self-proclaimed 20 yrs of
experience, you know that. Like any other site, the federal gov't has
to prioritize its activities. Databases containing top secret
information are more likely to be heavily protected, whereas a web
server connected to the non-classified network usually won't get
attention until it's broken into.
It sounds to me as if you've fallen prey to the attempts by the media to
sensationalize these web page defacings. In many cases, particularly
the IIS ones, the defacings do not result in a "penetration", per se.
Yes, access is gained, but that access is very limited. Some of the
exploits only allow the attacker to issue 'echo' commands, and then only
at Guest-level privileges.
If a higher level of access is gained, I'd be one of the first ones to
raise my hand and suggest something more surreptitious than a publicly
embarrassing web page defacing...but this just isn't happening. And in
some cases where admin-level access is achieved (oddly enough, it's the
worms that seem more capable of doing this, rather than the manual
attacks), all the attacker seems to be capable of doing is changing a
web page.
Again, there was never any proof provided by Pimpshiz that he and his
cohort were able to gain access to top secret data. They defaced web
pages that were sitting out on non-classified networks, and were the
lowest priority for admins. Is that an excuse? Not at all. It's just
a fact.
> You are incorrect. GAO does, in fact, send people out to audit other
> agencies.
You're entitled to your opinion.
> Experts do not make dumb mistakes. SANS claims to have a LOT of experts
> (they are, after all, a "certifying" org).
Yes, they do. One cannot be an expert without being a human being, a
person. People make mistakes.
And I'm sure you know that SANS experts (not defending them) have a
specific role within SANS that has nothing to do with admining the web
server. None of them...Gene Schultz, Eric Cole, Rob Lee, Steve
Northcutt, Ed Skoudis...have ever (that I'm aware of) administrated the
SANS web server. That's b/c these "experts" all teach, and speak at the
SANS conferences.
It sounds like you're trying to build a case where there isn't one.
> I believe the issue is incompetence caused by Personal Computer Mentality.
That's fine. You're entitled to your opinion.
> Again, you are incorrect. All govt. agencies do have computer security
> policies - required by law.
I'm sorry, but that statement sounds very naive. There are a lot of
things "required by law" that are also "in the works" or "in process".
You're telling me that I can go to any gov't agency and anyone there can
provide me with either the policies, or where I can get them. That's
odd, b/c even now, friends of mine work for companies who are producing
these documents. Work I have done in the past has been hampered by a
lack of policies.
> Do a search on "government computer security spending" and you will find
> numerous sources.
Okay, that's where your argument falls apart, as well as the
credibility of your statements (not a personal attack). I'm simply
saying that by requiring the reader to conduct his own search for
sources, your statements lack any credibility at all. If I do such a
search, how am I to know which of the returned sources you used?
Of course, this also explains why your original post doesn't appear in
any publications. I may not agree with your statements, but I think
that, for the most part, your original post was well written and has a
great deal of potential. However, having been published myself, I know
that telling the reader to do a Google search for sources isn't going to
fly w/ the editor.
> Again, do a search - you might start by looking at CSI.
<Gong!> Thank you for playing!
You just hit a sore spot w/ me...the CSI/FBI survey. The survey is just
that...a survey. B/c of how it's conducted, you have no idea who is
filling the survey out. In most cases, it's probably an admin who has
to deal with folks who think every pop-up on their screen is a
virus...heaven forbid they get the dreaded "Dr Watson" virus! Also,
there is nothing in the survey that validates any of the data...do the
respondent companies have the ability to identify attacks, successful or
otherwise?
I've had to deal w/ admins who would get a "tagged" FTP server and tell
the customer that their SAM database was copied and cracked. When asked
why that statement was made to the customer with no evidence whatsoever
that it occurred, the admin responded, "that's what 'hackers' do."
Again, there was no evidence that this occurred...while at the same time
there was plenty of evidence that the admin had left anon. FTP access w/
write permissions to the drive. It's these sorts of folks who are
filling out the form.
Companies like Cisco and RipTech have gotten it right by reporting
numbers based on hard data collected from assessments and managed IDS.
All they need to do is sanitize the data, removing anything that
identifies specific customers, and boom...they have hard, verifiable
data. There is nothing verifiable about the CSI survey.
> Again - do a search - try "personal use internet" You will find numerous
> govt (state/federal) policy statements.
Again w/ the "find your own sources". Maybe you can at least tell me
what kind of statements these are. For instance, when I was in the
military, I know that all organizations were given a mandate to link any
military or fed. gov't site to standard AUP and Privacy statements. So,
while a search may pull up thousands of hits, they are all either links
to or copies of the same statement.
> I am one of them and I agree with what you say, however, my point remains
> unchanged.
Nor does mine. I think you're on the right track, but that you're just
not taking it far enough.
>>Again, your opinion. In my opinion and experience, the biggest thing
>>wrong with these guides, particularly the NSA guides, is that too many
>>admins, even MCSE+I's, know very little about their systems. They
>>implement _all_ of the NSA recommendations blindly, and then wonder why
>>users cannot login.
> The recommendations are faulty unless the basic principles of security have
> suddenly changed.
Not at all. There is nothing wrong w/ the recommendations within the
NSA guide(s). It's the implementation that is faulty. Any admin who
blindly implements all of the recommendations in the NSA guide is a
dangerous admin...b/c he *is* an admin, but not knowledgeable enough
about his infrastructure and systems to know what is affected.
>>While the guides do have deficiencies, they are fairly comprehensive.
>>It does take some work to identify the commonalities and discrepancies
>>between them all, but they are just that...guides. They are not all
>>inclusive, nor should they be considered as such. If an organization
>>wants a configuration policy for their architecture, they should either
>>do it themselves, or hire a consulting firm, for no other reason than by
>>paying the firm, they can hold them legally liable via the contract.
> Again, the recommendations are contrary to the fundamental principles of
> security.
Would you care to qualify that statement, elaborate, or at least give
one or two examples? Take one or two of the recommendations from, say,
the NSA's configuration guide for Win2k, and describe how they're
"contrary to the fundamental principles of security."
>>I'm not disagreeing with you, per se, except for your base assumption.
>>Also, to be clear and fair, in several cases I simply think you haven't
>>taken your statements far enough...some of your thoughts have some real
>>potential.
> Talk about being vague - looks like a case of the pot calling the kettle
> black!
Well, I don't know how to be more specific...should I use HTML tags like
"<compliment>" or "<agreeing with you>" to qualify or disqualify my
statements?
>>I'm more than a little surprised that after all that, with your 20 years
>>of stated industry experience, that not only do you NOT provide a
>>solution, but in the end we have nothing more than a really long
>>advertisement. An ad for a book that I haven't even seen the title of...
> Actually I did, and had you read and considered what I said carefully, you
> would have known that.
I read the original post several times before hitting the reply button.
I did not find anything that looked like a solution...but I could have
missed it.
> The level of detail you seem to need will come
> later - this was an introduction intended to lay the groundwork. When you
> are bucking the system (and I will be doing just that) you first need to set
> up a case for why the system is wrong and provide at least some anecdotal
> evidence to back it up. I guess you can say it is nothing more than an
> advertisement for something that does not yet exist and you would, in a
> sense, be correct although this was not really my intent - hopefully at
> least one or two out there who can think out of the box and will consider
> what I have to say and build on it.
Well, to be quite honest, this is nothing that hasn't already come up
for ages around the water cooler at consulting/contracting firms, as
well as within the federal gov't itself.
Anecdotal evidence isn't needed. If you're looking at making changes,
then just do it. Like I said, I think some of your thoughts have merit,
and I think others need refining.
> As I publish my experiments I hope that
> people will duplicate and build on them.
We'll see. If you publish your experiments without any references or
sources, and require the reader to conduct their own web searches, then
your experiments will lack credibility. However, if you identify the
sources that you do use, then your experiments will at least be
reproducible.
> We are in very bad shape with
> regard to computer security and I intend to do whatever I can to change
> that. I fully understand that I am going against the rest of my profession
> in (figuratively) claiming that the world is not really flat after all,
> however, we as a profession have not performed very well at all (horribly
> would probably be more accurate), and I believe that I know the reasons why
> (either that or I have wasted many years of research). Yes, Harlan, I fully
> intend to try to change the world!
This is one of the statements I disagree with. You're not necessarily
going against the rest of the profession at all...you're really trying
to go head-to-head against the mentality of the people who sign the
checks. Therein lies the power...the people who authorize payment for
consultants, as well as hire/pay their own internal security officers.
It's these people you need to go against.
I do agree that the profession needs some...shall we simply say
"upgrading"? I've worked with far too many "security professionals" who
see everything as a technical problem or solution...when all you have is
a hammer in your toolbox, everything looks like a nail.