Firewall Wizards mailing list archives

RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Joseph Steinberg <Joseph () whale-com com>
Date: Tue, 7 Aug 2001 16:31:00 -0400


There are "air bags and seat belts" out there. The various application-level
inspection tools (Whale's e-Gap being among them) add the safety you are
looking for; you do not need to accept application-level vulnerabilities (in
the case of the e-Gap O/S and Network level as well).

As far as "accepting" patching as a part of life -- is it really being
done (the patching)? Code Red proved that many organizations had not
installed a simple patch even a month after Microsoft released it and warned
sys admins to apply it.

Patching introduces all sorts of problems -- problems with patches that
interfere with other software, that contain old files, that themselves are
vulnerable. (Take a look at MS01-030 -- Microsoft had to patch its patches
for its patches...) Because patches can themselves be problematic,
organizations need to decide whether to install patches in the production
environment and run the risk of system problems, or to test patches in a
staging environment before deploying to production -- in which case the
production systems remain vulnerable during the testing. Either way,
patching, as a solution to software bugs, presents major risks.

There is a cute (and somewhat comical) short presentation about this
problem available at:

http://www.whalecommunications.com/weekinthelife/weekinthelife_files/frame.htm

As I mentioned in my previous post, we at Whale Communications have come up
with a solution to this issue that reduces the urgency of applying most
patches. I will not go into a product pitch on this mailing list -- there is
more information available on our website www.whalecommunications.com.

Joseph

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Tuesday, August 07, 2001 9:59 AM
To: Darren Reed; Joseph () whale-com com
Cc: rcwash () concentric net; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Re: Code Red: What security specialist don't
mention in warnings(Frank Knobbe)


Darren Reed wrote:
How much does it cost the world to patch these problems up vs the developer
to put in place proper testing to find and eliminate these problems before
it goes out the door?  How can we allow such a critical piece of modern life
to be such a pile of rubbish?

Safety technology is _consistently_ one of the last things we apply to
any new technology. And we usually apply it only after the lack has been
clearly documented, and it's obvious that a high level of damage results
from not applying it reasonably consistently.

Take my favorite example: cars. In the 1920's you could purchase a
"commercial off the shelf car" that could do 60+MPH with relative
ease. Never mind the fact that the roadway infrastructures weren't
safe for those speeds (until the 1950's) they didn't come with seat
belts. Seatbelts were not mandatory until the 1960's. Shoulder straps
didn't come in until the 1970's, and airbags in the 1980s/90s. In the
late 1970's Lee Iacocca, the CEO of General Motors, said that they
would never put airbags in their cars because customers wouldn't
pay for them. So, for the first 20-30 _years_ of the history of personal
automobiles, it must have been _accepted_ and even taken for
granted that when you ditched your car at speeds approaching 50MPH
you _were_ going to eat that big bakelite steering wheel and you _were_
going to need reconstructive surgery. Bummer that reconstructive
surgery hadn't been invented, yet...  For some reason this was
considered "acceptable."

Today we consider it acceptable that administrators have to manually
install patches on a regular basis. Today we consider it acceptable
that our operating environments are trivially hackable out of the box.
Today we consider it acceptable that Windows crashes once or twice
a day if you're trying to do anything tricky like read Email while you're
writing a CD or accessing a digital camera.

We're still in the infancy of computers. Darren, you're just ahead of the
time. :)

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards