Firewall Wizards mailing list archives
offtopic - drivers Re: Botnets, IRC servers and firewalls?
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 05 Feb 2004 14:22:22 -0500
I hesitate to get into this tired analogy once again but I never learn :)

Mike McNutt wrote:

> Not locking a car *may* be irresponsible, but to my knowledge it isn't illegal. Making a law that says cars must remain locked at all times to thwart car thieves would be oppressive IMO - because now [decent] people could be considered criminals that may not lock their car for <insert plausible excuse/reason here> ... How different is it for a computer that isn't "locked down"? It doesn't make sense to me that we should go down the path of considering people criminals because they do not (or cannot) lock down their computers. I like the energy being expended on fixing the vulnerabilities and finding the hackers, but not oppressing normal people for their [lack of] computer knowledge.
Nobody is suggesting making not having a password or having an open file share illegal. It may, however, be grounds for limited network access. Note that those cars:

a) Must have a yearly safety and smog inspection before they can be driven on the public roads.
b) Can only be driven by drivers who have passed a test before they are allowed on the public roads.
c) Are registered for identification purposes before they are allowed on the public roads.

Very similar to requirements for transmitting on the public airways. Marcus said it all when he said:

> What I think is confusing this issue is that most people aren't comfortable with the concept that there's plenty of blame to go around. We want it to all land on one party.
Vendors: If your car had a security defect every other month for the past three years, would it still be on the road? Vendors should be required to ship CDs and provide X minutes of free telephone support when a security defect is discovered that can result in a system wide compromise without any user interaction in a default configuration. I can assure you that the cost involved in doing that will result in more careful business decisions about what ports are open to the network by default and what types of decisions and priorities go into feature/functionality/integration decisions.

Buyers/management/decision makers/designers: If your car/bus/plane came with a disclaimer that said the vendor didn't claim suitability of the product for any purpose and that damages would be limited to $5.00 or the loss, whichever is less, would we be so quick to fork out our money to implement these products in electronic banking, voting, ERP, critical infrastructure, etc.?

I believe the primary problem is the dichotomy between expectations/assumptions and the underlying designs and architecture of the technology we're using.

Prime among the assumptions:

- that a device that allows an operator to do anything can be secured from that operator or software run by that operator
- that a device that allows an operator to do anything within the realm of a programmable computer and its almost infinite possibilities AND DECISIONS, can be made simple
- that an electronic community of 300 million people with no borders, no customs, and no identification is somehow immune from what those characteristics would lead to in a similar physical community
  Corollary - that connecting those people in milliseconds and mouse clicks isn't going to create opportunities for, and lead to abuse beyond compare
- that anyone is going to write tens of millions of lines of perfect code

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards