Firewall Wizards mailing list archives

offtopic - drivers Re: Botnets, IRC servers and firewalls?


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 05 Feb 2004 14:22:22 -0500


I hesitate to get into this tired analogy once again
but I never learn :)

Mike McNutt wrote:
Not locking a car *may* be irresponsible, but to my knowledge it isn't illegal.  Making a law that says cars must remain locked at all times
to thwart car thieves would be oppressive IMO - because now [decent] people could be considered criminals that may not lock their car for
<insert plausible excuse/reason here> ... How different is it for a computer that isn't "locked down"?
It doesn't make sense to me that we should go down the path of considering people criminals because they do not (or
cannot) lock down their computers.  I like the energy being expended on fixing the vulnerabilities and finding the hackers,
but not oppressing normal people for their [lack of] computer knowledge.

Nobody is suggesting making not having a password
or having an open file share illegal. It may, however,
be grounds for limited network access.

Note that those cars:

a) Must have a yearly safety and smog inspection
   before they can be driven on the public roads.
b) Can only be driven by drivers who have passed a
   test before they are allowed on the public
   roads.
c) Are registered for identification purposes before
   they are allowed on the public roads.

Very similar to requirements for transmitting on the
public airways.

Marcus said it all when he said

What I think is confusing this issue is that most people aren't comfortable
with the concept that there's plenty of blame to go around. We want it to
all land on one party.

Vendors:

If your car had a security defect every other month for
the past three years, would it still be on the road?
Vendors should be required to ship CDs and provide X
minutes of free telephone support when a security defect
is discovered that can result in a system wide compromise
without any user interaction in a default configuration.
I can assure you that the cost involved in doing that
will result in more careful business decisions about
what ports are open to the network by default and what
types of decisions and priorities go into
feature/functionality/integration decisions.

Buyers/management/decision makers/designers:

If your car/bus/plane came with a disclaimer that said the
vendor didn't claim suitability of the product for any
purpose and that damages would be limited to $5.00 or the
loss, whichever is less, would we be so quick to fork
out our money to implement these products in electronic
banking, voting, ERP, critical infrastructure, etc.?

I believe the primary problem is the dichotomy between
expectations/assumptions and the underlying designs and
architecture of the technology we're using.

Prime among the assumptions:

 - that a device that allows an operator to do anything
   can be secured from that operator or software run
   by that operator

 - that a device that allows an operator to do anything
   within the realm of a programmable computer and its
   almost infinite possibilities AND DECISIONS, can be
   made simple

 - that an electronic community of 300 million people with
   no borders, no customs, and no identification is somehow
   immune from what those characteristics would lead to in
   a similar physical community

   Corollary - that connecting those people in milliseconds
   and mouse clicks isn't going to create opportunities for,
   and lead to abuse beyond compare

 - that anyone is going to write tens of millions of lines
   of perfect code


--
Gary Flynn
Security Engineer - Technical Services
James Madison University
