Re:Vulnerability Response (was: BGP TCP RST Attacks)

[Brian Ford <brford () cisco com>]

Marcus,

Wow.  That was quite a chunk.

I agree with a lot of what you have said here.  But the patient hasn't 
died.  We all just live too near a place where it stinks.  Sometimes when 
the smell gets real bad we do something; like close the windows or open an 
air freshener.  Other times we just grin and bear it.

You said:
> After a while, the folks who are busy
> fighting the bug-of-the-week club down in the trenches are
> going to say, "hey! look! that guy over there doesn't have this
> problem!" and they'll adapt. Or they'll die out or just keep
> cheerfully pounding their heads against the wall. But eventually
> it will become clear that their approach is loserly.

I don't agree that best practices are flowing through the community. Lots 
of folks are using stuff that isn't working well.  They don't know what 
else is out there or how anything else other than how "their thing" works.

We need to raise awareness about what is out there; what is good and what 
is bad.  Not by labelling technology or products but by talking about 
practices.  We can start by just focusing on people on lists like 
this.  What's working well for you and why?  I don't see many messages like 
that here (or at any of the conferences) any more.

We need to think about how to grow smarter practitioners.  I thought last 
year it might be via CISSP or some other "certification".  I gave that a 
shot.  Before that I thought the SANs direction (again with certifications) 
was good. I don't know if this will work for as large a portion of the 
population as is needed.

Patching isn't great.  But it is what we have right now and many folks who 
insist on sitting in front of computers can use it.  Hey, I wish we didn't 
depend on oil for energy.  But we do.

The sad reality is that many user type folks insist on doing stuff that is 
bad for themselves.  They read email they shouldn't read.  They surf to 
sites they shouldn't surf to.  They don't use good passwords.  They don't 
backup data.

If we really want to make the Internet a better place we should solve these 
problems.
- Create strong, effective, cross country laws and go after spammers and 
phishers.
-  Ditto that with  web sites that feed the problem.
- Push the strong password issue back on the organizations that require 
them. Don't allow the costs of fraud to be assumed by customers.  If 
financial institutions had to pay damages to their customers or others for 
info leakage incidents or fraud then financial institutions would work on 
developing better password technology.
- Develop an OS that has backup built into the OS.

There is no easy path here.  We're somewhere in an unpleasant swamp and we 
have to _continue_ to try and find a way out.

Liberty for All,

Brian


At 12:00 PM 6/1/2004 -0400, firewall-wizards-request () honor icsalabs com wrote:

> Message: 1
> Date: Tue, 01 Jun 2004 10:38:07 -0400
> To: "Ben Nagy" <ben () iagu net>, <firewall-wizards () honor icsalabs com>
> From: "Marcus J. Ranum" <mjr () ranum com>
> Subject: RE: [fw-wiz] Vulnerability Response (was: BGP TCP RST Attacks)
>
> Ben Nagy wrote:
> >> As I said, I think time will tell. :)
> >I'm horribly torn here. I completely agree with you, but I just don't see
> >any evidence of change. Essentially what you are claiming, when you say that
> >"time will tell", is that little green men from the Planet Clue are going to
> >invade earth with their rectal clue applicators and drag most of the IT
> >industry in the world off to re-education camps.
>
> I didn't say that!!! I didn't even *THINK* that!!
>
> What I think is going to happen is that people are going to
> keep spending huge amounts of money on approaches that
> don't work. Some, a small number, are going to say, "well, Duh!
> and solve the problem." After a while, the folks who are busy
> fighting the bug-of-the-week club down in the trenches are
> going to say, "hey! look! that guy over there doesn't have this
> problem!" and they'll adapt. Or they'll die out or just keep
> cheerfully pounding their heads against the wall. But eventually
> it will become clear that their approach is loserly.
>
> Remember, loserly behavior is not a function of population
> size. Just because lots of people are doing something dumb
> doesn't make it any less dumb. It only means that there are
> more people doing it.
>
> I *hope* that in 10 years security practitioners will look back
> at the days of "the system-wide patching fad" and laugh.
>
> We're a society of fads and "get rich quick" schemes. We'd
> rather pay 3X as much for special food that has 1/2 the calories
> of normal food - instead of eating 1/2 as much of the normal
> food (which actually has real flavor). We'd rather follow a fad
> diet that destroys our body with saturated fats than simply
> "eat lots. work hard. burn lots of energy."  We're still in the
> era of get.rich.quick low-carb Internet security - perhaps it
> will be the aliens with their clue probes that get us out of it, but
> it's more likely we'll either stay there or wise up.
>
>
> >> >Take a look at the recent security record of MS RPC endpoints. You
> >> >can't turn them off. You can't secure them. Windows will break.
> >>
> >> Yes. So? YOU ARE INSANE IF YOU ARE RELYING ON WINDOWS FOR
> >> INTERNET-FACING CRITICAL SYSTEMS.
> >
> >Trouble is that it's not just internet facing systems that get owned. This
> >idea of crunchy outside chewy centre has GOT to change. It's dead. Didn't
> >work. Bye-bye.
>
> I'm not advocating a perimeter-only defense!!! I *NEVER* have.
> But it's the first and best place to start. If you don't do something
> sensible at the perimeter - or you don't have a perimeter at all -
> then all your systems are internet-facing. We've seen how well
> *THAT* works, too.
>
> Let me try some different logic on you:
>         - Every year there are more internet-facing systems by
>                 some huge number, as more homes go online
>         - Many of those systems rely on endpoint mitigation and
>                 patching as their sole security
>         - Every year, the number of systems compromised keeps
>                 going up
>
> What does that tell you? That the attackers are getting smarter?
> No - they're doing the "same old same old".   That the attackers
> are working harder? Maybe, but it's largely automated. So
> if you have largely automated attacks succeeding wildly against
> system that are using low-carb security - well.... What do you
> conclude?
>
> >> What do you think? If we install JUST ONE MORE PATCH it's
> >> gonna be SECURE? Heck, no. The only way to secure this crap
> >> is to hold it down and hammer a stake through its heart.
> >
> >Ah c'mon.
>
> I'm serious.
> Back in 1997 (blackhat keynote, you can hear the audio on
> http://www.ranum.com/security/computer_security/audio/mjr-blackhat-97.mp3
>  - it's a cruddy recording and I was a bit hung over when I did
> the talk, but the idea remains. There's one major "bug" in the
> talk, and here's the patch:
> s/"it would be funny if I wasn't kidding"/"it would be funny if I wasn't 
> serious"/)
>
> Are you trying to tell me that operating systems are holy
> writ that cannot be discarded and replaced with something
> better? Ever hear of TOPS-10, MULTICS, OS/9, VMS? They
> are operating systems that people used to use. O/S' come
> and go. Windows is "just a phase" (as my parents used to
> say when I wanted to dye my hair weird colors in high
> school)  it will pass. Maybe.
>
> >Given that we can't go back to the abacus, we need to work from where we
> >are, and it is happening.
>
> Why do we need to wok from where we are? Where we are is
> not good!!! Working harder on it may not make it better. In fact
> the preponderance of evidence is that it's getting WORSE.
> Do you want to work harder on a situation where hard work
> may be rewarded with worsening results? I'm not being
> facetious; I am deadly serious. Trying to fix Windows security
> has *ONLY* paid off in the stock prices of security companies
> and not improved end user experience or system reliability
> one iota.
>
> > I see MS doing GOOD WORK in improving the
> >fundamental security core of their OS.
>
> I see MS doing GOOD MARKETING in attempting to
> unscrew that which is permanently screwed.
>
> > I nearly passed out when I saw
> >support for NX memory
>
> It's a nice kludge. Making the stack grow *up* into memory
> like MULTICS did this in ~1965 - around the time I was learning
> to walk upright. It's a little harder to code that kind of thing in
> your kernel if you're smarter than a chimpanzee but it means
> you never have buffer overruns.
>
> You've all probably heard the old joke, "if computer programmers
> built bridges like they write code, the first rainstorm we had would
> collapse civilization" - it's wrong. If computer programmers built
> bridges like they write code, they'd start off by re-inventing the I-beam
> for each bridge - and they'd never get anything done because
> they'd be arguing about the relative merits of whatever strongly-hyped
> metal alloy was popular that week (XML? couldn't we use XML for that?)
>
> > no anonymous RPC and host firewall enabled by default
> >in a general purpose service pack. They've come a long way from VMS. :)
>
> Yes, they have. VMS was so much better, and the gap is growing
> rapidly. :)
>
> >The other option to burning it all and starting again is to "get there from
> >here". I say it's possible (eventually). Until that happens, we need
> >auxilliary solutions to prop things up.
>
> I thing it's time to start grabbing our stakes and hammers
> and getting to work!!
>
> >> Well, yeah. If you're using the wrong OS you're an idiot. The
> >> fact that there are a lot of idiots out there doesn't make
> >> them any less idiotic, either.
> >
> >This line brings a smile to my face every time I read it.
> >
> >You're right, of course, but lots of people aren't going to admit it when
> >you rub their nose in it like that. I'm writing this on a Windows box - and
> >you just told me that your work box is Windows too. I vote that us "idiots"
> >deserve security too.
>
> I have fabulous security!!! My machine is isolated so that its
> manifest weaknesses don't bother me. I accepted the fact
> that I have a dumb O/S and because I am smart guy I
> designed around it. I also have terrific backups "just in case" ;)
> It's what I mean about understanding your risks and working
> around them. The problem is that people don't want to
> understand 'em and work around them. They just get as
> far as "well, there are risks." and start patching.
>
> >[...]
> >> The idea that code needs to be patched frequently and often
> >> is predicated on the flawed concept that cruddy code is
> >> exposed to untrusted network. That's just dumb.
> >
> >So this is, again, where we differ in opinion. The desktop - also known as
> >Cruddy Code Central - is what is causing the problem. You "old school"
> >genuises have been telling us "newbies" to build super duper amazing transit
> >points between networks of different trust levels, which we have been trying
> >to do.
>
> NO you haven't!!! You're like the guys who want to eat 3 gallons
> of ice cream a day and still lose weight using some fad diet.
> Those things many people call "firewalls" are just low-carb
> feel-good half-hearted nods toward security. Their policies
> have been set up by committees with marketing people on
> them, and their security posture depends more on which business
> unit brings in more money than on actually protecting the
> network. I mean these darned things allow attachments
> through; they allow ActiveX through, they allow IM through,
> etc, etc, etc. That's not a firewall. That's a "slow router."
> And these "firewalled" networks are full of users who come
> and go with laptops that they just plug in wherever they
> want whenever they want and are given an IP address and
> off they go. Those "mobile users" are on common segments
> with mission critical servers and the only "authentication" they
> use is the fact that they're physically there. Did I just describe
> the typical corporate network? Can you tell me what is
> "firewalled" about *THAT*!?!!?    That's not firewalled. That's
> low-carb-fat-free-firewalled.
>
> > The trouble is that malware still gets in. Poot. Them dang worms is
> >like roaches, I tell ya. Looks 'ifn that there trusted network weren't quite
> >so trusted after all...
>
> Peter Neumann likes to make sure people use the words "trusted"
> and "trustworthy" properly. :)   That was a trusted network but not
> a trustworthy network. :)  oops.
>
> >There comes a point where we have to admit that "the security architecture
> >operation was a complete success, but the patient died" is of limited value.
>
> The patient died AND IS STARTING TO SMELL!
>
> mjr.


Brian Ford, CISSP
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://wwwin.cisco.com/corpdev/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards