Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Jun 2005 15:19:49 -0400 (EDT)

On Thu, 2 Jun 2005, Marcus J. Ranum wrote:

> I wonder if the router's manual said anything about it. I wonder
> if the customer read the fine manual. They shouldn't be relieved
> of responsibility for understanding what they are doing. If society

They understood what they were doing- ordering DSL service.  Not too
surprisingly, many people don't know that having the capability to do $foo
in a consumer product doesn't mean it will or that it's on by default.

Do you honestly think the documentation that comes with a DSL router gives
the average consumer without wireless equipment enough information to make
a real risk judgment?

> relieves the end user of responsibility for what they do with a
> tool, we're propagating the ridiculous situation where someone
> buys a chainsaw, doesn't use it properly because they didn't
> read the directions, sues the manufacturer, and wins.

I think there's a happier ground that's somewhere in the middle- and I
think that absolving vendors of any of the downfall of their products is
just as bad as making them responsible for all of it...

In this case, the product is shipped open so the vendors in question don't
have to take the expense of support calls.  In that case, I think it's
reasonable to have them bear the brunt of the cost of that
configuration choice.

> > The issue with taking the high road is that the target has to know it's
> > the high road.

> I don't agree. All that matters is that _you_ know what's
> the high road. Put differently: are you suggesting that because
> your listener doesn't know what's the right thing to do, you
> should immediately compromise?

Ah grasshopper, you miss the point.  The *life* of a security admin is to
take the high road, but the *job* of a security admin is to get his
organization to take the high road.  That can only be done by ensuring
that the executive level knows when it's doing the right thing.

In other words, I'm saying if they don't know it's the high road, you have
to beat them about the head and shoulders about it, and events are really,
really good for doing that in a way they can understand.

I've found taking published events such as the one I've
pointed out very helpful in building a case for having a road at all, high
or low.  It turns out that CTOs seem to spend more effort on things they
can use to ridicule their other CTO buddies at golf games- "Sure, we
blocked EXE files after that Israeli thing- only someone as bad off as you
would both end up in a sand trap *and* have a salesweasel infect your
network" is much more effective than "that firewall guy's laughing at me
again!"

> Isn't the situation pathetic when smart people need to bend
> over backwards in order to appease, cajole, manipulate, and
> stroke their clueless "superiors"?  What a waste of time and
> energy that could be spent on better pursuits!!

That's what we call society- doesn't look like it's getting replaced by
anything better any time soon.

I've never been accused of being appeasing, cajoling or stroking by anyone
I've ever worked for.  I suppose manipulative works when you have to go
explain the auditor's conclusions for them in a meeting with the CIO.

I've known more than a few IT execs who've expressed a willingness to do
the right thing, but they've got to know it's the right thing to do.  Same
with CEOs.  CFOs are generally the problem cases (though I've come by some
recently that were more risk averse than money averse.)

Heck, I got to hang out in a vacation resort in Florida once because the
CIO of a large corporation I worked for wanted someone to come beat down
the CIO of another corporation who was having his folks do a presentation
on how great life was with their newfangled VPN all over (this was before
VPN vendors had even tried to solve split tunneling.)

This was good for illustrating three things-

1.  If they _know_ they're taking the high road, they'll crow about it.
2.  Ridiculing their buddies is important to them.
3.  CIOs have better conferences than techies.

> You know the old saw about "you can lead a horse to water,
> but you can't make him drink?"  It ignores an important fact,
> namely: horses will always drink if they need to, and won't if
> they don't need to. They're smart like that, unlike most people.

You can teach a parrot to communicate verbally with you too- but it takes
work and a good bird.  You can either wait for the parrots to evolve, or
you can do the work...

> This whole information security thing is eventually going
> to filter into everyone's consciousness as relevant, but
> only after there's lots of pain. Unfortunately, it's usually
> the innocent who bear the brunt of the cost of the great
> "learning experience"

Ah, but you've said they're not innocent.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards