Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 2 Jun 2005 15:19:49 -0400 (EDT)
On Thu, 2 Jun 2005, Marcus J. Ranum wrote:
> I wonder if the router's manual said anything about it. I wonder if the customer read the fine manual. They shouldn't be relieved of responsibility for understanding what they are doing. If society

They understood what they were doing- ordering DSL service. Not too surprisingly, many people don't know that having the capability to do $foo in a consumer product doesn't mean it will, or that it's on by default. Do you honestly think the documentation that comes with a DSL router gives the average consumer without wireless equipment enough information to make a real risk judgment?

> relieves the end user of responsibility for what they do with a tool, we're propagating the ridiculous situation where someone buys a chainsaw, doesn't use it properly because they didn't read the directions, sues the manufacturer, and wins.
I think there's a happier ground that's somewhere in the middle- and I think that absolving vendors of any of the downfall of their products is just as bad as making them responsible for all of it... In this case, the product is shipped open so the vendors in question don't have to take the expense of support calls. In that case, I think it's reasonable to have them bear the brunt of the cost of that configuration choice.
> > The issue with taking the high road is that the target has to know it's the high road.
>
> I don't agree. All that matters is that _you_ know what's the high road. Put differently: are you suggesting that because your listener doesn't know what's the right thing to do, you should immediately compromise?
Ah grasshopper, you miss the point. The *life* of a security admin is to take the high road, but the *job* of a security admin is to get his organization to take the high road. That can only be done by ensuring that the executive level knows when it's doing the right thing. In other words, I'm saying if they don't know it's the high road, you have to beat them about the head and shoulders about it, and events are really, really good for doing that in a way they can understand.
> > I've found taking published events such as the one I've pointed out very helpful in building a case for having a road at all, high or low. It turns out that CTOs seem to spend more effort on things they can use to ridicule their other CTO buddies at golf games- "Sure, we blocked EXE files after that Israeli thing- only someone as bad off as you would both end up in a sand trap *and* have a salesweasel infect your network" is much more effective than "that firewall guy's laughing at me again!"
>
> Isn't the situation pathetic when smart people need to bend over backwards in order to appease, cajole, manipulate, and stroke their clueless "superiors"? What a waste of time and energy that could be spent on better pursuits!!
That's what we call society- doesn't look like it's getting replaced by anything better any time soon. I've never been accused of being appeasing, cajoling or stroking by anyone I've ever worked for. I suppose manipulative works when you have to go explain the auditor's conclusions for them in a meeting with the CIO. I've known more than a few IT execs who've expressed a willingness to do the right thing, but they've got to know it's the right thing to do. Same with CEOs. CFOs are generally the problem cases (though I've come by some recently that were more risk averse than money averse.)

Heck, I got to hang out in a vacation resort in Florida once because the CIO of a large corporation I worked for wanted someone to come beat down the CIO of another corporation who was having his folks do a presentation on how great life was with their newfangled VPN all over (this was before VPN vendors had even tried to solve split tunneling.) This was good for illustrating three things-

1. If they _know_ they're taking the high road, they'll crow about it.
2. Ridiculing their buddies is important to them.
3. CIOs have better conferences than techies.
> You know the old saw about "you can lead a horse to water, but you can't make him drink?" It ignores an important fact, namely: horses will always drink if they need to, and won't if they don't need to. They're smart like that, unlike most people.
You can teach a parrot to communicate verbally with you too- but it takes work and a good bird. You can either wait for the parrots to evolve, or you can do the work...
> This whole information security thing is eventually going to filter into everyone's consciousness as relevant, but only after there's lots of pain. Unfortunately, it's usually the innocent who bear the brunt of the cost of the great "learning experience"
Ah, but you've said they're not innocent.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."