Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 16:00:50 -0400

Paul D. Robertson wrote:
> They understood what they were doing- ordering DSL service.

You neatly sidestepped answering my important question, which
is whether or not their product documentation might have included
information that there was also a wireless access point included
(and possibly even how to secure it) with the router. By that logic
someone who chooses to remain ignorant about safe chainsawing
techniques is not at fault if they cut their foot off because "all
they needed to know was that they were cutting wood."   I think
that the laws on the books regarding vehicular manslaughter, etc,
indicate that society has established an expectation of understanding
and expertise on the part of users of tools that need expertise and
knowledge.

Perhaps the ISP's lawyers should have included a big red
sticker on the router that read "BEFORE PLUGGING THIS IN
YOU MUST HAVE A CLUE." But that's obvious. In fact, it
probably also came with admonitions to "read the fine manual."
Just like my chainsaw does.

> Do you honestly think the documentation that comes with a DSL router gives
> the average consumer without wireless equipment enough information to make
> a real risk judgment?

Of course it doesn't. But that's an explanation, not an excuse.

> I think there's a happier ground that's somewhere in the middle- and I
> think that absolving vendors of any of the downfall of their products is
> just as bad as making them responsible for all of it...

I agree with that. So does the law. If a vendor sells something based
on deceptive claims it's against the law and vendors of various products
(including a few cases involving computer security products) have
been hauled in by the FTC for deceptive claims or marketing.   *
The only effect of getting lawyers involved in this kind of thing would
be to have the DSL router come with 30 pages of legal warnings
written by the providers' lawyers, disclaiming all liability for incorrect
use of the product and/or service. In fact I bet if we researched this
particular incident more closely we'd discover that the customers
*already* had gotten and ignored such warnings. Maybe we could
require that the ISP sell the product with a big red sticky WARNING
label on it for the customer to peel off and ignore.

In the best of all possible worlds, of course, the product would
ship with unnecessary everything turned off, and a tight policy
enabled by default. Requiring the customer to take a deliberate
action to bring about their downfall is a good approach. I.e.: "Click
HERE<< to install new Spyware."   Which, of course, they
will do.

If you push this point to the legal system, all products will
ship with a fluorescent sticker that reads "RTFM" on it. And
that's about it. I think that'd be funny but it won't help.

> In this case, the product is shipped open so the vendors in question don't
> have to take the expense of support calls. In that case, I think it's
> reasonable to have them bear the brunt of the cost of that configuration choice.

I think neither of us knows enough to say. Do you actually know
that it shipped open for the vendors' convenience? Do you know
whether the customer received any admonition to read the fine
manual? For all I know, the customer might have paid $20 extra
for a DSL router with "wireless" thinking that sounded Very Cool.

We just don't know enough to say.

I do know one thing: if CNN covered the story about some family
of clueless yutzes having their door kicked in by gun-wielding
law enforcement officers because they had their DSL mis-configured,
*and* CNN covered the fact that the family had to *pay* for the
expenses of the SWAT team, and the door, and their legal
defense and the spackle to fix the bullet holes - - well, I bet a
few more people would ask their providers, "this hasn't got that
wireless stuff that attracts SWAT teams, does it? I don't want
any of that..."

> Ah grasshopper, you miss the point. The *life* of a security admin is to
> take the high road, but the *job* of a security admin is to get his
> organization to take the high road. That can only be done by ensuring
> that the executive level knows when it's doing the right thing.

I got that. I think we're violently in agreement on this point.

Security experts should help their constituents understand that
there is a true path, and help them walk it. Yet, above and
beyond that is a truer path, still, which is that of telling people
"the true path is for YOU to understand the path, and stop
asking ME."  :)

Put differently: we're too busy trying to explain to lots of
execs why the front of their trousers is all damp. Option
#1 is to tell them "unzip before you p*ss"   Option #2 is to
tell them, "you should think before you p*ss"  Option #3
is to tell them, "you should understand what you're doing
as it affects yourself and others."   Which is the true path,
sensei?

> I've never been accused of being appeasing, cajoling or stroking by anyone
> I've ever worked for. I suppose manipulative works when you have to go
> explain the auditor's conclusions for them in a meeting with the CIO.

I know you haven't. :) That's why I'll share beers with you any time. :)

This whole information security thing is eventually going
to filter into everyone's consciousness as relevant, but
only after there's lots of pain. Unfortunately, it's usually
the innocent who bear the brunt of the cost of the great
"learning experience"

> Ah, but you've said they're not innocent.

In that case, I was thinking of the poor suckers who were getting
spammed as the "innocent"

mjr.
---
(* which begs the question of why Microsoft has not been hauled in
by the FTC for claiming on the Windows XP box that you can now
"safely and securely access the Internet".  Excuse me? Bill, I've
got news for you...)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards