Security Basics mailing list archives

Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


From: "Adam Vollmer" <volmarias () gmail com>
Date: Sat, 13 May 2006 11:28:42 -0700

Good god, that's a lot of rant.

You also forget that big business takes an attitude that they will sick a swarm of
lawyers after your butt if you do anything to harm their networks and systems.
Case in point is the recently posted article about someone who found a flaw
within a system environment, broke in, logged everything, told them about it, gave
them the necessary information, and asked for *nothing* in return, only to be
arrested for digital trespassing.

Since you can't link to the story in question, I can only guess, but I
expect that's just as much fun as coming home and seeing a note in
your bed that reads:

"Hey guy, you're using a model X46 type lock, which was recently
found to have a design flaw making it quite weak! Bad guys could break
in and steal everything! Use a X47 type lock instead! Hope this helps!
- Ted (555) 555 - 1234"

Reaction #1 is to call the police.
Reaction #2 is to call the locksmith after taking care of reaction #1.

I love to screech about "the corporations" as much as the next guy,
but your example sucks.

On 5/11/06, Bob Radvanovsky <rsradvan () unixworks net> wrote:
Read below for my 'soapbox' version...  (you have been warned)

-r

----- Original Message -----
From: Jason Muskat [mailto:Jason () TechDude Ca]
To: "Sadler, Connie" [mailto:Connie_Sadler () brown edu],
email () securityabsurdity com, security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And
Total Failure of Information Security."


> Hello,
>
> Most of the time, security, any security, is about bringing that feel good
> feeling to the customer; having somebody to blame when something goes bad
> is a plus as well.
>
> Real security is very rare as it costs a lot. Most people think they are
> secure because of a policy, or something just as silly like a sign on the
> wall.

You also forget that big business takes an attitude that they will sick a
swarm of lawyers after your butt if you do anything to harm their networks
and systems.  Case in point is the recently posted article about someone who
found a flaw within a system environment, broke in, logged everything, told
them about it, gave them the necessary information, and asked for *nothing*
in return, only to be arrested for digital trespassing.  Corporations feel
that they control everything, and so, therefore, in the eyes of their
attorneys, anything you do on their networks becomes their property.  Their
policies are reflective of these principles and cultures (meaning, way of
thinking and how they 'do' things).  Yes, the securification process costs
money, and yes, it is a never-ending cycle (contrary to some belief, it is a
'circular' cycle, rather than a straight line); however, executive
management want immediate resolution.  They lack the conceptualization that,
what is secure now, *might be* unsecure an hour from now, a day from now, a
week, a month...you get the picture, right?  And, executives are getting
tired of the "Chicken Little Syndrome" of that the sky is falling, or the
"Driver's Ed Syndrome" of "*THIS*...COULD...HAPPEN...TO **YOU**!" with its
cheesy sound effects from the days of 35-38mm film projectors (sound fading
in and out, or the jittered sounds....ah, the days of bad films gone bad in
the film projector days).  Go back to previous sentence: they want
resolution -- NOW!!!

You have to look at the entire holistic aspect of everything.  It's not
just about a policy, or a placard on a wall.  It's about the culture of the
corporation, and how they view and feel about securing their environment.
If they take security seriously, the corporation appears to be too tightly
controlled, some even going to the extreme of stating that it's a
dictatorship.  If they don't consider security as an issue, and take a $400
million general insurance policy out, then their attitude is the "swarm and
kill" method of sicking their teams of lawyers after you if you digitally
trespass or smear/discredit the name and reputation of the corporation.
Either way, you lose.

There's nothing silly about having a placard on a wall.  It indemnifies them
against liability.  Remember: liability....bbbaaaaaaaadddd;
money....ggggooooooooooddd.


> I think it is imperative that government set and regulate minimal real
> information security standards especially in sectors that provide
> essential services such as power, telecomm, and banking, and such. The
> regulations will allow the security people to enforce security despite a
> line of business not wanting to 'implement' a secure solution. People are
> still building new applications and workflows that use telnet and refuse
> to use SSH or any other secure methods such as telnet over SSL.

How would having yet another thing that our government would bolox up, be a
"good thing" for *US*???  Tell me how????  Imposing more regulations,
controls and governances -- which don't work -- add nothing but more
headaches and TONS more paperwork that *YOU* will have to fill out!!!  Think
you fill out a lot of formed requests right now?  Wait.  If you impose
sanctions for having government control of business, (1) corporations will
baulk at the whole idea, (2) if there's a will, there's a way, and both
corporations -- and hackers -- will find ways of circumventing everything
(which they already do -- look at HIPAA and SOX; only a small percentage of
healthcare providers actually give a damn about HIPAA -- most of them,
DON'T), and (3) impose an authoritarian control over people, which again,
will mean that there will be uprisings, etc.  If you want to control the
masses, you MUST convince them that they *want* to be controlled, that they
*need* to be controlled, etc.  Rules of engagement for American Dictatorship
101.

OK, let me ask you a few more questions...does security work?  Heck, does
auditing work?  I've been in a heated debate now for well over a year about
*how* IT auditing should work.  For one thing, just casually observing it,
it doesn't.  For one thing you've got non-technical people making technical
observations based on a set of criteria established by some other party
elsewhere.  How is that "auditing" (per se)?  I do this because there are a
few people out there who are vehemently opposed to the so-called audits
conducted by the Big 4 these days.  They all run the same sets of Open
Source tools and scripts, shlopp the company's name, some bits and pieces of
data into a 500-600 page template, and VOILA! -- instant IT audit assessment
of your company!!!  ("That'll be $150,000 for your assessment, please.")
Never mind the remediation aspect of it where they bring in busloads of
people who will do *nothing*, but sit at meetings, drink lots of *your*
coffee and tell you that you're unsecure.  No resolution, just a lot of
fluff.  If you ask specific questions to the auditors, you get blank
stares, similar to that of a deer in headlights look.  In the same sense,
you've got yer corporate Gestapo (er, um...I mean "security folks") who come
up the ranks of a rent-a-cop security company, or just recently passed their
blah-blah-blah certification -- no degree, no long-term experience -- now
telling you that YOU MUST, or YOU SHOULD -- do this, that and something
else.  Are you *really* sure that you want to give this to an individual, or
group of individuals, who have absolutely no idea on what "security" is?

Better yet...let's use this analogy...

You own a company that processes toxic waste from a manufacturing plant to a
"waste processing center" (which in this case, is an open pit, say,
someplace out in Nevada).  Your company has hired a trucking company to
haul this stuff, upon which any contact of any flesh (animal, plant, or
human), literally *melts* instantly.  The trucking company won the RFP
contract from your company because they were the lowest bid in the contract
process (typical of both corporations and government...it's the "How Low Can
You Go" game), to hire a trucking company with a long history of traffic
violations, hiring foreign nationals from other countries (who speak very
little English, and barely understand the traffic signs) and have been given
a 3-8 hour course of how to drive a semi-tractor trailer.  Now...   Putting
it into *that* context, would you want to be the one who's responsible for
that company that just hired that waste hauler?  And, of course, it's been
mandated -- by law -- that you must use a certified waste hauler, of which,
these people are licensed and certified -- barely -- but still legal.

The same would hold true of imposing hiring an outside security company,
which -- more than likely -- would be an "American" company, with call
centers elsewhere in the world, along with their "technicians", who are
completely opposite whatever timezone you are in (if it's daytime for you,
it's nighttime for them).  The only "Americans" you'd see are the marketing
and sales reps that want you to sign a contract for monitoring your network
from a foreign country.  Of course, there's also the "incident management"
aspect of it in terms of the SLA (that's "Service Level Agreements"),
stipulating the amount of work that <X> needs to perform if <Y> happens,
only to have them tell you that your contract doesn't stipulate that level
of support, and that it would cost an additional $500,000 to get it.  Your
corporate executives could *swear* that they read all of the fine print, and
now suddenly have a vacation to take in Haiti with their (er) "family".

Interesting note though...we have 5 or 6 times more security today now than
we did in 1998 and 1999.  Yet... we have more intrusion "incidents" today
than ever.  Yet, we're more "secure".  Would imposing more regulation
actually *fix* the problem?  I'd say 'no'...

"Security" is a matter of perception.  If the companies don't see it as an
issue, it (quite simply) is *not* an issue.

>
> Regards,
>
> --
> Jason Muskat  | GCUX - de VE3TSJ
> ____________________________
> TechDude
> e. Jason () TechDude Ca
> m. 416 .414 .9934
>
> http://TechDude.Ca/
>
>
> > From: "Sadler, Connie" <Connie_Sadler () brown edu>
> > Date: Wed, 10 May 2006 13:01:06 -0400
> > To: <email () securityabsurdity com>, <security-basics () securityfocus com>
> > Conversation: Article: "Security Absurdity: The Complete, Unquestionable, And
> > Total Failure of Information Security."
> > Subject: RE: Article: "Security Absurdity: The Complete, Unquestionable, And
> > Total Failure of Information Security."
> >
> >
> > I think there is a *lot* more to this, but don't have the time to fully
> > respond. Good things to think about - yes! But InfoSec has never had the
> > authority to do what's best. Ideas are floated and quickly rejected, and
> > the "balance" we all try to provide is as much as many of us can "push"
> > out against a very resistant culture.
> >
> > Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
> > Director, IT Security, Brown University
> > Box 1885, Providence, RI 02912
> > Office: 401-863-7266
> >
> >
> >
> > -----Original Message-----
> > From: email () securityabsurdity com [mailto:email () securityabsurdity com]
> > Sent: Wednesday, May 10, 2006 12:54 AM
> > To: security-basics () securityfocus com
> > Subject: Article: "Security Absurdity: The Complete, Unquestionable, And
> > Total Failure of Information Security."
> >
> >
> > Security Absurdity: The Complete, Unquestionable, And Total Failure of
> > Information Security.
> >
> >
> > A long-overdue wake up call for the information security community.
> >
> >
> > Article: http://www.securityabsurdity.com/failure.php
> >
>
>
>