Firewall Wizards mailing list archives

RE: Lloyds to offer hacker insurance


From: Matthew Patton <patton () sysnet net>
Date: Fri, 8 May 1998 14:31:51 -0400

I think I can safely say (paraphrasing Kevin) that the prevailing
management attitude is, "Hey, I passed the C&A so I can back-burner
security until the next C&A cycle." And then they get whacked. Not their
fault - they passed the C&A.

Funny this should come up. But digging back into the archives of history,
let us recall the most embarrassing hack of www.af.mil circa Jan 1996. So,
perhaps the readership has forgotten (or did I fail to post) that just DAYS
before the hack, DTIC's computer systems underwent a 'security checkup' by
none other than DISA's ASSIST intrusions tiger team. Said team asked DTIC
to point out their internet-connected boxes and ran a set of tools against
them and, upon finishing, blessed their health. Seems nobody at DTIC
mentioned the nifty new IRIX box sitting off in a corner playing dumb and
happy at the address of 'www.af.mil'. So the DTIC guys went happily on
their way, forgetting all about certain built-in accounts not having
passwords (default out-of-box setup) or that some flaming bozo had set the
root password to "1234". So you see, audit or not, who says the auditors will
do a complete job? The fact that the intrusion team didn't "find" the IRIX
box is a bit troubling, no?

"Insurance" in the .mil/.gov arena usually translates to
"Plausible Deniability" or some other form of Vogon poetry.

Precisely!! So who in the Pentagon do we want to hack today???
'Flippergate', got to love it.

--------
"There are no significant bugs in our released software that any
significant number of users want fixed." - Bill Gates in an interview with
Focus magazine, Oct 23, 1995.
