Firewall Wizards mailing list archives

RE: Castles and Security (fwd)


From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Thu, 11 Jan 2001 14:02:07 -0800

Hhhmm.

Ancient castles weren't about "defense", but "offense". A castle served as a
base of operations from which warriors could sally forth, strike their
enemies, then retreat back to safety. Castles were placed on hills
overlooking key commerce areas (e.g. rivers) as a way of extracting tolls
from passersby. Even in cases where castles were primarily defensive
(Carcassonne), they were designed for temporary refuge for peasants to come
in from the fields while the troops could sally forth/attack/retreat.
Indeed, a synonym for "castle" is "retreat". The common people didn't live
in castles, they were primarily designed as temporary refuges and positions
of power to control the surrounding region. (I.e. a good offense is having a
good defense).

When you think about it, major cities of the ancient world were not built
like castles. The reason for the city's existence was trade and commerce.
Fortifications that would keep out a major army would only impede commerce,
removing the purpose of the city's existence in the first place. A city's
protection lay not in the flimsy walls that surrounded it, but in the
ability for its army to meet the approaching army. This is why Rome was
sacked - it was wide open to the invaders. As Marcus points out, large
cities are not defensible using a castle mentality.

Neither are networks. This is a source of great conflict within companies as
business people want to open up their networks. They are in constant
conflict with their own security people. The firewall nazis want to pull up
the drawbridge and hide behind their castle walls. But your network isn't a
refuge that you hide behind, but an open marketplace. Your goal isn't to
defend the network, but to defend commerce.

I really dislike the entire class of military analogies. Warfare is about
battles, well-known enemies, two parties fighting and responding to each
other. There are occasional "battles" like the IRC wars, but most "hacking"
has little in common with the military. There is a love of the cyber-warfare
analogy that leads to natural conclusions like the outlawing of
cyber-weaponry. However, most people don't quite get the difference between
an analogy and the real thing. There is no spoon. Cyber-weaponry doesn't
really exist as such, though it is certainly a fun way of talking about it.
(Most cyberlaw these days deals with these imagined stories that appeal to
the masses, little applies to the real thing).

Personally, I feel a better analogy is something like the dikes in the
Netherlands. They hold back the tide. The ocean isn't the "enemy" you are
battling, but a fact of life you have to deal with; a force of nature. You
don't get mad when the dike breaks and the ocean floods your village, you
just repair things and move on.

The reason I choose this analogy is that a better model for the script-kiddy
problem would be to look at them as wild animals. If a lion comes into your
village and kills your neighbor, you are unhappy, but you don't get angry at the
lion. It is just responding to animal instinct. You certainly hunt it down,
though, and defend yourself, but in a dispassionate sort of way. In much the
same way, machines exposed to the Internet have to deal with a background
radiation of script-kiddy probes. It isn't worth getting angry at them, they
are just animals responding to their instincts. They are a force of nature,
like the wind and tides.

The reason I prefer this model is that with military analogies, you think in
terms of "enemies". Script-kiddies aren't your enemy, they aren't out to get
you in particular. The distinction is important when trying to create a
model that defends against Internet attacks. Think of the classic Birthday
Paradox: in a room of 23 people, there is a > 50% chance that two people in
the room have the same birthday. The reason this is a "paradox" is that the
model people use in their minds is thinking of the probability that one
other person in the room has the same birthday as them (which is indeed a
small chance). In cryptography, we have the same problem. Consider a
cryptographic hash of 64-bits. This means that there is a one in 2^64 chance that
somebody can create a message that has the same hash as your message.
However, there is only one in 2^32 chance that somebody can create two
messages with the same hash. What this means is that if I have one message,
the difficulty of you finding another just like it is 2^64.  However, let's
say that you want to create two contracts with the same hash, after I sign
the first promising to pay you $1, you substitute the second where I promise
to pay you $1-million. This has a difficulty of only 2^32. (This is of
course a gross simplification, I'm discussing Birthday Paradox, not crypto).

Today's security people think in the same way. They use a military model
where they calculate the risk that a hypothetical enemy will compromise
their system. However, from the Birthday Paradox model, the risk is actually
much higher when you think in terms of many simultaneous "enemies". There
was a recent incident in the news where a big company got hacked by a script
kiddy: the hacker wasn't going after that victim in particular, but once
they found out who it was they hacked, they certainly took advantage of it.

One of the things that worries me about the (faulty) analogies is that
people are trying hard to separate black from white (I see only shades of
gray). We've grown up in the TV/movie era where the bad guys are not only
clearly evil, but know that they are evil. In real life, people that
everyone else sees as evil do not consider themselves evil. A couple years
ago, there was a mafia hit-man in the news. Even though he had killed over
20 people, he considered himself a good, god-fearing person; it was simply
his job. Most "hackers" are the same way. I've never met one that considers
himself "evil", just misunderstood.

Likewise, consider a model for cyber terrorism. The news, of course, is
playing up the fears about a new wave of hacktivists. This doesn't match
what is really going on. The way people view real terrorists isn't very
accurate. The majority of terrorists aren't people who rationally determine
that violence is the best way to achieve their goals. Instead, they are
typically inherently violent people who are looking for ways that they can
feel good about carrying out their desires. So called "hacktivists" are the
same way: they just want to hack, but they don't think of themselves as evil
people, so they are looking for justification as to why it is ok to hack.
Choosing the right model is important. One model says that there will be a
new level of attacks as terrorists get a hold of hacker technology, the
other model says that the level won't change, but the tone of their messages
will become increasingly political.

I'm sorry for getting long winded here, it touches my philosophical nerve. I
disagree with most of the industry standard models. Choosing the correct model
has a big influence on how successful you will be.






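Added example (not part of the original post): the Birthday Paradox arithmetic from the message, run on SHA-256 truncated to 16 bits so both searches finish quickly. The 16-bit size, the "(ref N)" variant scheme and all function names are assumptions made for illustration; the contract wording follows the message's $1 / $1-million scenario.

```python
import hashlib
from math import prod

BITS = 16  # toy digest size (assumption) so the searches finish quickly

def h(msg: bytes, bits: int = BITS) -> int:
    """SHA-256 truncated to `bits` bits: a stand-in for a short hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def birthday_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share one of `days` values."""
    return 1.0 - prod((days - i) / days for i in range(people))

def variant(text: str, i: int) -> bytes:
    """Constructed message variant: same wording plus a reference number."""
    return f"{text} (ref {i})".encode()

def second_preimage(target: bytes, text: str, limit: int = 1 << 20):
    """Targeted search: match ONE fixed digest. Expected ~2**BITS tries."""
    want = h(target)
    for i in range(limit):
        if h(variant(text, i)) == want:
            return variant(text, i), i + 1
    return None

def contract_collision(cheap: str, costly: str, limit: int = 1 << 20):
    """Untargeted search: ANY cheap variant matching ANY costly variant.
    Expected ~2**(BITS/2) variants of each text."""
    seen_cheap, seen_costly = {}, {}
    for i in range(limit):
        a, b = variant(cheap, i), variant(costly, i)
        seen_cheap[h(a)] = a
        seen_costly[h(b)] = b
        if h(a) in seen_costly:
            return a, seen_costly[h(a)], 2 * (i + 1)
        if h(b) in seen_cheap:
            return seen_cheap[h(b)], b, 2 * (i + 1)
    return None

if __name__ == "__main__":
    print(f"23 people: {birthday_probability(23):.3f}")
    cheap, costly = "I promise to pay you $1", "I promise to pay you $1-million"
    a, b, n = contract_collision(cheap, costly)
    print(f"collision after {n} hashes:", a, b)
    hit = second_preimage(variant(cheap, 0), costly)
    print("second preimage tries:", hit[1] if hit else "not found")
```

The same gap between "one particular match" and "any match among many" is what the message applies to many simultaneous attackers probing many hosts.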