Firewall Wizards mailing list archives
RE: Castles and Security (fwd)
From: "Robert Graham" <robert_david_graham () yahoo com>
Date: Thu, 11 Jan 2001 14:02:07 -0800
Hhhmm. Ancient castles weren't about "defense", but "offense". A castle served as a base of operations from which warriors could sally forth, strike their enemies, then retreat back to safety. Castles were placed on hills overlooking key commerce areas (e.g. rivers) as a way of extracting tolls from passersby. Even in cases where castles were primarily defensive (Carcassonne), they were designed for temporary refuge for peasants to come in from the fields while the troops could sally forth/attack/retreat. Indeed, a synonym for "castle" is "retreat". The common people didn't live in castles; they were primarily designed as temporary refuges and positions of power to control the surrounding region. (I.e. a good offense is having a good defense).

When you think about it, major cities of the ancient world were not built like castles. The reason for the city's existence was trade and commerce. Fortifications that would keep out a major army would only impede commerce, removing the purpose of the city's existence in the first place. A city's protection lay not in the flimsy walls that surrounded it, but in the ability of its army to meet the approaching army. This is why Rome was sacked - it was wide open to the invaders.

As Marcus points out, large cities are not defensible using a castle mentality. Neither are networks. This is a source of great conflict within companies as business people want to open up their networks. They are in constant conflict with their own security people. The firewall nazis want to pull up the drawbridge and hide behind their castle walls. But your network isn't a refuge that you hide behind, but an open marketplace. Your goal isn't to defend the network, but to defend commerce.

I really dislike the entire class of military analogies. Warfare is about battles, well-known enemies, two parties fighting and responding to each other. There are occasional "battles" like the IRC wars, but most "hacking" has little in common with the military.

There is a love of the cyber-warfare analogy that leads to natural conclusions like the outlawing of cyber-weaponry. However, most people don't quite get the difference between an analogy and the real thing. There is no spoon. Cyber-weaponry doesn't really exist as such, though it is certainly a fun way of talking about it. (Most cyberlaw these days deals with these imagined stories that appeal to the masses; little applies to the real thing).

Personally, I feel a better analogy is something like the dikes in the Netherlands. They hold back the tide. The ocean isn't the "enemy" you are battling, but a fact of life you have to deal with; a force of nature. You don't get mad when the dike breaks and the ocean floods your village, you just repair things and move on.

The reason I choose this analogy is that a better model for the script-kiddy problem would be to look at them as wild animals. If a lion comes into your village and kills your neighbor, you are unhappy, but you don't get angry at the lion. It is just responding to animal instinct. You certainly hunt it down, though, and defend yourself, but in a dispassionate sort of way. In much the same way, machines exposed to the Internet have to deal with a background radiation of script-kiddy probes. It isn't worth getting angry at them; they are just animals responding to their instincts. They are a force of nature, like the wind and tides.

The reason I prefer this model is that with military analogies, you think in terms of "enemies". Script-kiddies aren't your enemy; they aren't out to get you in particular. The distinction is important when trying to create a model that defends against Internet attacks.

Think of the classic Birthday Paradox: in a room of 23 people, there is a > 50% chance that two people in the room have the same birthday. The reason this is a "paradox" is that the model people use in their minds is thinking of the probability that one other person in the room has the same birthday as them (which is indeed a small chance).

In cryptography, we have the same problem. Consider a cryptographic hash of 64-bits. This means that there is a one in 2^64 chance that somebody can create a message that has the same hash as your message. However, there is only one in 2^32 chance that somebody can create two messages with the same hash. What this means is that if I have one message, the difficulty of you finding another just like it is 2^64. However, let's say that you want to create two contracts with the same hash; after I sign the first promising to pay you $1, you substitute the second where I promise to pay you $1-million. This has a difficulty of only 2^32. (This is of course a gross simplification; I'm discussing the Birthday Paradox, not crypto).

Today's security people think in the same way. They use a military model where they calculate the risk that a hypothetical enemy will compromise their system. However, from the Birthday Paradox model, the risk is actually much higher when you think in terms of many simultaneous "enemies". There was a recent incident in the news where a big company got hacked by a script kiddy: the hacker wasn't going after that victim in particular, but once they found out who it was they hacked, they certainly took advantage of it.

One of the things that worries me about the (faulty) analogies is that people are trying hard to separate black from white (I see only shades of gray). We've grown up in the TV/movie era where the bad guys are not only clearly evil, but know that they are evil. In real life, people that everyone else sees as evil do not consider themselves evil. A couple of years ago, there was a mafia hit-man in the news. Even though he had killed over 20 people, he considered himself a good, god-fearing person; it was simply his job. Most "hackers" are the same way. I've never met one that considers himself "evil", just misunderstood.

Likewise, consider a model for cyber terrorism. The news, of course, is playing up the fears about a new wave of hacktivists. This doesn't match what is really going on. The way people view real terrorists isn't very accurate. The majority of terrorists aren't people who rationally determine that violence is the best way to achieve their goals. Instead, they are typically inherently violent people who are looking for ways that they can feel good about carrying out their desires. So-called "hacktivists" are the same way: they just want to hack, but they don't think of themselves as evil people, so they are looking for justification as to why it is ok to hack. Choosing the right model is important. One model says that there will be a new level of attacks as terrorists get a hold of hacker technology; the other model says that the level won't change, but the tone of their messages will become increasingly political.

I'm sorry for getting long-winded here; it touches my philosophical nerve. I disagree with most of the industry-standard models. Choosing the correct model has a big influence on how successful you will be.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
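The birthday-bound and "many simultaneous enemies" arguments in the post above, worked through as an added example (this is not code from the original message or from the list). It assumes a deliberately weak toy hash, SHA-256 truncated to a few bits, so that both searches finish quickly; the function names (birthday_collision_probability, find_collision, find_second_preimage, risk_with_many_attackers) and the "contract-variant-N" / "forgery-N" sample messages are constructed for this illustration. The point it makes concrete is the one in the post: finding any two colliding messages costs about 2^(n/2) trials, while matching one fixed message costs about 2^n, and the chance that at least one of many untargeted probes succeeds grows the same way the room full of birthdays does.

```python
import hashlib
import math
from typing import Dict, Optional, Tuple


def birthday_collision_probability(people: int, days: int = 365) -> float:
    """Chance that at least two of `people` share a birthday drawn from `days` values.

    Exact product form: P(all distinct) = prod_{i < people} (days - i) / days.
    """
    p_distinct = 1.0
    for i in range(people):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


def expected_trials_for_collision(bits: int) -> float:
    """Approximate number of random hashes drawn before two of them collide.

    For an n-bit output the expectation is about sqrt(pi/2 * 2^n), i.e. on the
    order of 2^(n/2): the 2^32 figure for a 64-bit hash in the post above.
    """
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its `bits` leading bits.

    A deliberately weak toy hash (assumption for this example) so the searches
    below finish in milliseconds; not a recommendation for real hashing.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int) -> Tuple[bytes, bytes, int]:
    """Generate deterministic candidate messages until two share a truncated hash.

    Returns (message_a, message_b, number_of_messages_generated). The count
    lands near 2^(bits/2), not 2^bits: the "two contracts" case from the post.
    """
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        msg = ("contract-variant-%d" % counter).encode()  # constructed sample input
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_second_preimage(target: bytes, bits: int, limit: int) -> Optional[int]:
    """Search for a different message with the same truncated hash as `target`.

    Returns the number of trials used, or None if `limit` trials were not enough.
    Expected cost is about 2^bits trials (the "one message" case), hence the cap.
    """
    target_h = truncated_hash(target, bits)
    for i in range(limit):
        msg = ("forgery-%d" % i).encode()  # constructed sample input
        if msg != target and truncated_hash(msg, bits) == target_h:
            return i + 1
    return None


def risk_with_many_attackers(p_single: float, attackers: int) -> float:
    """Probability that at least one of `attackers` independent probes succeeds,
    each with success probability `p_single`.

    Models the "background radiation" of untargeted scanning rather than a
    single deliberate enemy: 1 - (1 - p)^N grows quickly with N.
    """
    return 1.0 - (1.0 - p_single) ** attackers


if __name__ == "__main__":
    print("23 people share a birthday with p = %.3f" % birthday_collision_probability(23))
    print("64-bit hash: ~%.2e random hashes before a collision (2^32 = %d)"
          % (expected_trials_for_collision(64), 2 ** 32))
    a, b, n = find_collision(24)
    print("24-bit toy hash: collision %r / %r after %d messages (2^12 = 4096)" % (a, b, n))
    trials = find_second_preimage(b"contract-pay-1-dollar", 24, 20000)
    print("24-bit toy hash: second preimage within 20000 trials? %s (expected ~2^24)" % trials)
    print("1000 independent probes at p=0.001 each: p(at least one hit) = %.3f"
          % risk_with_many_attackers(0.001, 1000))
```

Running it shows the asymmetry the post describes: the 24-bit collision search typically stops after a few thousand messages, while the capped second-preimage search against one fixed message usually comes back empty. Raising `bits` toward a real digest size makes the second number astronomical and the first merely large, which is exactly why digest length, not just "is the hash cryptographic", determines how much margin a signed document has.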