Firewall Wizards mailing list archives

Re: The Morris worm to Nimda, how little we've learned or gained


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Thu, 03 Jan 2002 15:44:55 -0500

R. DuFresne wrote:
> And we have not even broached the topic here of vendor
> responsibility...

There's enough blame that everyone involved can shoulder a ton of guilt.

I've been watching the blame in computer security flow in circles for
years. The flow looks like this:
- The hackers blame the sysadmins who leave their machines open
- The sysadmins blame the vendors who write buggy insecure code
- The vendors blame the customers who place a premium on features over quality

What's ironic - and what makes the whole problem so intractable - is the
fact that they're _all_ right. Everyone has to do a lot less whining and get
a lot more serious about fixing their piece of the problem and not
pointing out where everyone else is letting them down. That's what it'll
take to get the circle-jerk to stop.

I can tell you a few of the indicators that I'm looking for which will indicate
that progress is about to be made in security:
1) The first time a company goes public and becomes huge based on the
        premise that their software is super-high-quality.
2) The first time an operating system ships that doesn't need to have all
        its software installed with system privileges to function
3) The first time customers place and enforce a purchase ban on a software
        product notorious for insecurity and unreliability
4) The first time that ISPs act together to ban an application from their
        backbone(s)
5) The first successful class-action lawsuit over software quality encompassing
        security

Note that not only do I see no sign of the above happening, I see signs in
the industry and community that steps are being taken to _prevent_ some of
the above. Most notably #5 and possibly #3.

The sad reality is that safety technology only gets applied once it's obvious
that the damage from not applying it is extremely expensive to the entire
community. Remember - we didn't have mandatory seatbelts in cars until
the 1960's and didn't have mandatory shoulder straps until the 1970's. Air
bags didn't come until the 1980's and mandatory _use_ laws are only recently
on the books in most states. Internationally, the situation is worse. And
people have known for a long time that seat belts save lives...

It's going to take a lot longer to clean this stuff up. Some of us will literally
not live to see it - I expect to be dead of old age (at a healthy age, mind you!)
before major progress in computer security is widespread.

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                           http://www.nfr.com
Personal:                      http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
