Firewall Wizards mailing list archives
Re: Security dumming down - the king's clothes
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 12 Dec 2003 11:03:01 -0500
> Anyone in the news media know why this critical security story was de-indexed so quickly? Internet worms and critical infrastructure, Bruce Schneier <http://news.com.com/2010-7343-5117862.html?tag=nefd_gutspro> It's a detailed examination of the correlation between MSBlast and the Aug. 14 power blackout. Recommended reading, however, despite being published on Dec. 9 it is no longer included in Cnet's front page index or their security index which goes back to Nov. 25.
Bruce's look at the problem is probably too technical for a lot of journalists. :) Seriously, though, Bruce makes some provocative points but unfortunately, now that the event is over, it's probably not going to be possible to tell exactly what *DID* happen. More interesting broad questions that could have been asked are hidden in Bruce's article, and therefore are ignored, namely:

1) If these networks are so critical, why are their controlling systems internet-connected at all!?
2) If these networks are so critical, why has there been no overall systematic design of their security properties?
3) If these backup systems and management systems that Bruce mentions are also critical to the grid networks, why aren't they treated as such?

I guess, to me, it boils down to "what, don't people understand that transitive trust implies transitive failure?" but that's a statement of the obvious. :( When I read something like Bruce's article, I divorce it automatically from Microsoft-related questions - if Microsoft wasn't the issue, some other software vendor would be. As much as we're all jealous of Microsoft's wealth and power^H^H^H^H^H^H^H^H^H^H^H^H^H^H concerned by Microsoft's dominance in the software industry, I don't suspect that any of the other O/S vendors out there (Sun? IBM? Apple?) would do a fantastically superior job if they had 99.9% of the desktops in the world, either. So focus on the kind of issues I see above: why are trust boundaries between mission critical and non-critical networks weakly defined and poorly understood?
> Would it be paranoid to associate this with @Stake's dismissal of Dan Geer after voicing his personal opinion of this same vendor's security and the short shrift major news outlets gave that?
Major news outlets did NOT pay "short shrift" to the Geer/Schneier/et al paper on monocultures. In fact, they hyped it far beyond its worth. It's an interesting position paper but I think it contains serious flaws (see http://www.ranum.com/security/computer_security/rants/monoculture.html for my views, which I won't repeat here). You've perhaps forgotten, but that event was news for almost a week. In today's news environment, a *week* is what you get if you're Michael Jackson and you're arrested for child molestation. A *week* is a lot of media attention. Indeed, Geer et al's paper has sparked a long-term hype-trend on the monoculture topic, as far as I can tell. Viz: http://news.com.com/2102-7355_3-5111905.html?tag=st_util_print My assessment is that the paper in question got an unusually large helping of media attention, for a computer security story.
> These correlations were further supported a couple of weeks ago at Stanford's Cyber Security Conference where all speakers went to great lengths to avoid criticizing the vendor in question.
Even you avoided naming Microsoft, my friend! :) What have they got on you? ;) That was the DHS one, right? Now, in that case, you were dealing with people who still are hoping to get money and favors from Microsoft. So of course they are going to be careful not to bite the hand that feeds them.
> All of which makes me wonder about an article by Fred Avolio in September's Information Security Magazine. <http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss81_art179,00.html> It was, on the surface, an attempt to make a distinction between "stateful inspection" and "application intelligence", but anyone who knows Fred can see that the story was dumbed down to such an absurd degree that it makes no sense at all, except perhaps to a marketing or rhetoric PhD. It should be noted that Information Security Magazine rarely covers anything other than products which run under operating systems written by the vendor in question and that they rarely say anything negative about anything.
I don't think Fred needs me to stick up for him so I won't. ;) But - if I know Fred, he was probably trying to make a subtle point about marketing bullsh*t applied to computer security. :) After all, "application intelligence" sure sounds like a marketing bullsh*t reinvention of proxy firewalls - which is old old stuff not new new stuff. I don't want to put words into Fred's mouth but I know he sees his job as to educate - to try to get people who are not very technically sophisticated (but who may think they are) to see the fundamentals that they haven't had time to learn. Part of the "dumbing down" that you're seeing is the result of security's newfound importance as a field. We've got loads of folks who are trying to spin up quickly because they've finally realized they need to worry about it. We've also got tons of new security companies trying to cash in on security's newfound importance - so every one of those companies (most of which sell pretty much the same thing) has marketing idiots who work for them who say "we need to define a NEW CATEGORY OF PRODUCT" so they start messing with the language. Now, all those poor newly-minted security guys have to wade through all this new marketing glop filled with claims that they have to validate the truth or falsity of, and new terminology they have to figure out. To a greater or lesser degree, a lot of us old-timers try to fight the flood of bullsh*t by educating customers and end users so they can identify it themselves. So, yes, Fred probably is dumbing down a lot of stuff. You don't make a lot of friends if you write an article that says "Calling something 'stateful multi-layer inspection' is a ridiculous load of dingoes kidneys when you consider that all it's doing is keeping a state-table entry on which direction you saw the original SYN packet and doing some minimal TCP sequence processing to make sure packets are within a window. Only a marketing idiot would come up with a term like 'stateful multi-layer inspection' for something that's basically a little bit more stateful than router 'established' screening." Of course journalists aren't required to make friends but - it doesn't help a lot if your editors get hate mail each time you write a column. :)
> The common thread is the amazing degree to which cyber security is being dumbed-down whenever it applies to this one particular vendor.
Can't you say "Microsoft"? Cat got your tongue? ;) I don't think that's the case. There's certainly no broad conspiracy or even a small one. There are a few companies and individuals who look out for their financial interests - but they HAVE to. :) There's also a matter of professional ethics. I happen to believe that if you're taking someone's money you should not publicly throw rocks at them unless that's part of your arrangement. It falls under the old rule of "the customer is always right". @Stake's single largest customer was Microsoft. By doing what he did without telling his boss what he was doing, Geer broke the 3rd law of corporate survival: he surprised his boss with something bad involving a big customer. Whether it's morally justified or not, it's professionally stupid. Dan could have resigned a year or 2 before he published that paper, if that's how he really felt, and then nobody could have faulted him at all.

If you work for a man, in heaven's name, work for him. If he pays you wages which supply your bread and butter, speak well of him, stand by him and the institution he represents. If put to a cinch, an ounce of loyalty is worth a pound of cleverness. If you must vilify, condemn and eternally disparage -- resign your position, and when you are outside, damn to your heart's content. But as long as you are a part of the institution, do not condemn it. If you do that, you are loosening the tendrils that are holding you to the institution, and by the first high wind that comes along, you will be uprooted and blown away and probably will never know why. - Elbert Hubbard
> Perhaps the most damaging example of this is our own government's failure to even identify the vendor as the source of its worst infrastructure vulnerabilities and the cause of nearly every documented security breach. <http://govtsecurity.securitysolutions.com/ar/security_think_tank_gives/>.
Yeah, this surprised me, too. Because Microsoft is NOT the source of its worst infrastructure vulnerabilities. I'd have expected my government workers to be eager to find someone else to blame. Microsoft is not the problem! The problem is: why has our federal government built mission-critical internet-facing systems using such poor security? A lot of the problems with Windows can be mitigated (it's hard work... but it's doable). Why has such incompetence become endemic in federal IT? Put another way: why would we believe that the same people who built the government's existing insecure Windows systems would be able to build secure systems using UNIX or anything else for that matter? Perhaps that's why there's silence. With current federal IT expertise and procurement practices (basically nobody knows how to do anything except hire contractors) federal IT security is going to s*ck no matter what.
> The logical outcome of this collective failure to recognize the king has no clothes will, I fear, be as bad for information security as it was for the airlines on 9/11/01.
A lot of folks recognize that the emperor has no clothes. The question is: why? Microsoft's stuff is certainly PART of the problem but another big piece of the problem is that people insist on buying it and don't manage it right. There's enough blame to go around and just assuming a conspiracy is too simplistic. The truth is a more complex combination of clueless customers, cruddy code, incompetent federal IT workers, consultants out for a buck, marketing idiots, and a dash of denial.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
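Ranum's description of what a "stateful" packet filter actually does (a state-table entry recording which direction the original SYN was seen, plus a sequence-number window check), written out as an added example that is not part of the original thread. The `Packet` class, the `StatefulFilter` class and the fixed `WINDOW` size are assumptions for illustration.

```python
# Added example, not from the original thread: a toy "stateful inspection"
# filter of the kind Ranum describes. A state-table entry records which
# direction the original SYN was seen; afterwards each packet only has to
# land inside a sequence-number window. Packets are constructed objects;
# nothing here touches real sockets.
from dataclasses import dataclass

WINDOW = 65535  # assumed window for the sequence-number sanity check


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int


class StatefulFilter:
    """Inside hosts may open connections; outside packets pass only when
    they match an entry created by an inside-originated SYN."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix
        self.table = {}  # 4-tuple -> {"out": last_seq, "in": last_seq}

    def _lookup(self, p: Packet):
        if p.src.startswith(self.inside_prefix):
            return (p.src, p.sport, p.dst, p.dport), "out"
        return (p.dst, p.dport, p.src, p.sport), "in"

    def check(self, p: Packet) -> str:
        key, direction = self._lookup(p)
        st = self.table.get(key)
        if st is None:
            # No state yet: only an inside-originated bare SYN may create it.
            if direction == "out" and p.flags == frozenset({"SYN"}):
                self.table[key] = {"out": p.seq, "in": None}
                return "allow"
            return "drop"
        last = st[direction]
        # Window check, modulo 2**32 so a wrapped sequence space still passes.
        if last is not None and (p.seq - last) % 2**32 >= WINDOW:
            return "drop"
        st[direction] = p.seq
        if "RST" in p.flags:
            del self.table[key]  # tear down state on reset
        return "allow"
```

Segments that fall behind the last sequence number seen in a direction (retransmissions) are dropped by this minimal check; a real filter tracks both edges of the window, but the point stands that the "inspection" is a table lookup and a bounds check.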