Firewall Wizards mailing list archives

RE: Vulnerability Response (was: BGP TCP RST Attacks)


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 01 Jun 2004 10:38:07 -0400

Ben Nagy wrote:
> > As I said, I think time will tell. :)
> I'm horribly torn here. I completely agree with you, but I just don't see
> any evidence of change. Essentially what you are claiming, when you say that
> "time will tell", is that little green men from the Planet Clue are going to
> invade earth with their rectal clue applicators and drag most of the IT
> industry in the world off to re-education camps.

I didn't say that!!! I didn't even *THINK* that!!

What I think is going to happen is that people are going to
keep spending huge amounts of money on approaches that
don't work. Some, a small number, are going to say, "well, Duh!
and solve the problem." After a while, the folks who are busy
fighting the bug-of-the-week club down in the trenches are
going to say, "hey! look! that guy over there doesn't have this
problem!" and they'll adapt. Or they'll die out or just keep
cheerfully pounding their heads against the wall. But eventually
it will become clear that their approach is loserly.

Remember, loserly behavior is not a function of population
size. Just because lots of people are doing something dumb
doesn't make it any less dumb. It only means that there are
more people doing it.

I *hope* that in 10 years security practitioners will look back
at the days of "the system-wide patching fad" and laugh.

We're a society of fads and "get rich quick" schemes. We'd
rather pay 3X as much for special food that has 1/2 the calories
of normal food - instead of eating 1/2 as much of the normal
food (which actually has real flavor). We'd rather follow a fad
diet that destroys our body with saturated fats than simply
"eat lots. work hard. burn lots of energy."  We're still in the
era of get.rich.quick low-carb Internet security - perhaps it
will be the aliens with their clue probes that get us out of it, but
it's more likely we'll either stay there or wise up.

> > > Take a look at the recent security record of MS RPC endpoints. You
> > > can't turn them off. You can't secure them. Windows will break.
> >
> > Yes. So? YOU ARE INSANE IF YOU ARE RELYING ON WINDOWS FOR
> > INTERNET-FACING CRITICAL SYSTEMS.
>
> Trouble is that it's not just internet facing systems that get owned. This
> idea of crunchy outside chewy centre has GOT to change. It's dead. Didn't
> work. Bye-bye.

I'm not advocating a perimeter-only defense!!! I *NEVER* have.
But it's the first and best place to start. If you don't do something
sensible at the perimeter - or you don't have a perimeter at all -
then all your systems are internet-facing. We've seen how well
*THAT* works, too.

Let me try some different logic on you:
        - Every year there are more internet-facing systems by
                some huge number, as more homes go online
        - Many of those systems rely on endpoint mitigation and
                patching as their sole security
        - Every year, the number of systems compromised keeps
                going up

What does that tell you? That the attackers are getting smarter?
No - they're doing the "same old same old".   That the attackers
are working harder? Maybe, but it's largely automated. So
if you have largely automated attacks succeeding wildly against
systems that are using low-carb security - well.... What do you
conclude?

> > What do you think? If we install JUST ONE MORE PATCH it's
> > gonna be SECURE? Heck, no. The only way to secure this crap
> > is to hold it down and hammer a stake through its heart.
>
> Ah c'mon.

I'm serious.
Back in 1997 (blackhat keynote, you can hear the audio on
http://www.ranum.com/security/computer_security/audio/mjr-blackhat-97.mp3
 - it's a cruddy recording and I was a bit hung over when I did
the talk, but the idea remains. There's one major "bug" in the
talk, and here's the patch:
s/"it would be funny if I wasn't kidding"/"it would be funny if I wasn't serious"/)

Are you trying to tell me that operating systems are holy
writ that cannot be discarded and replaced with something
better? Ever hear of TOPS-10, MULTICS, OS/9, VMS? They
are operating systems that people used to use. O/S' come
and go. Windows is "just a phase" (as my parents used to
say when I wanted to dye my hair weird colors in high
school)  it will pass. Maybe.

> Given that we can't go back to the abacus, we need to work from where we
> are, and it is happening.

Why do we need to work from where we are? Where we are is
not good!!! Working harder on it may not make it better. In fact
the preponderance of evidence is that it's getting WORSE.
Do you want to work harder on a situation where hard work
may be rewarded with worsening results? I'm not being
facetious; I am deadly serious. Trying to fix Windows security
has *ONLY* paid off in the stock prices of security companies
and not improved end user experience or system reliability
one iota.

> I see MS doing GOOD WORK in improving the
> fundamental security core of their OS.

I see MS doing GOOD MARKETING in attempting to
unscrew that which is permanently screwed.

> I nearly passed out when I saw
> support for NX memory

It's a nice kludge. Making the stack grow *up* into memory,
like MULTICS did in ~1965 - around the time I was learning
to walk upright - is a little harder to code that kind of thing in
your kernel if you're smarter than a chimpanzee but it means
you never have buffer overruns.

You've all probably heard the old joke, "if computer programmers
built bridges like they write code, the first rainstorm we had would
collapse civilization" - it's wrong. If computer programmers built
bridges like they write code, they'd start off by re-inventing the I-beam
for each bridge - and they'd never get anything done because
they'd be arguing about the relative merits of whatever strongly-hyped
metal alloy was popular that week (XML? couldn't we use XML for that?)

> no anonymous RPC and host firewall enabled by default
> in a general purpose service pack. They've come a long way from VMS. :)

Yes, they have. VMS was so much better, and the gap is growing
rapidly. :)

> The other option to burning it all and starting again is to "get there from
> here". I say it's possible (eventually). Until that happens, we need
> auxiliary solutions to prop things up.

I think it's time to start grabbing our stakes and hammers
and getting to work!!

> > Well, yeah. If you're using the wrong OS you're an idiot. The
> > fact that there are a lot of idiots out there doesn't make
> > them any less idiotic, either.
>
> This line brings a smile to my face every time I read it.
>
> You're right, of course, but lots of people aren't going to admit it when
> you rub their nose in it like that. I'm writing this on a Windows box - and
> you just told me that your work box is Windows too. I vote that us "idiots"
> deserve security too.

I have fabulous security!!! My machine is isolated so that its
manifest weaknesses don't bother me. I accepted the fact
that I have a dumb O/S and because I am smart guy I
designed around it. I also have terrific backups "just in case" ;)
It's what I mean about understanding your risks and working
around them. The problem is that people don't want to
understand 'em and work around them. They just get as
far as "well, there are risks." and start patching.

> [...]
> > The idea that code needs to be patched frequently and often
> > is predicated on the flawed concept that cruddy code is
> > exposed to untrusted network. That's just dumb.
>
> So this is, again, where we differ in opinion. The desktop - also known as
> Cruddy Code Central - is what is causing the problem. You "old school"
> geniuses have been telling us "newbies" to build super duper amazing transit
> points between networks of different trust levels, which we have been trying
> to do.

NO you haven't!!! You're like the guys who want to eat 3 gallons
of ice cream a day and still lose weight using some fad diet.
Those things many people call "firewalls" are just low-carb
feel-good half-hearted nods toward security. Their policies 
have been set up by committees with marketing people on
them, and their security posture depends more on which business
unit brings in more money than on actually protecting the
network. I mean these darned things allow attachments
through; they allow ActiveX through, they allow IM through,
etc, etc, etc. That's not a firewall. That's a "slow router."
And these "firewalled" networks are full of users who come
and go with laptops that they just plug in wherever they
want whenever they want and are given an IP address and
off they go. Those "mobile users" are on common segments
with mission critical servers and the only "authentication" they
use is the fact that they're physically there. Did I just describe
the typical corporate network? Can you tell me what is
"firewalled" about *THAT*!?!!?    That's not firewalled. That's
low-carb-fat-free-firewalled.

> The trouble is that malware still gets in. Poot. Them dang worms is
> like roaches, I tell ya. Looks 'ifn that there trusted network weren't quite
> so trusted after all...

Peter Neumann likes to make sure people use the words "trusted"
and "trustworthy" properly. :)   That was a trusted network but not
a trustworthy network. :)  oops.

> There comes a point where we have to admit that "the security architecture
> operation was a complete success, but the patient died" is of limited value.

The patient died AND IS STARTING TO SMELL!

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards