Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 14:36:40 -0400

Paul D. Robertson wrote:
> That just gets you uninvited to all the "real meetings" in my experience-
> and I bet you've been not invited to more meetings than I wasn't invited
> to! ;)

Wait... You mean I'm supposed to be *invited* to meetings?? I thought
my job was to find out what was going on and invite myself!  The only
meetings I ever get invited to are the ones that I hold. ;)  At least
my dog and my horse still come when they're called...

> > "*Laugh* You Fscking MORON. If you had half of the IQ
> > of my horse P-nut you'd have had one of your minions
> > draw up a plan for securing wireless *BEFORE* you
>
> Ah, but then we go back to the "make the vendors liable for selling that
> crap."  Neither approach seems to work.

Nope, I'm not at all from the "make vendors liable" school. In
fact, I think that's a terrible idea!! (See:
http://www.ranum.com/security/computer_security/editorials/lawyers
) for opinions on that particular topic. All we'd get if we held
vendors liable is more lawyers. The end effect of inviting lawyers
into security (via HIPAA, SARBOX, etc.) is still undetermined
but right now it looks like it's just a massive financial drain
with very little positive benefit. I still can't think of an industry
that has been submitted to increased regulation which has
gotten more efficient, cheaper, or better.

The problem is that we're assuming free market dynamics
apply to the security market, and they don't. For a free
market to self-correct, you need the mythical "informed
consumer" - which is very rare in security. If I try to sell
you food that is obviously rotten, you can tell by the
smell - but if I try to sell you a firewall that is basically
a pretty user interface over top of some cheese, you
need to dig deeper. And very few "technical" managers
or executives appear willing to do that. Instead they
"outsource" their thinking to industry analysts and
marketing weasels - and are amazed to discover that
they've been lied to. Duh?


> [...cool story...]
> I think it's probably unreasonable[1] to expect the general consumer to
> understand the nuances of 802.11b/g being added to a DSL router that's
> sent to them by their provider, and I think in this case, I'd advocate a
> nice little lawyerfest aimed squarely at said provider.

I wonder if the router's manual said anything about it. I wonder
if the customer read the fine manual. They shouldn't be relieved
of responsibility for understanding what they are doing. If society
relieves the end user of responsibility for what they do with a
tool, we're propagating the ridiculous situation where someone
buys a chainsaw, doesn't use it properly because they didn't
read the directions, sues the manufacturer, and wins.

Keep the lawyers out of it. I think we can probably agree that
both the provider and the customer deserve a spanking.

But that's a different case from a CTO or CIO. Technology
is their JOB. It's what they (supposedly) DO. So if a CTO
initiates a "mission critical" service and it sucks because
the CTO didn't look at security or was stupid enough to
believe the vendor's marketing or bought because some
in-the-vendor's-pocket industry analyst hyped the technology,
then the CTO is not doing their job and should be flipping
burgers or something less technical that's within their
intellectual comfort zone.

> The issue with taking the high road is that the target has to know it's
> the high road.

I don't agree. All that matters is that _you_ know what's
the high road. Put differently: are you suggesting that because
your listener doesn't know what's the right thing to do, you
should immediately compromise?

> I've found taking published events such as the one I've
> pointed out very helpful in building a case for having a road at all, high
> or low.  It turns out that CTOs seem to spend more effort on things they
> can use to ridicule their other CTO buddies at golf games- "Sure, we
> blocked EXE files after that Israeli thing- only someone as bad off as you
> would both end up in a sand trap *and* have a salesweasel infect your
> network" is much more effective than "that firewall guy's laughing at me
> again!"


Isn't the situation pathetic when smart people need to bend
over backwards in order to appease, cajole, manipulate, and
stroke their clueless "superiors"?  What a waste of time and
energy that could be spent on better pursuits!!

You know the old saw about "you can lead a horse to water,
but you can't make him drink?"  It ignores an important fact,
namely: horses will always drink if they need to, and won't if
they don't need to. They're smart like that, unlike most people.

Back a zillion years ago I worked as a systems admin at
Johns Hopkins Hospital in Baltimore. Hospitals were just
starting to be computerized, then, and we were at the
cutting edge of the break-away from mainframe computing
to departmental servers. There were studies going on where
doctors were being exposed to the idea of "clinical
workstations" - access to online information and patient
records - really cutting edge stuff. But many of the senior
doctors refused to touch a computer. Using something
with a keyboard on it was what *secretaries* did, back
in *their* day, not what *doctors* did.  Those guys are all
now dead or retired, or both. Now doctors are all over
info-tech.  The lesson I got from that is that it takes time
for societies to evolve, as cluelessness of one kind is
replaced by cluefulness, which in turn is usually clueless
about something else.

This whole information security thing is eventually going
to filter into everyone's consciousness as relevant, but
only after there's lots of pain. Unfortunately, it's usually
the innocent who bear the brunt of the cost of the great
"learning experience".

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
