Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Thu, 02 Jun 2005 14:36:40 -0400
Paul D. Robertson wrote:
That just gets you uninvited to all the "real meetings" in my experience- and I bet you've been not invited to more meetings than I wasn't invited to! ;)
Wait... You mean I'm supposed to be *invited* to meetings?? I thought my job was to find out what was going on and invite myself! The only meetings I ever get invited to are the ones that I hold. ;) At least my dog and my horse still come when they're called...
"*Laugh* You Fscking MORON. If you had half of the IQ of my horse P-nut you'd have had one of your minions draw up a plan for securing wireless *BEFORE* you
Ah, but then we go back to the "make the vendors liable for selling that crap." Neither approach seems to work.
Nope, I'm not at all from the "make vendors liable" school. In fact, I think that's a terrible idea!! (See http://www.ranum.com/security/computer_security/editorials/lawyers for opinions on that particular topic.) All we'd get if we held vendors liable is more lawyers. The end effect of inviting lawyers into security (via HIPAA, SARBOX, etc.) is still undetermined, but right now it looks like it's just a massive financial drain with very little positive benefit. I still can't think of an industry that has been submitted to increased regulation which has gotten more efficient, cheaper, or better. The problem is that we're assuming free market dynamics apply to the security market, and they don't. For a free market to self-correct, you need the mythical "informed consumer" - which is very rare in security. If I try to sell you food that is obviously rotten, you can tell by the smell - but if I try to sell you a firewall that is basically a pretty user interface over top of some cheese, you need to dig deeper. And very few "technical" managers or executives appear willing to do that. Instead they "outsource" their thinking to industry analysts and marketing weasels - and are amazed to discover that they've been lied to. Duh?
[...cool story...]
I think it's probably unreasonable[1] to expect the general consumer to understand the nuances of 802.11b/g being added to a DSL router that's sent to them by their provider, and I think in this case, I'd advocate a nice little lawyerfest aimed squarely at said provider.
I wonder if the router's manual said anything about it. I wonder if the customer read the fine manual. They shouldn't be relieved of responsibility for understanding what they are doing. If society relieves the end user of responsibility for what they do with a tool, we're propagating the ridiculous situation where someone buys a chainsaw, doesn't use it properly because they didn't read the directions, sues the manufacturer, and wins. Keep the lawyers out of it. I think we can probably agree that both the provider and the customer deserve a spanking. But that's a different case from a CTO or CIO. Technology is their JOB. It's what they (supposedly) DO. So if a CTO initiates a "mission critical" service and it sucks because the CTO didn't look at security or was stupid enough to believe the vendor's marketing or bought because some in-the-vendor's-pocket industry analyst hyped the technology, then the CTO is not doing their job and should be flipping burgers or something less technical that's within their intellectual comfort zone.
The issue with taking the high road is that the target has to know it's the high road.
I don't agree. All that matters is that _you_ know what's the high road. Put differently: are you suggesting that because your listener doesn't know what's the right thing to do, you should immediately compromise?
I've found taking published events such as the one I've pointed out very helpful in building a case for having a road at all, high or low. It turns out that CTOs seem to spend more effort on things they can use to ridicule their other CTO buddies at golf games- "Sure, we blocked EXE files after that Israeli thing- only someone as bad off as you would both end up in a sand trap *and* have a salesweasel infect your network" is much more effective than "that firewall guy's laughing at me again!"
Isn't the situation pathetic when smart people need to bend over backwards in order to appease, cajole, manipulate, and stroke their clueless "superiors"? What a waste of time and energy that could be spent on better pursuits!! You know the old saw about "you can lead a horse to water, but you can't make him drink"? It ignores an important fact, namely: horses will always drink if they need to, and won't if they don't need to. They're smart like that, unlike most people.
Back a zillion years ago I worked as a systems admin at Johns Hopkins Hospital in Baltimore. Hospitals were just starting to be computerized, then, and we were at the cutting edge of the break-away from mainframe computing to departmental servers. There were studies going on where doctors were being exposed to the idea of "clinical workstations" - access to online information and patient records - really cutting edge stuff. But many of the senior doctors refused to touch a computer. Using something with a keyboard on it was what *secretaries* did, back in *their* day, not what *doctors* did. Those guys are all now dead or retired, or both. Now doctors are all over info-tech.
The lesson I got from that is that it takes time for societies to evolve, as cluelessness of one kind is replaced by cluefulness, which in turn is usually clueless about something else. This whole information security thing is eventually going to filter into everyone's consciousness as relevant, but only after there's lots of pain. Unfortunately, it's usually the innocent who bear the brunt of the cost of the great "learning experience".
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards