Firewall Wizards mailing list archives

Re: Ok, so now we have a firewall, we're safe, right?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 31 May 2005 20:09:28 -0400 (EDT)

On Tue, 31 May 2005, Marcus J. Ranum wrote:

> Paul D. Robertson wrote:
> > But you almost have to use the events to sell your approach.  Done well,
> > that's how you get buy-in for a security program

> No, I think we need to start taking the high road. Security

That just gets you uninvited to all the "real meetings" in my experience-
and I bet you've been not invited to more meetings than I wasn't invited
to! ;)

> practitioners have been too busy arguing about the color
> locks on the barn doors* and trying to argue from a position
> of weakness. It's stupid. It's not working. We need to just
> be telling these CTOs:
> "*Laugh* You Fscking MORON. If you had half of the IQ
> of my horse P-nut you'd have had one of your minions
> draw up a plan for securing wireless *BEFORE* you

Ah, but then we go back to the "make the vendors liable for selling that
crap."  Neither approach seems to work.

I was talking to a friend today who related a recent tale of a happy
homemaker who got an unscheduled visit from a group of folks wearing
badges and waving guns at 6am one morning.

The new guests asked the resident (who was probably shocked to get so many
visitors so early, and who wasn't prepared for company) if they had
wireless access and got "No!  Never used it!" as an answer.

Turns out that the resident's telco gave them a wireless/wired DSL router
when they were provided with DSL service.  They plugged their computer in
to the wired port, DSL worked and they were happy until 6am a few days
ago.  Suddenly their satisfaction with DSL dropped.

Now, this person obviously wasn't that technically savvy, and didn't
realize that someone else was using their DSL connection to do Very Bad
Things.  Probably they were a CTO or Salesweasel.

I think it's probably unreasonable[1] to expect the general consumer to
understand the nuances of 802.11b/g being added to a DSL router that's
sent to them by their provider, and I think in this case, I'd advocate a
nice little lawyerfest aimed squarely at said provider.

Now there's a difference between intentionally fielding wireless and
unintentionally fielding it- and between a CTO and not-a-CTO, but the end
result seems to be about the same, and it was time for a story anyway.

> They're sensitive to ridicule and abuse. They're impervious
> to clues.

They tend to think the same of us ;)

The issue with taking the high road is that the target has to know it's
the high road.  I've found taking published events such as the one I've
pointed out very helpful in building a case for having a road at all, high
or low.  It turns out that CTOs seem to spend more effort on things they
can use to ridicule their other CTO buddies at golf games- "Sure, we
blocked EXE files after that Israeli thing- only someone as bad off as you
would both end up in a sand trap *and* have a salesweasel infect your
network" is much more effective than "that firewall guy's laughing at me
again!"


Paul
[1] Though gravely saddened by the general lack of interest in gaining
clue that comes from most of the population, I understand that if they
knew stuff they'd be even MORE dangerous.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
