Firewall Wizards mailing list archives
Mis-attribution - Re: How automate firewall tests
From: Chris Blask <chris () blask org>
Date: Sun, 12 Nov 2006 07:38:37 -0500
Hi folks! Sorry for the re-opening of old threads, but I just noticed that Marcus incorrectly flamed Crispin for my words, and I hate for someone else to be slapped in my stead. I can' t find Crispin's contact info, so someone please forward this to him with my apologies for drawing fire in his direction. At 09:29 AM 8/28/2006, Marcus J. Ranum wrote:
Crispin Cowan wrote: [CORRECTION - should be: "Chris Blask wrote:"]Problem is, I don't believe in positive security models in the real worldThat's OK. It doesn't matter whether you do or not. You can choose to go around not believing in the laws of physics, either. But that doesn't change the fact that "the bigger they come, the harder they hit."
The "laws of physics" analogy is more aptly applied to the "positive security is the only answer" position, imho. There is no doubt that, given infinite resources, a perfect security implementation could be created. There is also no doubt that, given infinite resources, a mouse's droppings could be accelerated past the speed of light - it's just that the energy resources needed exceed the energy content of the universe itself, so it's rather impractical. This is the same set of arguments as "a perfect space shuttle cannot be built, therefore man should abandon space flight" thread. The fact that the Internet exists despite its imperfections - and in existing it serves a myriad of positive purposes - is identical to the fact that humans continue to explore space despite two shuttle-loads of dead astronauts and wrecked hardware littering the surface of Mars. Unless and until the financial resources can be harnessed to pay the salaries of the hardware and software engineers necessary to build - from the ground up - a network whose components are *all* founded on security as the primary function, there will be no single implementation of an information system that truly satisfies the positive security model.
The state of the industry today is a direct result of the fact that a lot of you don't "believe" in a positive security model, or "believe" that security is something that can be negotiated as part of some mysterious balancing act between "business needs" and "security requirements." What people don't get is that the hackers don't give a rat's ass about where you choose to establish your balance between fantasy and reality: all they need is one hole and your balance is yesterday's fine dream and today's front page news.
True enough. I suppose the difference being debated here is whether it is worth doing anything at all, ever, or conversely whether we should all throw our hands up and stomp of in righteously pompous indignation. I can say for certain that every security product I have been involved with - which therefore includes the security deployed on more than half of all networks in the world - would simply not exist if the costs involved had included the necessity of designing every single component to the utmost security conceivable before shipping a single unit. There could have been no use of Intel ethernet chips, no re-use of any pre-existing code, no use of existing printed circuit boards - and every device would have to cost more than the net-worth of most customers' company and none would ever have been deployed except at a few elite government or mega-corporation sites.
For the last 15 years we've been presented with a constant litany of important agencies, sites, and systems that have been hacked into because people don't believe that doing security right is practical. I'm OK with that (it's not my problem!)(*) but I get really disgusted when people publicly announce: "I BELIEVE THE EARTH IS FLAT AND WILL CONTINUE TO KEEP TRYING TO KEEP IT THAT WAY."
Sorry, I'm not sure which side you are arguing on. Is the above shouted quote supposed to be my position, or conversely is it the "no security can be deployed unless it costs $1,000,000 per site" argument?
C'mon, ["CHRIS" - Corrected 12/11/2006 - cb] - if you don't believe in positive security models what's your alternative? "Kludge stuff forever"? That's working just great. "User education"? Fantastic. Stellar. "Risk management"? The hackers love risk management. It's one thing to say you don't believe but it's a hard position to hold when the stuff you DO appear to believe in has obviously failed to work.
The Internet doesn't exist, then? Every network connected to it is compromised every second of every day? Hackers have caused the complete and irrecoverable collapse of all businesses, educational activities, "grandmothers' knitting" email list...? Did I miss the news? Yes, in fact, the current approach that is being used on the Internet is "working just great". If you want to join forces with Microsoft and build the perfect "Information Superhighway" before deploying a single connection, you are welcome to (well, you actually have to talk them back into that approach, since they gave up a decade ago). In the meantime, us poor idiots including the entire readership of this list will just keep failing in everything we do because we are too stupid to realize that every single action we take is misguided and useless and that our ill-conceived networks only *appear* to be running seven days a week.
(* Well, it is, really. I mean, as a veteran, I know now that the VA nicely published my personal information because of "practical" "business needs" etc etc etc)
Since I don't believe that I can exist in the real world without interacting with it, I'll save the hackers the energy and include my personal information below. Now that that is out of the way, I can focus on the hopeless pursuit of increasing the security of others from where it happens to be right now in the real world to where I would like it to be. -chris Chris Blask Founder and CEO Lofty Perch Inc If you want to live in a world in which the computer is a panacea rather than a plague, there are a few crucial things that must be done. Do not leave the responsibility for the social impact of computer applications in the hands of technicians. Insist on individual, government, and corporate responsibility and liability for the computer's effect on people. Recognize the computer as an inanimate tool with enormous potential for either good or evil, the choice of which is in the hands of men and women, not inanimate systems. Our government is designed so that you are neither dependent on the excellence of your leaders nor vulnerable to their failings; so too should you be free of the men and women who make and run your computers. - Stanley Rothman & Charles Mosmann: Computers and Society, 1976 1231 King Street West Toronto, Ontario, Canada M6G 1K3 Cell - +1 416 358 9885 Home - +1 705 766 1391 chris () loftyperch com _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 12)
- Message not available
- Re: Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 13)
- Message not available
- Re: Mis-attribution - Re: How automate firewall tests Paul Melson (Nov 13)
- Re: Mis-attribution - Re: How automate firewall tests R. DuFresne (Nov 13)
- Re: Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 13)
- Re: Mis-attribution - Re: How automate firewall tests R. DuFresne (Nov 15)
- Re: Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 15)
- Re: Mis-attribution - Re: How automate firewall tests Crispin Cowan (Nov 17)
- Re: Mis-attribution - Re: How automate firewall tests Brian Loe (Nov 18)
- Re: Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 18)
- Re: Mis-attribution - Re: How automate firewall tests Chris Blask (Nov 13)