Mis-attribution - Re: How automate firewall tests

[Chris Blask <chris () blask org>]

Hi folks!

Sorry for the re-opening of old threads, but I just noticed that 
Marcus incorrectly flamed Crispin for my words, and I hate for 
someone else to be slapped in my stead.  I can' t find Crispin's 
contact info, so someone please forward this to him with my apologies 
for drawing fire in his direction.

At 09:29 AM 8/28/2006, Marcus J. Ranum wrote:
> Crispin Cowan wrote:  [CORRECTION - should be: "Chris Blask wrote:"]
> > Problem is, I don't believe in positive security models in the real world
>
> That's OK. It doesn't matter whether you do or not. You can choose to
> go around not believing in the laws of physics, either. But that doesn't
> change the fact that "the bigger they come, the harder they hit."

The "laws of physics" analogy is more aptly applied to the "positive 
security is the only answer" position, imho.

There is no doubt that, given infinite resources, a perfect security 
implementation could be created.  There is also no doubt that, given 
infinite resources, a mouse's droppings could be accelerated past the 
speed of light - it's just that the energy resources needed exceed 
the energy content of the universe itself, so it's rather impractical.

This is the same set of arguments as "a perfect space shuttle cannot 
be built, therefore man should abandon space flight" thread.  The 
fact that the Internet exists despite its imperfections - and in 
existing it serves a myriad of positive purposes - is identical to 
the fact that humans continue to explore space despite two 
shuttle-loads of dead astronauts and wrecked hardware littering the 
surface of Mars.  Unless and until the financial resources can be 
harnessed to pay the salaries of the hardware and software engineers 
necessary to build - from the ground up - a network whose components 
are *all* founded on security as the primary function, there will be 
no single implementation of an information system that truly 
satisfies the positive security model.

> The state of the industry today is a direct result of the fact that a lot of
> you don't "believe" in a positive security model, or "believe" that security
> is something that can be negotiated as part of some mysterious balancing
> act between "business needs" and "security requirements."  What people
> don't get is that the hackers don't give a rat's ass about where you choose
> to establish your balance between fantasy and reality: all they need is one
> hole and your balance is yesterday's fine dream and today's front page
> news.

True enough.  I suppose the difference being debated here is whether 
it is worth doing anything at all, ever, or conversely whether we 
should all throw our hands up and stomp of in righteously pompous indignation.

I can say for certain that every security product I have been 
involved with - which therefore includes the security deployed on 
more than half of all networks in the world - would simply not exist 
if the costs involved had included the necessity of designing every 
single component to the utmost security conceivable before shipping a 
single unit.  There could have been no use of Intel ethernet chips, 
no re-use of any pre-existing code, no use of existing printed 
circuit boards - and every device would have to cost more than the 
net-worth of most customers' company and none would ever have been 
deployed except at a few elite government or mega-corporation sites.

> For the last 15 years we've been presented with a constant litany of
> important agencies, sites, and systems that have been hacked into
> because people don't believe that doing security right is practical. I'm
> OK with that (it's not my problem!)(*) but I get really disgusted when
> people publicly announce:
> "I BELIEVE THE EARTH IS FLAT AND WILL CONTINUE TO KEEP
> TRYING TO KEEP IT THAT WAY."

Sorry, I'm not sure which side you are arguing on.  Is the above 
shouted quote supposed to be my position, or conversely is it the "no 
security can be deployed unless it costs $1,000,000 per site" argument?

> C'mon, ["CHRIS" - Corrected 12/11/2006 - cb] - if you don't believe 
> in positive security models what's
> your alternative? "Kludge stuff forever"? That's working just great.
> "User education"? Fantastic. Stellar. "Risk management"? The
> hackers love risk management. It's one thing to say you don't believe
> but it's a hard position to hold when the stuff you DO appear to believe
> in has obviously failed to work.

The Internet doesn't exist, then?  Every network connected to it is 
compromised every second of every day?  Hackers have caused the 
complete and irrecoverable collapse of all businesses, educational 
activities, "grandmothers' knitting" email list...?  Did I miss the news?

Yes, in fact, the current approach that is being used on the Internet 
is "working just great".  If you want to join forces with Microsoft 
and build the perfect "Information Superhighway" before deploying a 
single connection, you are welcome to (well, you actually have to 
talk them back into that approach, since they gave up a decade 
ago).  In the meantime, us poor idiots including the entire 
readership of this list will just keep failing in everything we do 
because we are too stupid to realize that every single action we take 
is misguided and useless and that our ill-conceived networks only 
*appear* to be running seven days a week.

> (* Well, it is, really. I mean, as a veteran, I know now that the VA
> nicely published my personal information because of "practical"
> "business needs" etc etc etc)

Since I don't believe that I can exist in the real world without 
interacting with it, I'll save the hackers the energy and include my 
personal information below.  Now that that is out of the way, I can 
focus on the hopeless pursuit of increasing the security of others 
from where it happens to be right now in the real world to where I 
would like it to be.

-chris


Chris Blask
Founder and CEO
Lofty Perch Inc

If you want to live in a world in which the computer is a panacea 
rather than a plague, there are a few crucial things that must be 
done. Do not leave the responsibility for the social impact of 
computer applications in the hands of technicians. Insist on 
individual, government, and corporate responsibility and liability 
for the computer's effect on people. Recognize the computer as an 
inanimate tool with enormous potential for either good or evil, the 
choice of which is in the hands of men and women, not inanimate systems.

Our government is designed so that you are neither dependent on the 
excellence of your leaders nor vulnerable to their failings; so too 
should you be free of the men and women who make and run your computers.

  - Stanley Rothman & Charles Mosmann: Computers and Society, 1976

1231 King Street West
Toronto, Ontario, Canada
M6G 1K3
Cell - +1 416 358 9885
Home - +1 705 766 1391


chris () loftyperch com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards