more on Chinese hackers

[David Farber <dave () farber net>]

Begin forwarded message:

From: Marc <marcaniballi () hotmail com>
Date: November 27, 2005 4:41:54 PM EST
To: "'David Wagner'" <daw () cs berkeley edu>
Cc: wilsonrj () cogeco ca, dave () farber net
Subject: RE: [IP] more on Chinese hackers

Hello David;

I pretty much agree with your concepts, with the exception that I  
never said
"all systems are equally insecure." What I said was that all man-made
systems are vulnerable to man. The measure of vulnerability (as is the
measure of risk) is largely arbitrary and based upon historical  
precedent
along with some inductive reasoning and often a bit of financial  
analysis.
The reality of risk in an evolving technological environment is that  
it is
generally present yet specifically unknowable. We can build models to
predict probabilities and impacts, but they can only be built using  
history
and conjecture - there is no way to KNOW what all potential risks  
are, and I
would submit that when it comes to technology, we can't even know  
HALF of
the risks a system faces over the course of a year into the future.  
Whether
a network is internet connected or not does not appreciably affect  
its risk
profile unless you consider the systems to be otherwise naked. The  
assessed
risk profile of an internet connected system is likely different, but  
not
necessarily less secure than a private system.

As any security professional will tell you, the number one cause of  
failure
in any security plan/procedure is people - machines don't make security
errors. So I can only agree that IF a hacker finds information they
shouldn't, then somebody didn't do their job - the real problem then
becomes, WHO didn't do their job? The base commander, the security  
officer,
the security consultant, the software vendor, the hardware vendor, the
telecom provider, the implementation team, the content management  
team . . ?


Of course, it may be that the "guilty parties" involved actually were  
doing
what they were told! One of the more interesting forms of security is to
misdirect your adversary.

Marc

-----Original Message-----
From: David Wagner [mailto:daw () cs berkeley edu]
Sent: Saturday, November 26, 2005 8:51 PM
To: marcaniballi () hotmail com
Cc: wilsonrj () cogeco ca; dave () farber net
Subject: [IP] more on Chinese hackers

In article <4388F42D.1070904 () farber net> you write:
> As everyone knows, there is no lock made that
> cannot be picked. If man made it, man can hack it. So whether these  
> folks
> put their systems on the Internet (with good security and DMZ etc)  
> or on a
> private leased line network (hugely expensive) they are in effect  
> JUST AS
> VULNERABLE. A motivated attacker will find a way in, sooner or  
> later. With
> enough research and effort, they may even know exactly where to go  
> and what
> to look for.

This doesn't follow.  Security is not black-and-white.  When you leap  
from
"no system is perfectly secure" to "all systems are equally  
insecure", you
have made a bogus leap of reasoning.  By this reasoning, there would  
be no
point in ever locking the doors of any building, no matter how critical,
and there would be no point in locking the door on the bank vault.
This reasoningwould suggest we might as well leave them all unlocked all
the time, since no matter what you do you are "JUST AS VULNERABLE",  
right?
Well, that's wrong.  Completely wrong.  Security is about managing  
risks,
and it is often helpful to do your best to reduce or manage the risk,
even if you cannot completely eliminate it.

The military does have rules that prohibit storing their most sensitive
information on Internet-connected computers.  And that is a sensible
precaution.  It doesn't completely eliminate all risk, but it's a good
first step.  If a hacker finds classified information stored on an
Internet-connected computer, odds are that someone wasn't doing their  
job.


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/