Interesting People mailing list archives

NYT article on the (ever-more-sophisticated) bot wars


From: David Farber <dave () farber net>
Date: Thu, 11 Dec 2008 19:12:23 -0500

Gene, you sound more and more frustrated, as I have been, with the progress. I have said for years that it is hard to retrofit security to a system where security was not a fundamental design criterion. Yet we continue to design systems and networks and then try to make them secure.

Dave Farber

Begin forwarded message:

From: "Eugene H. Spafford" <spaf () mac com>
Date: December 11, 2008 6:07:50 PM EST
To: "David P. Reed" <dpreed () reed com>
Cc: dave () farber net, ip <ip () v2 listbox com>
Subject: Re: [IP] Re: NYT article on the (ever-more-sophisticated) bot wars

I'm going to resist the urge for long responses here....

On Dec 10, 2008, at 8:46 AM, David P. Reed wrote:

> Dave - I'd like to ask Spaf, whose opinions on this subject are important, to amplify and to explain what he means in the following paragraphs:
>
> > It's unfortunate that (for "political" reasons) every report on the topic that bubbles up to high levels suggests that if only we coordinate enough and invest enough, we can patch the current steaming pile in some way.
> >
> > No report points out that the people responsible have been told that this can't work but they continue with business as usual. No one reports that we continue to throw good money after bad by buying and deploying the same gunk that got us in this mess.
>
> 1. In particular, what is the "same gunk"?

OSes, overly-permissive email, firewalls, anti-virus that is unable to keep up with the threat, and on and on. Not only are most of these poorly thought out from a security point of view, they are all designed to provide too many generic, permissive services to the widest possible client base. That may be good business but poor security planning. (Then again, selling cigarettes is good business, too.) And much of the security solution space is limited responses to specific threats that continue to prop up the rest of the poorly-designed base.

> 2. I'm not sure who "the people responsible" are. Do you mean the Chief Executive Officers of corporations? The US government has no office in charge of citizen or corporate security. NSA is responsible for DoD security, as far as I can tell. And my local police department is responsible for holding criminals accountable to laws.

CIOs and IT managers at major companies and government agencies. The President's office. Congress. The GAO. OMB. The list goes on. There have been scores of reports, and many experts who have given input, but the system is designed to perpetuate what is in place.

> It would be a great contribution to society were Spaf and others to write down a plan that would help Americans feel safe against intrusions into their lives that are unwanted and unwelcome.

Well, that is outside the expertise of any one person....especially when we start looking at needs of law enforcement and national defense. You are asking for something very large.

The number 1 change we need to make is to understand that issues of security, safety and reliability are not easily measured and deploying the cheapest upfront solution is not consistent with trusted systems. The impact of that would go deep, including into the design of the software we run on our systems. Note that this is true of any security -- airport, computer, home or national security. There is a cost involved, and always residual risk.

We have chosen to standardize on a small set of very complex items because some people think they are cheaper to acquire and maintain....based on experiences gained 15-20 years ago with different platforms. Those estimates also don't bear in mind the costs of security, reliability, and other important factors. But until we change the mindset about up-front cost trumping all else, we can't win.

We have to change the way we educate software designers, and the way we hold companies accountable for flaws in code.

We must do a better job investigating and prosecuting computer crime.

These are not fundamentally big shifts in technology -- we have the technology for many of these issues now. We simply lack the will to apply it.

I'm not going into detail, because I doubt there are many who really want the answers. They want their Windows machines, on-line games, animated WWW apps, iPods and universal connectivity.

I feel like the old monk in some of those kung fu movies where the students come to learn the secrets. The monk tells the students that they will need to give up worldly possessions and study for years to master the art. All but one leave because they are too attached to the world. The one who stays and listens attains enlightenment.
