Information Security News mailing list archives

Re: Cracks in the Firewall


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Apr 2002 02:20:13 -0500 (CDT)

Forwarded from: H C <keydet89 () yahoo com>
Cc: jericho () attrition org, joe.duffy () us pwcglobal com

Jericho,

Well, I think this pretty much establishes that Joe Duffy was not on
the net before 1995 or so.

How so?  The original design of ARPANet was all about sharing and
allowing access to those who participated in the project.  Mr. Duffy's
statement would be in accordance with that historical, though perhaps
anecdotal information.
 
That screams "upper management" and "I have a problem comprehending
a mouse with three buttons" to me.

That's a pretty rough statement.  Have you met Mr. Duffy?  I'm
assuming that since you didn't mention having done so, that you
haven't.

Steph Marr used to be the National Director for the InfoSec Practice
at Predictive Systems...he was based out of Santa Cruz.  Definitely
upper management, but I'm reasonably sure he knows how to use a
three-button mouse.

First, what is "pre-Internet" computing?

Given the media and how they've mangled pretty much anything related
to computing in general, I'd venture to guess that it refers to
pre-GUI web surfing...pre-Berners Lee.

Since the Internet was basically founded/born/created in 1969, that
would put his statement somewhere between "absurd" and "fucking
stupid".

I'd agree...but we don't know if your assumption regarding the
timeline is correct.

I hate to be the one who beats Duffy with a clue-by-four

Did Mr. Duffy write the article in question?  Why not go after the
author of the article?

Wonder if Duffy has installed a copy of NT or Linux lately and
noticed that the security posture screams "bend me over"? I'd guess
not.

I'm with you...I don't think Mr. Duffy's installed anything lately.  
However, given his position and title, I'd have serious concerns if he
had.  He's at the level now where he considers the advice and input of
folks who work for him.
 
Other insights can be gleaned from ISS's inaugural quarterly
report.

I'd love to see the details that went into this study and figures.

Well, the article says "ISS's inaugural quarterly report".  If you
want to see the details, go see them.

There seems to be a lot of leeway here as to what one considers
"attack", how you qualify separate attacks, etc.

Having worked with their products, and having chased ghosts...no one
from tech support could tell me what are the details of the signature
that triggers the "Napster_Long_Command" alert...and dealt with false
positives (Internet Scanner 6.01 and prior would report AutoAdminLogon
alerts if the Registry value was set to 0, signifying that the
functionality did *not* exist) I'd agree that there is a considerable
amount of leeway.  However the only real way to judge the report would
be, as you say, to get the details.  After all, even Jay Heiser
pointed out in his InfoSecurityMag column that the often-quoted
CSI/FBI report "lacks...rigor".
 
All in all, I don't think these statements can easily be made short
of a lot more research.

Agreed.  Given the issues that many of us have seen w/ the ISS
products, can one arbitrarily accept their 'findings'?  After all, if
RealSecure misidentifies alerts (are the signatures open to public
examination??) and issues, what does that say about the report?  
GIGO?
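The AutoAdminLogon false positive mentioned in the reply above (a scanner flagging the setting when the Registry value was "0", i.e. disabled) is a concrete case of a check that looks at the presence of a value instead of its meaning. The following is an added example, not code from the ISN thread or from any ISS product: it parses a constructed .reg-style export of the Winlogon key and reports automatic logon only when AutoAdminLogon is actually "1". The key path and value names (AutoAdminLogon, DefaultUserName, DefaultPassword) are the real Winlogon ones; the two sample exports are constructed for the example.

```python
"""Added example (not from the ISN thread): evaluate AutoAdminLogon the way a
scanner should, so that a value of "0" is reported as disabled rather than as
a finding.  Input is a constructed .reg-style export of the Winlogon key."""
import re

# Real Winlogon key path; the value names below are the documented ones.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample exports, not taken from any real host.
SAMPLE_DISABLED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="Administrator"
'''

SAMPLE_ENABLED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Administrator"
"DefaultPassword"="hunter2"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ lines of the form "Name"="data" are handled, which is all this
    check needs; other value types are ignored.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def autologon_finding(text):
    """Return (enabled, detail) for the Winlogon key in a .reg export.

    Only AutoAdminLogon == "1" counts as enabled.  "0", any other value, or an
    absent value means the feature is off, which is exactly the case the thread
    describes an old scanner mis-reporting as a finding.
    """
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    flag = values.get("AutoAdminLogon")
    if flag != "1":
        return False, f"AutoAdminLogon is {flag!r}: automatic logon disabled"
    user = values.get("DefaultUserName", "<unset>")
    has_pw = "DefaultPassword" in values
    return True, (f"automatic logon enabled for {user}; "
                  f"DefaultPassword {'stored in cleartext' if has_pw else 'not present'}")


if __name__ == "__main__":
    for label, sample in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        enabled, detail = autologon_finding(sample)
        print(f"{label:8s} -> finding={enabled}: {detail}")
```

The point of the design is that the decision is made on the value's data, not on whether the value name exists, so a host where an administrator explicitly set AutoAdminLogon to "0" is not reported; when the setting is genuinely on, the detail also says whether DefaultPassword is present, since that is the part worth acting on.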



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

