Information Security News mailing list archives

Re: Cracks in the Firewall


From: InfoSec News <isn () c4i org>
Date: Wed, 17 Apr 2002 02:27:47 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>
Cc: H C <keydet89 () yahoo com>, joe.duffy () us pwcglobal com

Well, I think this pretty much establishes that Joe
Duffy was not on the net before 1995 or so.

How so?  The original design of ARPANet was all about sharing and
allowing access to those who participated in the project.  Mr.
Duffy's

"The [pre-Internet] computing technologies were designed to keep
people out." - Duffy, from the article

Huh? ARPANet was about sharing and ALLOWING access, you say. Duffy
says it was about "keeping people out". I agree with you, thus my
comment.

First, what is "pre-Internet" computing?

Given the media and how they've mangled pretty much anything related
to computing in general, I'd venture to guess that it refers to
pre-GUI web surfing...pre-Berners Lee.

My point was, operating systems weren't geared for keeping people out
back then, nor are they today.

Since the Internet was basically founded/born/created in 1969,
that would put his statement somewhere between "absurd" and
"fucking stupid".

I'd agree...but we don't know if your assumption regarding the
timeline is correct.

it doesn't matter about MY assumption. doesn't matter WHEN he is
talking about. operating systems have never been designed to keep
people out. look at a default installation of windows, irix, sunos,
linux etc. compare it 10 years ago to today and they are all still
installed with every service known to man open. that isn't "keeping
people out".

Did Mr. Duffy write the article in question?  Why not go after the
author of the article?

i will. i do that in a different forum (errata on attrition)

Wonder if Duffy has installed a copy of NT or Linux lately and
noticed that the security posture screams "bend me over"? I'd
guess not.

I'm with you...I don't think Mr. Duffy's installed anything lately.
However, given his position and title, I'd have serious concerns if
he had.  He's at the level now where he considers the advice and
input of folks who work for him.

that speaks worse then. if PWC tech people are telling him that
default installs of red hat or solaris or irix or NT are done so to
"keep people out", then there should be serious concerns at all levels
about their consultants.

I'd love to see the details that went into this
study and figures.

Well, the article says "ISS's inaugural quarterly report".  If you
want to see the details, go see them.

they don't release the details. they release the final glossy report.

There seems to be a lot of leeway here as to what
one considers "attack", how you qualify separate
attacks, etc.

Having worked with their products, and having chased ghosts...no one
from tech support could tell me what are the details of the
signature that triggers the "Napster_Long_Command" alert...and dealt
with false positives (Internet Scanner 6.01 and prior would report
AutoAdminLogon alerts if the Registry value was set to 0, signifying
that the functionality did *not* exist) I'd agree that there is a
considerable amount of leeway.  However the only real way to judge
the report would be, as you say, to get the details.  After all,
even Jay Heiser pointed out in his InfoSecurityMag column that the
often-quoted CSI/FBI report "lacks...rigor".

Something I have been saying for years, specifically about the CSI/FBI
report. Unfortunately, years later someone finally voiced my same
concerns and got it heard by a wider audience.

http://www.attrition.org/errata/stats.html

That was the first page I dedicated to questionable stats, and you
will notice halfway down the CSI/FBI stats.

All in all, I don't think these statements can
easily be made short of a lot more research.

Agreed.  Given the issues that many of us have seen w/ the ISS
products, can one arbitrarily accept their 'findings'?  After all,
if RealSecure misidentifies alerts (are the signatures open to
public examination??) and issues, what does that say about the
report?  GIGO?

exactly.
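The AutoAdminLogon false positive mentioned above (a scanner alerting on the value even when it was set to 0, i.e. the feature was off) is a good illustration of why signature details matter. The following is an added example, not code from the thread or from ISS: it parses a Regedit export and alerts only when AutoAdminLogon is actually "1", comparing that against the naive presence-only check. The registry key path and the "1" semantics are standard Windows behaviour; the two .reg exports embedded below are constructed for the example, not captured from any real host.

```python
# Added example (not from the thread or from ISS): reading AutoAdminLogon from a
# Windows Registry export and alerting only when the feature is really enabled.
import re

# Winlogon key that holds AutoAdminLogon; Windows treats the REG_SZ data "1" as
# enabled and anything else (including "0" or absence) as disabled.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg_export(text):
    """Parse a minimal .reg (Regedit export) into {key_path: {value_name: data}}.

    REG_SZ data ("...") is unquoted and unescaped; other encodings (dword:, hex:)
    are kept as the raw text after '='.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys

def naive_presence_check(keys):
    """The behaviour the thread complains about: alert whenever the value exists,
    even when its data is "0" (feature turned off)."""
    return "AutoAdminLogon" in keys.get(WINLOGON_KEY, {})

def autoadminlogon_enabled(keys):
    """Correct check: only the exact string "1" enables automatic logon."""
    return keys.get(WINLOGON_KEY, {}).get("AutoAdminLogon", "").strip() == "1"

def assess(text):
    """Return a finding dict for one export: whether autologon is on and whether a
    clear-text DefaultPassword accompanies it (the actual exposure)."""
    keys = parse_reg_export(text)
    winlogon = keys.get(WINLOGON_KEY, {})
    enabled = autoadminlogon_enabled(keys)
    return {
        "enabled": enabled,
        "password_stored": enabled and bool(winlogon.get("DefaultPassword")),
        "naive_would_alert": naive_presence_check(keys),
    }

# Constructed sample exports (not captured from any real host).
DISABLED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
"DefaultUserName"="labuser"
'''

ENABLED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="labuser"
"DefaultPassword"="not-a-real-password"
'''

if __name__ == "__main__":
    for label, export in (("disabled", DISABLED_EXPORT), ("enabled", ENABLED_EXPORT)):
        print(label, assess(export))
```

Run stand-alone it prints one finding per export; the disabled host trips the presence-only check but not the value-aware one, which is exactly the discrepancy that produces the false positive described above. A real audit would read the live key with `reg export` or a remote registry call rather than a text file, but the decision logic is the same.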



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
