Vulnerability Development mailing list archives

Re: Lindows Issues


From: Paul McNabb <mcnabb () argus-systems com>
Date: Fri, 19 Jul 2002 15:24:50 -0500 (CDT)

I don't know if this is the case here, but some of the hype could
very well be generated by the media.  We had this problem a year
or two ago when we held a "hacking contest" for a product.  I had
about 2 dozen press interviews, at least, and in *every* one of
them the reporter/interviewer tried to put words into my mouth.
This happened with NPR, CNN, and lots of other major groups, not
just the local radio, TV, and newspapers.  Although I think NPR
was probably the best.

The conversations would go like this:

Interviewer: "So, Mr. McNabb, what you're telling us is that your
product is impregnable."

Me: "No, it just really raises the bar.  No product or system can
ever be made 100% impregnable."

Int.: "So that means that if a company installs your product, they
won't have to worry about hackers ever getting in."

Me: "No, they still need to follow all kinds of proper procedures,
and our product only deals with certain kinds of threats."

Int.: "So this contest that you are running, it will prove that your
system can't be hacked, right?"

Me: "No. Contests don't *prove* anything, and they certainly can't be
counted as part of a product security analysis or testing program.
We are hoping to show that you can use radically different security
architectures and still maintain a high level of security. It's a
way for us to let people know about what we're doing and to open up
the discussion about how systems can and should be protected."

Int.: "Well, there you have it folks.  If this hacking contest goes
as Mr. McNabb hopes, it will have proven that we can finally
guarantee that hackers will be out of business and that his company's
product is invincible."

Then the interviewer's comments would be on the radio or TV or in a
printed or online report (my comments seemed to be edited out enough
so that no one really knew what I said), and I'd get tons of flames
from fellow security people ranting about what an idiot I was.

So anytime I read this stuff now, I always take it with a grain of
salt.  Maybe the guy said it that way, but maybe he didn't...
The media guys are always trying to stretch the story as much as
possible to make it sound as exciting as possible.

Just my take from experience.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Senior Vice President and CTO   1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"

Deputy Director, CARIS
University of Illinois
Center for Advanced Research in Information Security
http://www.caris.uiuc.edu
---------------------------------------------------------

 Date: Fri, 19 Jul 2002 15:20:06 -0400
 From: "Timothy L. Salus" <tsalus () cboss com>
 To: Jonas M Luster <jluster () d-fensive com>
 Cc: vuln-dev () security-focus com
 Subject: Re: Lindows Issues
 
 A simple thing to remember is --- any code has to be decoded to be worth
 anything --- Therefore any code or system can be broken -- Human error
 alone stops systems and applications from being perfect
 
 Jonas M Luster wrote:
 
 > Quoting Rohrer, Mark E (mark.e.rohrer () lmco com):
 >
 > > carried by InfoWorld Daily News on 05/28/2002:  "Executives from Oracle,
 > > Dell and Red Hat are scheduled next week to launch what the companies dubbed
 > > 'Unbreakable Linux' in an invitation they sent out to the press."
 >
 > Any lie, repeated sufficiently often, posted on billboards alongside
 > 101 and told by sufficiently wealthy individuals or corporations will
 > eventually become subjective truth.
 >
 > Oracle has not stopped its "Unbreakable" campaign, even _after_ they
 > were proven wrong in a way I'd describe as humiliating, and people
 > still believe them. Who's to blame RedHat for jumping a bandwagon that
 > sure as heck will help them not only redefine "unbreakable" to
 > something along the lines of "... by a team of ten trained squirrels" but
 > also has shown to effectively change the perception of the masses.
 >
 > "Unbreakable" is a simple statement. In its repetitiveness it is
 > hypnotic, almost subliminal. The power of those campaigns can be seen
 > in past and current industry campaigns, and political approaches.
 >
 > Now, you and I know that neither RedHat, nor Oracle is "unbreakable".
 > And we'd know that one even without having seen the gaping holes in
 > both products - we know it, because we know that there is no such
 > thing as "unbreakable". Oracle knows that, too. But by assuming
 > something that is virtually impossible, Oracle just made the move to
 > greater advertising - what better to claim than something no one else
 > would or could claim (except Microsoft).
 >
 > Yet another unanswered question would be: "How long until their
 > clients find out they've been had?" and "What's gonna happen then?".
 >
 > The answers are most likely "long until never" and "nothing". Oracle's
 > uber-envied idol Microsoft shows us that there is no such thing as
 > losing substantial client base of uncovered lies or a generally false
 > advertising. They also show us that users take a lot of punishment and
 > still return (it's called the "Mick Foley Syndrome", read his books if
 > you don't get the twist :) for more.
 >
 > They'll release it, a week later someone will break it, the press will
 > report it, and yet another week later your ${PHB} will buy site
 > licenses because it's unbreakable. Makes money for Oracle and Red
 > "Five years without a remote clue in the default maintainer" Hat.
 >
 > jonas
 