Firewall Wizards mailing list archives
RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Joseph Steinberg <Joseph () whale-com com>
Date: Tue, 7 Aug 2001 16:31:00 -0400
There are "air bags and seat belts" out there. The various application-level inspection tools (Whale's e-Gap being among them) add the safety you are looking for; you do not need to accept application-level vulnerabilities (in the case of the e-Gap, O/S and network level as well).

As far as "accepting" patching as a part of life -- but is it really being done (the patching)? Code Red proved that many organizations had not installed a simple patch even a month after Microsoft released it and warned sys admins to apply it. Patching introduces all sorts of problems -- problems with patches that interfere with other software, that contain old files, that themselves are vulnerable. (Take a look at MS01-030 -- Microsoft had to patch its patches for its patches...) Because patches can themselves be problematic, organizations need to decide whether to install patches in the production environment and run the risk of system problems, or to test patches in a staging environment before deploying to production -- in which case the production systems remain vulnerable during the testing. Either way, patching, as a solution to software bugs, presents major risks.

There is a cute (and somewhat comical) short presentation about this problem available at: http://www.whalecommunications.com/weekinthelife/weekinthelife_files/frame.htm

As I mentioned in my previous post, we at Whale Communications have come up with a solution to this issue that reduces the urgency of applying most patches. I will not go into a product pitch on this mailing list -- there is more information available on our website www.whalecommunications.com.

Joseph

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Tuesday, August 07, 2001 9:59 AM
To: Darren Reed; Joseph () whale-com com
Cc: rcwash () concentric net; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)

Darren Reed wrote:
> How much does it cost the world to patch these problems up vs the developer to put in place proper testing to find and eliminate these problems before it goes out the door? How can we allow such a critical piece of modern life to be such a pile of rubbish?
Safety technology is _consistently_ one of the last things we apply to any new technology. And we usually apply it only after the lack has been clearly documented, and it's obvious that a high level of damage results from not applying it reasonably consistently.

Take my favorite example: cars. In the 1920's you could purchase a "commercial off the shelf car" that could do 60+MPH with relative ease. Never mind the fact that the roadway infrastructures weren't safe for those speeds (until the 1950's); they didn't come with seat belts. Seatbelts were not mandatory until the 1960's. Shoulder straps didn't come in until the 1970's, and airbags in the 1980s/90s. In the late 1970's Lee Iacocca, the CEO of General Motors, said that they would never put airbags in their cars because customers wouldn't pay for them.

So, for the first 20-30 _years_ of the history of personal automobiles, it must have been _accepted_ and even taken for granted that when you ditched your car at speeds approaching 50MPH you _were_ going to eat that big bakelite steering wheel and you _were_ going to need reconstructive surgery. Bummer that reconstructive surgery hadn't been invented, yet... For some reason this was considered "acceptable."

Today we consider it acceptable that administrators have to manually install patches on a regular basis. Today we consider it acceptable that our operating environments are trivially hackable out of the box. Today we consider it acceptable that Windows crashes once or twice a day if you're trying to do anything tricky like read Email while you're writing a CD or accessing a digital camera.

We're still in the infancy of computers. Darren, you're just ahead of the time. :)

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Adam Shostack (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Darren Reed (Aug 07)
- Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Balazs Scheidler (Aug 11)
- <Possible follow-ups>
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Joseph Steinberg (Aug 07)
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Scott, Richard (Aug 07)
- RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe) Scott, Richard (Aug 10)