Firewall Wizards mailing list archives
Re: The Morris worm to Nimda, how little we've learned or gained
From: "Marcus J. Ranum" <mjr () nfr com>
Date: Thu, 03 Jan 2002 15:44:55 -0500
R. DuFresne wrote:

> And we have not even broached the topic here of vendor responsibility...

There's enough blame that everyone involved can shoulder a ton of guilt. I've been watching the blame in computer security flow in circles for years. The flow looks like this:

- The hackers blame the sysadmins who leave their machines open
- The sysadmins blame the vendors who write buggy insecure code
- The vendors blame the customers who place a premium on features over quality

What's ironic - and what makes the whole problem so intractable - is the fact that they're _all_ right. Everyone has to do a lot less whining and get a lot more serious about fixing their piece of the problem and not pointing out where everyone else is letting them down. That's what it'll take to get the circle-jerk to stop.

I can tell you a few of the indicators that I'm looking for which will indicate that progress is about to be made in security:

1) The first time a company goes public and becomes huge based on the premise that their software is super-high-quality.
2) The first time an operating system ships that doesn't need to have all its software installed with system privileges to function.
3) The first time customers place and enforce a purchase ban on a software product notorious for insecurity and unreliability.
4) The first time that ISPs act together to ban an application from their backbone(s).
5) The first successful class-action lawsuit over software quality encompassing security.

Note that not only do I see no sign of the above happening, I see signs in the industry and community that steps are being taken to _prevent_ some of the above. Most notably #5 and possibly #3.

The sad reality is that safety technology only gets applied once it's obvious that the damage from not applying it is extremely expensive to the entire community. Remember - we didn't have mandatory seatbelts in cars until the 1960's and didn't have mandatory shoulder straps until the 1970's. Air bags didn't come until the 1980's and mandatory _use_ laws are only recently on the books in most states. Internationally, the situation is worse. And people have known for a long time that seat belts save lives...

It's going to take a lot longer to clean this stuff up. Some of us will literally not live to see it - I expect to be dead of old age (at a healthy age, mind you!) before major progress in computer security is widespread.

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com