Firewall Wizards mailing list archives

Re: The Morris worm to Nimda, how little we've learned or gained


From: Rudy_D_Pereda () mail dbf state fl us
Date: Fri, 11 Jan 2002 07:34:40 -0500


Folks, you can continue beating this dead horse, but the fact of the matter
is that people, businesses, government need a catalyst to make them think
differently about things. This thing can be hardening security, flawless
OS/application designs, etc. ... whatever you want it to be.

Case in point, the September 11 attacks on the WTC. As unfortunate and
grotesque an action as that was, that is what it took to get the government
to tell the airlines to pinch their profits and increase security at the
airports (it's better, but don't let it fool you). It also opened up the eyes
of everyone to the reality that we are not protected by an invisible
shield.

Likewise, I think for everyone to take security seriously in the
technological realm of computers, networks, etc., something major will
first have to happen that impacts everyone (internet users, companies,
government) and lingers in their minds for some time. As we all know, time
mends everything and people, for the most part, forget or want to forget
unpleasant happenings.

You can talk about how little we've learned, done, changed from 20 yrs ago,
but you need a major catalyst for everyone to realize the seriousness of
the matter. Remember, when increasing security or adding competent staff
to your techno team get in the way of profits or budgets, everyone will
continue to gamble to the very end hoping that it's not going to happen to
them.

...Rudy.



From: "Paul D. Robertson" <proberts () patriot net>
To: "Marcus J. Ranum" <mjr () nfr com>
cc: "R. DuFresne" <dufresne () sysinfo com>, <firewall-wizards () nfr net>
Sent by: firewall-wizards-admin () nfr com
Subject: Re: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained
Date: 01/03/2002 08:36 PM




On Thu, 3 Jan 2002, Marcus J. Ranum wrote:

> I've been watching the blame in computer security flow in circles for
> years. The flow looks like this:
> - The hackers blame the sysadmins who leave their machines open
> - The sysadmins blame the vendors who write buggy insecure code
>   and don't produce patches quickly enough.
> - The vendors blame the customers who place a premium on features over
>   quality and don't install patches quickly enough.
>
> What's ironic - and what makes the whole problem so intractable is the
> fact that they're _all_ right. Everyone has to do a lot less whining and
> get

It's the Default Deny stance- "By default, I deny that I caused the
problem." ;)

> I can tell you a few of the indicators that I'm looking for which will
> indicate that progress is about to be made in security:
> 1) The first time a company goes public and becomes huge based on the
>    premise that their software is super-high-quality.

That's counter to profit margins unless 3 and possibly 5 happen.

> 2) The first time an operating system ships that doesn't need to have all
>    its software installed with system privileges to function

That's been done- it's too difficult to administer with the level of IT
staff that's currently fielded- heck, it's just too difficult to
administer, period.

> 3) The first time customers place and enforce a purchase ban on a software
>    product notorious for insecurity and unreliability

If that were the case, MS Office wouldn't have survived macro viruses...

> 4) The first time that ISPs act together to ban an application from their
>    backbone(s)

Hell, let's start with them banning some users from their leaves.

> 5) The first successful class-action lawsuit over software quality
>    encompassing security

That'll be the only way we'll get impetus to change in any significant
manner.

> Note that not only do I see no sign of the above happening, I see signs
> in the industry and community that steps are being taken to _prevent_ some
> of the above. Most notably #5 and possibly #3.

People/companies don't really want SECURITY, they just don't want PAIN
from INSECURITY. That's a fundamental issue.

> The sad reality is that safety technology only gets applied once it's
> obvious that the damage from not applying it is extremely expensive to the
> entire community. Remember - we didn't have mandatory seatbelts in cars
> until the 1960's and didn't have mandatory shoulder straps until the 1970's.
> Air bags didn't come until the 1980's and mandatory _use_ laws are only
> recently on the books in most states. Internationally, the situation is
> worse. And people have known for a long time that seat belts save lives...

It's not *just* damage that's an issue (motorcycle helmets are a prime
example), there also needs to be some sort of control structure which can
enforce the greater common good. That tends to mean the evils of
legislature and enforcement.

I think we'll see improvements from evolution, it's just that evolution
takes lifetimes and we could really use some genetic engineering.

Paul
-----------------------------------------------------------------------------

Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards



