Firewall Wizards mailing list archives
Re: The Morris worm to Nimda, how little we've learned or gained
From: Rudy_D_Pereda () mail dbf state fl us
Date: Fri, 11 Jan 2002 07:34:40 -0500
Folks, you can continue beating this dead horse, but the fact of the matter is that people, businesses, and government need a catalyst to make them think differently about things. This thing can be hardening security, flawless OS/application designs, etc.... whatever you want it to be. Case in point, the September 11 attacks on the WTC. As unfortunate and grotesque an action as that was, that is what it took to get the government to tell the airlines to pinch their profits and increase security at the airports (it's better, but don't let it fool you). It also opened up the eyes of everyone to the reality that we are not protected by an invisible shield. Likewise, I think for everyone to take security seriously in the technological realm of computers, networks, etc... something major will first have to happen that impacts everyone (internet users, companies, government) and lingers in their minds for some time. As we all know, time mends everything and people, for the most part, forget or want to forget unpleasant happenings. You can talk about how little we've learned, done, or changed from 20 yrs ago, but you need a major catalyst for everyone to realize the seriousness of the matter. Remember, when increasing security or adding competent staff to your techno team gets in the way of profits or budgets, everyone will continue to gamble to the very end hoping that it's not going to happen to them.

...Rudy.

"Paul D. Robertson" <proberts () patriot net>
Sent by: firewall-wizards-admin () nfr com
01/03/2002 08:36 PM

To: "Marcus J. Ranum" <mjr () nfr com>
cc: "R. DuFresne" <dufresne () sysinfo com>, <firewall-wizards () nfr net>
Subject: Re: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained

On Thu, 3 Jan 2002, Marcus J. Ranum wrote:
> I've been watching the blame in computer security flow in circles for
> years. The flow looks like this:
> - The hackers blame the sysadmins who leave their machines open
> - The sysadmins blame the vendors who write buggy insecure code
>   and not producing patches quickly enough.
> - The vendors blame the customers who place a premium on features over
>   quality and not installing patches quickly enough.
>
> What's ironic - and what makes the whole problem so intractable is the
> fact that they're _all_ right. Everyone has to do a lot less whining and
> get

It's the Default Deny stance- "By default, I deny that I caused the problem." ;)

> I can tell you a few of the indicators that I'm looking for which will
> indicate that progress is about to be made in security:
>
> 1) The first time a company goes public and becomes huge based on the
> premise that their software is super-high-quality.

That's counter to profit margins unless 3 and possibly 5 happen.

> 2) The first time an operating system ships that doesn't need to have
> all its software installed with system privileges to function

That's been done- it's too difficult to administer with the level of IT staff that's currently fielded- heck, it's just too difficult to administer, period.

> 3) The first time customers place and enforce a purchase ban on a
> software product notorious for insecurity and unreliability

If that were the case, MS Office wouldn't have survived macro viruses...

> 4) The first time that ISPs act together to ban an application from
> their backbone(s)

Hell, let's start with them banning some users from their leaves.

> 5) The first successful class-action lawsuit over software quality
> encompassing security

That'll be the only way we'll get impetus to change in any significant manner.

> Note that not only do I see no sign of the above happening, I see signs
> in the industry and community that steps are being taken to _prevent_
> some of the above. Most notably #5 and possibly #3.

People/companies don't really want SECURITY, they just don't want PAIN from INSECURITY. That's a fundamental issue.

> The sad reality is that safety technology only gets applied once it's
> obvious that the damage from not applying it is extremely expensive to
> the entire community. Remember - we didn't have mandatory seatbelts in
> cars until the 1960's and didn't have mandatory shoulder straps until
> the 1970's. Air bags didn't come until the 1980's and mandatory _use_
> laws are only recently on the books in most states. Internationally,
> the situation is worse. And people have known for a long time that seat
> belts save lives...

It's not *just* damage that's an issue (motorcycle helmets are a prime example), there also needs to be some sort of control structure which can enforce the greater common good. That tends to mean the evils of legislature and enforcement. I think we'll see improvements from evolution, it's just that evolution takes lifetimes and we could really use some genetic engineering.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net   which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards