Re: Personal Firewall Day?

["R. DuFresne" <dufresne () sysinfo com>]

On Tue, 7 Oct 2003, Marcus J. Ranum wrote:

> Christopher Hicks wrote:
> > Right on.  But your concept of distributed computing seems to mean "let
> > everybody do what they want with no limits".  Effective distributing
> > computing just doesn't happen that way.
>
> *Bingo* -- effective distributed computing relies on putting the right
> services in the right places. Locating services in an effective
> distributed environment depends on bandwith assumptions,
> reliability assumptions, computation assumptions, and assumptions
> about what parts of the system are relatively disposable. The folks
> at MIT's Athena project did a lot of thinking on this topic and I
> believe their work was a fabulous (ignored) gem of computing.
> Systems like AOL and some of the massively multiplayer games
> approach truly effective distribution. The designers of those systems
> have also discovered another property of such systems that
> probably would scare a lot of you, if you think it through: the
> provider of the backend "owns" the system - the software
> revenue model pushes toward a rental/service model rather
> than an outright purchase as we have under the current
> general purpose computing model. That means you'd never really
> "own" your software environment... If you didn't pay your
> bills your files would no longer be accessible, etc. That would
> doubtless make some people extremely uncomfortable but
> oddly they are comfortable with exactly that model with cable
> TV, cellular, etc. Anyplace where you have an expensive
> backend system that represents a large sunk cost, frontended
> by a commercial appliance that is relatively "disposable" you
> move toward the leased service model.
>
> I don't think we're ready to go there with computing but I
> think that's where we should be going.


Aren;t those corps that have gone the ASP outsourcing route already buying
into the non-ownership model?  I see nothing for them to fear, besides the
catostrophic loss of the ASP provider, or their not being financially
sound enough to pay their own bills.  Still data the content in the
application, key'ed in stuffs, is still 'ownable' and controlable as long
as its not stored at the ASP providers systems...


Not that I'm a proponent of outsourcing to ASP's, I'm kinda neutral at
present.  I would not go there, but, if my employer did, I'd deal with
it...

> > Dictatorships are all bad, but they're the organizational structure with 
> > the lowest overhead.
>
> Minor historical note: NO THEY AREN'T ALL BAD. We've demonized
> the concept of "Dictatorship" but the ancient Greeks used the term
> to mean "government by dictate" - not representation. In theory you
> could have a dictator who really knew what *he was doing and just
> didn't put it to a vote or ask a central committee or whatever. Of
> course most dictatorships have really been unfortunate for those
> living under them, and thus the political system has achieved a
> bad reputation. Dictatorships are probably more successful as a
> political system than any other, as you say, because of the low
> overhead and lack of committees. ;)
>
> > This whole monoculture versus operating system analogy continues to
> > provide me lots of amusement.  The big problem with monocultures as
> > everyone "knows" by now is that having only one genetic strain makes you
> > an easier target.  Avoiding a monoculture only require a very little
> > genetic variation.  Do different passwords qualify?
>
> What bothers me is that it's an *ANALOGY* - we argue by
> analogy so much that we ignore the fact that analogies
> often conceal realities. Monocultures are "bad" in biology
> because your lack of diversity makes you vulnerable to
> unique new infections. But we're talking about computers,
> not animals!! Animals can't transfer immunity the way
> computers do! So the whole analogy folds. How do we

animals can, and indeed do, mother to fetus transfers of anti-bodies and
such, so the analogy perhas holds better then first percieved.  though
admittedly, it;s far easier in the photon realm to do tranference.

> transfer immunity between computers? Firewall rules,
> antivirus signatures, and firewall-wizards. Those are 3 totally
> different ways of rapidly conferring immunity without
> having to encounter the cyberpathogen that computers
> have which biotic organisms totally lack. So the whole
> "monoculture" concept is irrelevant to computer security
> unless we factor the concept into our designs and put
> that on a checkbox and say "solved that."

Hmm, I keep seeing and commenting on other lists, folks stating that the
days of a perimiter are gone.  Now, I will admit that the concept needs
adapting, and our perceptioins of a perimiter have indeed changed, but, we
are still in a perimiter posture, and need to retain that concet at least
at present in defining security and the policies and all that security
posturing entails.  It's more that our perimiters are not as distinct and
tightly controled as they once were...


> > Have these people taken a genetics course in the last twenty
> > years?  ;)
>
> Most of the guys who wrote the "monoculture" paper are
> friends of mine and some of them invited me to participate.
> I didn't because, honestly, I think they're not writing about
> computers and computer security - they're complaining
> about customers' purchasing habits, they're complaining
> about the "monopoly of mediocrity" and they're rooting for
> a non-existent underdog. In other words, that paper was
> a political document masquerading as a technical document.

Of course, perhaps the time has come that 'political postuering' is needed
to clue the masses <mgt being in that masses group>.

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards