Firewall Wizards mailing list archives
Re: How to Save The World (was: Antivirus vendor conspiracy theories)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 12 Dec 2004 19:57:06 -0500
Adam Shostack wrote:
| Isn't this amazing, if you think about it? Enterprise IT managers are
| such freakin' morons that they'd rather pay $50/year/desktop plus

So, I totally agree with what you're saying. But I'm curious: Are they really morons, or is there a better explanation?
Well, obviously they aren't morons. I think that, really, what we are seeing is a massive failure to think critically about certain problems. That is not quite as bad as being a moron (it's curable) but it's kind of like one of those paradigms of ignorance that people sometimes get trapped in. The Cargo Cults come to mind. Basically, it's a feedback loop in which something that isn't working is attempted increasingly aggressively rather than triggering a search for an alternative. Or even an alternative explanation.

If you drink a couple of shots of tequila to clear your mind of preconceptions and really think about this Internet Security stuff, there's a couple of glaringly obvious alternatives that we, as an industry, have chosen to not explore. What is the cost of enumerating viruses and malware and running antivirus software ($19/year/desktop...) versus the cost of telling the system exactly what code you want to allow to run? (Hmmm, let's see - I could define my desktop computer's "allow" list in 3 seconds: Eudora, Opera, Photoshop, Powerpoint, Word, and directory toolkit.) The obvious answer is "default deny" rather than "default permit and block/enumerate all evil." What's missing is the executive logic that looks at _all_ the costs in proportion. So, they're not morons - they just are too short-sighted to look at the whole picture. (But then these are the same !(&#!^$! dipsticks who think it's smart to outsource mission-critical business processes to the lowest bidder. It looks smart if all you look at is the cost.)
Is it easier to get budget for cleanup than prevention? (Ie, are their bosses the morons?)
The bosses of IT management are cut from the same material. But they're probably better golfers. :)

I was talking to a very (_very_) senior government IT manager a few months ago. During the same conversation in which he described how they had spent millions and millions of dollars trying to get a relatively straightforward deployment of a commercial "off the shelf" product to work, he was shocked when I suggested that they could have probably had custom-built software that was faster, better, and less vulnerable to the common problems that plagued the particular COTS code. Obviously, he'd drunk the Kool-Aid. Spending $1.2 million on a database, and then throwing $200,000 at "securing" it - including an infinite maintenance cycle involving patching - rather than spending (at most) $300,000 to just Solve The Problem, own it outright, and never pay maintenance. This guy was not a business school graduate, so obviously the brain damage is not a result of that particular curriculum - but it's got to be coming from someplace. (Their application is a static-coded database that you could probably write a curses app and web-forms atop BSD-db b-trees and hash tables and have a working prototype in a month.) Now, they are going to be blowing $200,000+ annually in "maintenance" to the vendor of this buggy piece of poo - and it's "security not my problem."

This government agency is moving toward a "browser-enabled model" for virtually all their computing. So I asked him if they would consider ditching everyone's desktop machines and replacing them with $100 Playstation-II consoles with USB keyboards and a DVD-rom-bootable (tamper proof!) browser. He looked at me as if my hair had just burst into flames and I had announced that I was The Antichrist.

For a very long time, now, the industry has been moving away from "custom code" based on the premise that software is a commodity and should be treated as such. But that is obviously an inaccurate premise.
If you question the premise that software is a commodity, you need to question all the "facts" that follow from it.

mjr.
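An added illustration of the "enumerate badness" versus "default deny" argument above (example code, not from the post or the list): both policies are run over constructed stand-in "binaries" so the difference in failure mode is visible. The file contents, names and hashes are all made up for the demonstration.

```python
import hashlib

# Constructed stand-ins for executables on a desktop (not real binaries).
SAMPLE_FILES = {
    "eudora.exe": b"EUDORA mail client v6",
    "opera.exe": b"OPERA browser v7",
    "word.exe": b"WORD processor v1",
    "word_v2.exe": b"WORD processor v2",        # legitimate upgrade, not yet approved
    "known_worm.exe": b"WORM payload v1",       # already has a signature
    "new_worm.exe": b"WORM payload v2 (unseen)",  # nobody has written a signature yet
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy 1: default permit, enumerate badness (antivirus-style signature deny-list).
# Only code whose signature has already been collected is blocked; anything else runs.
DENY_SIGNATURES = {sha256(b"WORM payload v1")}


def denylist_decision(data: bytes) -> str:
    return "block" if sha256(data) in DENY_SIGNATURES else "run"


# Policy 2: default deny (an explicit allow-list of the code you actually want to run).
ALLOW_HASHES = {sha256(SAMPLE_FILES[n]) for n in ("eudora.exe", "opera.exe", "word.exe")}


def allowlist_decision(data: bytes) -> str:
    return "run" if sha256(data) in ALLOW_HASHES else "block"


def evaluate(files: dict) -> dict:
    """Return {name: (deny-list verdict, allow-list verdict)} for every sample file."""
    return {name: (denylist_decision(d), allowlist_decision(d)) for name, d in files.items()}


if __name__ == "__main__":
    for name, (deny, allow) in evaluate(SAMPLE_FILES).items():
        print(f"{name:16} deny-list: {deny:5}  allow-list: {allow}")
```

The unseen worm runs under the deny-list and is stopped by the allow-list; the flip side is that the legitimate `word_v2.exe` is also stopped until someone adds its hash, which is the maintenance cost the post asks to be weighed against the per-desktop antivirus fee.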