Firewall Wizards mailing list archives

Re: Botnets, IRC servers and firewalls?


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 06 Feb 2004 20:19:41 -0800



Paul Robertson writes:

> The "worst" thing a home user can do
> is execute a virus or trojan- and the interface presents that in
> essentially the same way as non-active content- that's not really an
> end-user problem.  Take the execute bit off the place where attachments
> normally get saved, and you'd remove a huge percentage of the problems.
> We at some point must come to the place where "breaking" 2% of
> functionality to save 98% of users is worth doing.

I think this is a specific instance of a more general infosec desideratum:
We need to get to the point where we can address problems -in aggregate-
rather than individually.

If we look at this as an endluser problem then our solution is going
to involve (at least in part) things like luser education and training.
Individually, this is not necessarily a large task[0], but:

        -Educating one luser doesn't help educate other lusers[1]
         (This includes the proposition that me educating my lusers
         doesn't help you educate your lusers)
        -Educating -all- lusers is a large task
        -Single lusers crapping out on their training can be as expensive
         as multiple lusers crapping out[2]

The point being that solutions to endluser problems (approached from
the endluser end) don't scale.  The reason why this is particularly
problematic is that bad guy activities tend to scale extremely well.

I've said things to this effect before (possibly on this list), but
I think it bears reiteration:  On any given day, lots of bad guys are
probably working on breaking the latest version of any given application
foo[3].  Even if they aren't all -intentionally- coordinating their efforts,
their common goals (i.e., to compromise foo) create -effective- cooperation.

Unfortunately, the same is not true of the efforts of the good guys[4].  An
adequate discussion of why this is the case is probably beyond the scope
of this mailing list.  Short version:  even if all exploitable bugs
disappeared overnight this would not necessarily lead to an overall
improvement in the effective `security' of the internet.  This, too, is
another contention that deserves careful discussion, but consider:
there were information security problems before anyone was pushing
data over networks---or even doing mechanical computation, for that matter.
This implies that removing all the security-related problems of
the -technology- of a system will not remove all the information security
problems of the system itself.

The punchline?  Solutions to widespread security problems -must-
scale or they are not solutions at all[5].


-spb

-----
0       Mod a nonzero number of lusers in any given population, for which
        the problem is intractable.
1       Mod getting the educational infrastructure in place, incremental
        gains derived from end lusers educating each other, u.s.w.
2       In other words:  in the general case the magnitude of risk is not
        linear with respect to the number of untrained lusers (although 
        it may be in specific cases).  Compare the case of something like
        virus propagation versus something like unintended information
        disclosure (e.g., the shareholder report ends up on Kazaa).
3       And of course there are other sources of effective cooperation
        among bad guys, mostly deriving from other common goals.
4       I.e., by having lots of good guys do code auditing together.  Again,
        there are other ways good guys can cooperate;  the point is that
        they tend not to scale as well as does cooperation among the bad
        guys.
5       If there were a magic ritual that could render a network device
        or host absolutely `secure' (for some arbitrary definition of `secure')
        but which required a trained shaman and a couple weeks of
        preparation to conduct, it would have no perceptible effect on internet
        security in aggregate.
        Evidence:  we -already- have rituals that will eliminate a huge
        portion of known vulnerabilities which take comparatively
        little time (i.e., staying rev on patches) and expertise, and
        virtually nobody (in aggregate) uses them.
        This suggests that approaches to the problem of this form are
        unlikely to be effective.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards