Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 01 Jun 2004 10:38:07 -0400
Ben Nagy wrote:
> > As I said, I think time will tell. :)
>
> I'm horribly torn here. I completely agree with you, but I just don't see any evidence of change. Essentially what you are claiming, when you say that "time will tell", is that little green men from the Planet Clue are going to invade earth with their rectal clue applicators and drag most of the IT industry in the world off to re-education camps.
I didn't say that!!! I didn't even *THINK* that!! What I think is going to happen is that people are going to keep spending huge amounts of money on approaches that don't work. Some, a small number, are going to say, "well, Duh!" and solve the problem. After a while, the folks who are busy fighting the bug-of-the-week club down in the trenches are going to say, "hey! look! that guy over there doesn't have this problem!" and they'll adapt. Or they'll die out or just keep cheerfully pounding their heads against the wall. But eventually it will become clear that their approach is loserly. Remember, loserly behavior is not a function of population size. Just because lots of people are doing something dumb doesn't make it any less dumb. It only means that there are more people doing it.

I *hope* that in 10 years security practitioners will look back at the days of "the system-wide patching fad" and laugh. We're a society of fads and "get rich quick" schemes. We'd rather pay 3X as much for special food that has 1/2 the calories of normal food - instead of eating 1/2 as much of the normal food (which actually has real flavor). We'd rather follow a fad diet that destroys our body with saturated fats than simply "eat lots. work hard. burn lots of energy." We're still in the era of get.rich.quick low-carb Internet security - perhaps it will be the aliens with their clue probes that get us out of it, but it's more likely we'll either stay there or wise up.
> > > Take a look at the recent security record of MS RPC endpoints. You can't turn them off. You can't secure them. Windows will break.
> >
> > Yes. So? YOU ARE INSANE IF YOU ARE RELYING ON WINDOWS FOR INTERNET-FACING CRITICAL SYSTEMS.
>
> Trouble is that it's not just internet facing systems that get owned. This idea of crunchy outside chewy centre has GOT to change. It's dead. Didn't work. Bye-bye.
I'm not advocating a perimeter-only defense!!! I *NEVER* have. But it's the first and best place to start. If you don't do something sensible at the perimeter - or you don't have a perimeter at all - then all your systems are internet-facing. We've seen how well *THAT* works, too. Let me try some different logic on you:

- Every year there are more internet-facing systems by some huge number, as more homes go online
- Many of those systems rely on endpoint mitigation and patching as their sole security
- Every year, the number of systems compromised keeps going up

What does that tell you? That the attackers are getting smarter? No - they're doing the "same old same old". That the attackers are working harder? Maybe, but it's largely automated. So if you have largely automated attacks succeeding wildly against systems that are using low-carb security - well.... What do you conclude?
> > What do you think? If we install JUST ONE MORE PATCH it's gonna be SECURE? Heck, no. The only way to secure this crap is to hold it down and hammer a stake through its heart.
>
> Ah c'mon.
I'm serious. Back in 1997 (blackhat keynote, you can hear the audio on http://www.ranum.com/security/computer_security/audio/mjr-blackhat-97.mp3 - it's a cruddy recording and I was a bit hung over when I did the talk, but the idea remains. There's one major "bug" in the talk, and here's the patch: s/"it would be funny if I wasn't kidding"/"it would be funny if I wasn't serious"/) Are you trying to tell me that operating systems are holy writ that cannot be discarded and replaced with something better? Ever hear of TOPS-10, MULTICS, OS/9, VMS? They are operating systems that people used to use. O/S' come and go. Windows is "just a phase" (as my parents used to say when I wanted to dye my hair weird colors in high school); it will pass. Maybe.
> Given that we can't go back to the abacus, we need to work from where we are, and it is happening.
Why do we need to work from where we are? Where we are is not good!!! Working harder on it may not make it better. In fact the preponderance of evidence is that it's getting WORSE. Do you want to work harder on a situation where hard work may be rewarded with worsening results? I'm not being facetious; I am deadly serious. Trying to fix Windows security has *ONLY* paid off in the stock prices of security companies and not improved end user experience or system reliability one iota.
> I see MS doing GOOD WORK in improving the fundamental security core of their OS.
I see MS doing GOOD MARKETING in attempting to unscrew that which is permanently screwed.
> I nearly passed out when I saw support for NX memory
It's a nice kludge. Making the stack grow *up* in memory, like MULTICS did in ~1965 - around the time I was learning to walk upright. It's a little harder to code that kind of thing in your kernel if you're smarter than a chimpanzee, but it means you never have buffer overruns. You've all probably heard the old joke, "if computer programmers built bridges like they write code, the first rainstorm we had would collapse civilization" - it's wrong. If computer programmers built bridges like they write code, they'd start off by re-inventing the I-beam for each bridge - and they'd never get anything done because they'd be arguing about the relative merits of whatever strongly-hyped metal alloy was popular that week (XML? couldn't we use XML for that?)
> no anonymous RPC and host firewall enabled by default in a general purpose service pack. They've come a long way from VMS. :)
Yes, they have. VMS was so much better, and the gap is growing rapidly. :)
> The other option to burning it all and starting again is to "get there from here". I say it's possible (eventually). Until that happens, we need auxiliary solutions to prop things up.
I think it's time to start grabbing our stakes and hammers and getting to work!!
> > Well, yeah. If you're using the wrong OS you're an idiot. The fact that there are a lot of idiots out there doesn't make them any less idiotic, either.
>
> This line brings a smile to my face every time I read it. You're right, of course, but lots of people aren't going to admit it when you rub their nose in it like that. I'm writing this on a Windows box - and you just told me that your work box is Windows too. I vote that us "idiots" deserve security too.
I have fabulous security!!! My machine is isolated so that its manifest weaknesses don't bother me. I accepted the fact that I have a dumb O/S and because I am smart guy I designed around it. I also have terrific backups "just in case" ;) It's what I mean about understanding your risks and working around them. The problem is that people don't want to understand 'em and work around them. They just get as far as "well, there are risks." and start patching.
> > [...] The idea that code needs to be patched frequently and often is predicated on the flawed concept that cruddy code is exposed to an untrusted network. That's just dumb.
>
> So this is, again, where we differ in opinion. The desktop - also known as Cruddy Code Central - is what is causing the problem. You "old school" geniuses have been telling us "newbies" to build super duper amazing transit points between networks of different trust levels, which we have been trying to do.
NO you haven't!!! You're like the guys who want to eat 3 gallons of ice cream a day and still lose weight using some fad diet. Those things many people call "firewalls" are just low-carb feel-good half-hearted nods toward security. Their policies have been set up by committees with marketing people on them, and their security posture depends more on which business unit brings in more money than on actually protecting the network. I mean these darned things allow attachments through; they allow ActiveX through, they allow IM through, etc, etc, etc. That's not a firewall. That's a "slow router." And these "firewalled" networks are full of users who come and go with laptops that they just plug in wherever they want whenever they want and are given an IP address and off they go. Those "mobile users" are on common segments with mission critical servers and the only "authentication" they use is the fact that they're physically there. Did I just describe the typical corporate network? Can you tell me what is "firewalled" about *THAT*!?!!? That's not firewalled. That's low-carb-fat-free-firewalled.
> The trouble is that malware still gets in. Poot. Them dang worms is like roaches, I tell ya. Looks 'ifn that there trusted network weren't quite so trusted after all...
Peter Neumann likes to make sure people use the words "trusted" and "trustworthy" properly. :) That was a trusted network but not a trustworthy network. :) oops.
> There comes a point where we have to admit that "the security architecture operation was a complete success, but the patient died" is of limited value.
The patient died AND IS STARTING TO SMELL!

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards