funsec mailing list archives

Re: whitehouse cyber strategy review


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 15 Nov 2009 21:06:48 -0500

On Sun, Nov 15, 2009 at 08:09:37AM -0500, Larry Seltzer wrote:
> We're getting off-track here, but your experience is, at best, many
> years out of date.

Maybe.  Or maybe several years ahead.  I suppose we'll see.

Look, I'm *well* aware of the myriad issues involved here, and I am
by no means suggesting that this is a panacea.  There is no panacea.
I'm simply pointing out that Microsoft has proven to my satisfaction
that they're incapable or unwilling to step up, and I see no reason
to continue re-running the experiment over and over again when we
already know what the result will be.

Let's run a different one, so that if/when we fail, we at least
have the novel experience of failing in a different way.

And yes, to Dan's point, I know that even if we start with a solid
base OS but then layer it with PHP and Apache and MySQL and a zillion
other things, that the end result may be swiss cheese.  But (a) I think
we have a fighting chance of at least containing the problem on 'nix
and (b) there are a bazillion desktops that don't need any of that.
Give 'em a base OS, Firefox (with NoScript, AdBlock, TACO, etc.),
Thunderbird and OpenOffice, which at least limits the attack surface
to those applications.  And restrict access to that surface by
judicious use of things like HTTP proxies and SMTP abuse controls.
Again: not a panacea.  But a considerable improvement.  It gives
defenders a fighting chance, whereas today they've got none.


My larger point, though, which may have been lost in my sarcasm, is that
sticking with Windows guarantees failure.  No matter what else is done,
no matter how it's done, the result will be failure.  So even if the
alternatives only offer a 1% chance of success (to randomly pick a
number), those long odds are still preferable to 0%.

To put it another way, the same-old same-old is NOT gonna get it done.
Radical thinking and radical approaches are needed.  If not my suggested
radical approach, fine, then another one, any one.

It can't possibly be any worse.  I mean, the security track record
of the federal sector to date is rated "F" only because there's no
lower grade available, and frankly, that's rather charitable.

But of course that won't happen.  Conceiving it is well beyond the
capabilities of the feeble intellects that make decisions within the
Beltway.  And there's WAY too much money to be made by maintaining the
status quo, modulo a few buzzwords.

And so there will be more of this (courtesy Richard Forno's InfoWarrior
list tonight):

        14 tech firms form cybersecurity alliance for government
        Lockheed Martin, top suppliers launch initiative for government market

Garbage.  Utterly worthless garbage.  I don't even have to read the
details to know this, because I've seen this movie a dozen times and
it always ends the same way:

        "full of sound and fury, signifying...nothing".

But I'm sure it's great for the pigs feeding at the trough.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.