[Moderator: ICSA thread: fin.]

Reply From: David Kennedy CISSP <dmkennedyt_private>

At 02:03 PM 7/5/98 -0500, Brian Macke wrote:

>On Sun, 5 Jul 1998, Dave Kennedy wrote:
>
>> >Can anyone verify this story? It sounds all too hokey to be true. The BIND
..SNIP...
>>
>> I'll verify it, but I don't guess you'll look at me as objective, and
>> that's OK, I'm not. Don't believe it if you don't want to. That works for
>> me just fine 8-)
>
>You're right, I won't consider you objective - no one truly ever is. But
>if you have proof, I'll listen. I'm seriously not prejudicial towards
>ICSA, I just am extremely skeptical of what they put out as doctrine. I
>think I'm rather justified in my skepticism when two ICSA certified
>'firewalls' have proven to me to be worse than a direct connection or
>homebrew 'firewall'.
>

We frequently put out that a certified product, badly installed or
maintained, can be worse than no product at all because it leads to a false
sense of security. Indeed, ICSA's latest "product" is "TruSecure", where one
of the things that gets evaluated is whether the fw is installed and
maintained properly. I'm not a huge fan of this product, but one of its
purposes is to check and see if a fw is providing intended protection or
not.

>(Those are PIX and WatchGuard, BTW. I still stand by my statement that I
>wouldn't put a WG box on my network, much less use it as a monitor stand.
>I actually tried using it as a monitor stand this last week - the thing
>sags in the middle under the weight.)

I've got NDAs in the way here, but you might be surprised to know some of
the high profile sites that use PIX and WGs as part of a defense in depth.
IMHO, both are very good as one layer of a defense in depth. Standalone use
depends on the risk tolerance of the customer, but I wouldn't expect one of
these to stand by itself in front of www.whitehouse.gov.

>> >Before or after they front the $20,000 blood money for ICSA?
>
>(That was a jab at firewall certification... I think you missed it. I
>agree it was kind of subtle.)

I missed it because what we're taking hits for lately is this TruSecure
deal, which starts out at $40K, and I thought you just missed the number.

>
>> >Love the Scooby Doo ending. Wish all Security incidents ended with a
>> >punchline.
>>
>> We're so glad you enjoyed it.
>
>It was more of an indictment of journalists covering these kinds of
>stories (unless the crew at ICSA thought this one up... it doesn't sound
>like it, though). When you write a technical article in a non-technical
>circular (hackers in Forbes, for example), you need a 'Scooby-Doo'
>punchline to make the reader feel good about what they just read...
>something they can relate to. While that's all well and good for Mr. Joe
>Banker in Northampton, Mass. - it's ingratiating to those in the field.
>It's very difficult to describe my job to 'normal folks', and it gets even
>more so when people read articles like this with happy endings. Real
>security is gritty, ugly, and painful - surrounded by people that want to
>make my company a trophy, and managers that don't think it's that big of a
>deal. I'm not alone in this - most everyone I rub elbows with in the field
>agrees.
>
>So label me bitter if you'd like, it won't be the first time.

Neither J3 nor I went trolling for this article. We generally try to avoid
the publicity. It's very much like when I was running undercover
investigations; you don't advertise. But somebody with a bigger paycheck
decided we'd do this. Actually, it's the second one since I've been with
ICSA (née NCSA). And I wholeheartedly agree it's tough to get
middle-of-the-road journalists to get it right. I've been jousting with a
pack of 'em for a month now over my criticism of the pseudo-scientific
articles on the "Blitzkrieg Server" from FutureVision Group. They dearly
want a quote like, "This thing is a complete fraud." Unfortunately, no one
has actually seen the technology to have any degree of certainty that's so.
All of the articles about it are horrendously bad technobabble, but is that
the fault of the company or the journalists? FVG's point man has nine
patents for neural networking from when he was with GTE, so he's not a
complete babe-in-the-woods. But it's impossible to get a journalist to see
it objectively. They either want it to be "revolutionary" or "fraudulent";
there doesn't seem to be any middle ground and no critical thinking on
their part at all.

All in all though, the Forbes article is pretty close. I wasn't there when
the journalist made the interview, and there was only one part of the
article that I didn't have first hand knowledge of.

Regards,
Dave Kennedy CISSP
International Computer Security Assoc
http://www.ncsa.com
Protect what you connect.
Look both ways before crossing the Net.

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:58 PDT