Re: [ISN] ICSA employes an undercover hacker spy.

From: mea culpa (jerichot_private)
Date: Sun Jul 05 1998 - 22:24:07 PDT

  • Next message: mea culpa: "Re: [ISN] ICSA employes an undercover hacker spy."

    [Moderator: ICSA thread: fin.]
    Reply From: David Kennedy CISSP <dmkennedyt_private>
    At 02:03 PM 7/5/98 -0500, Brian Macke wrote:
    >On Sun, 5 Jul 1998, Dave Kennedy wrote:
    >> >Can anyone verify this story? It sounds all too hokey to be true. The BIND
    >> I'll verify it, but I don't guess you'll look at me as objective, and
    >> that's OK, I'm not.  Don't believe it if you don't want to.  That works for
    >> me just fine 8-)
    >You're right, I won't consider you objective - no one truly ever is. But
    >if you have proof, I'll listen. I'm seriously not prejudicial towards
    >ICSA, I just am extremely skepitcal of what they put out as doctrine. I
    >think I'm rather justified in my skepticism when two ICSA certified
    >'firewalls' have proven to me to be worse than a direct connection or
    >homebrew 'firewall'.
    We frequently put out that a certified product, badly installed or
    maintained can be worse than no product at all because it leads to a false
    sense of security.  Indeed, ICSA's latest "product" is "TruSecure" where
    one of the things that gets evaluated is whether the fw is installed and
    maintained properly.  I'm not a huge fan of this product, but one of it's
    purposes is to check and see if a fw is providing intended protection or not.
    >(Those are PIX and WatchGuard, BTW. I still stand by my statement that I
    >wouldn't put a WG box on my network, much less use it as a monitor stand.
    >I actually tried using it as a monitor stand this last week - the thing
    >sags in the middle under the weight.)
    I've got NDA's in the way here, but you might be surprised to know some of
    the high profile sites that use PIX and WG's as part of a defense in depth.
    IMHO, both are very good as one layer of a defense in depth.  Standalone
    use depends on the risk tolerance of the customer, but I wouldn't expect
    one of these to stand by itself in front of
    >> >Before or after they front the $20,000 blood money for ICSA?
    >(That was a jab at firewall certification... I think you missed it. I
    >agree it was kind of subtle.)
    I missed it because what we're taking hits for lately is this TruSecure
    deal which starts out at $40K, and I thought you just missed the number.
    >> >Love the Scooby Doo ending. Wish all Security incidents ended with a
    >> >punchline.
    >> We're so glad you enjoyed it.
    >It was more of an indictment of journalists covering these kinds of
    >stories (unless the crew at ICSA thought this one up... it doesn't sound
    >like it, though). When you write a technical article in a non-technical
    >circular, (hackers in Forbes, for example), you need a 'Scooby-Doo'
    >punchline to make the reader feel good about what they just read...
    >something they can relate to. While that's all well and good for Mr. Joe
    >Banker in Northampton, Mass. - it's ingratiating to those in the field.
    >It's very difficult to describe my job to 'normal folks', and it gets even
    >moreso when people read articles like this with happy endings. Real
    >security is gritty, ugly, and painful - surrounded by people that want to
    >make my company a trophy, and managers that don't think it's that big of a
    >deal. I'm not alone in this - most everyone I rub elbows with in the field
    >So label me bitter if you'd like, it won't be the first time. 
    Neither J3 nor I went trolling for this article.  We generally try to avoid
    the publicity.  It's very much like when I was running undercover
    investigations; you don't advertise.  But somebody with a bigger paycheck
    decided we'd do this.  Actually, it's the second one since I've been with
    ICSA (nee-NCSA).  And I wholeheartedly agree it's tough to get
    middle-of-the-road journalists to get it right.  I've been jousting with a
    pack of 'em for a month now over my criticism of the pseudo-scientific
    articles on the "Blitzkrieg Server" from FutureVision Group.  They dearly
    want a quote like, "This thing is a complete fraud."  Unfortunately no one
    has actually seen the technology to have any degree of certainty that's so.
     All of the articles about it are horrendously bad technobabble, but is
    that the fault of the company or the journalists?  FVG's point man has nine
    patents for neural networking when he was with GTE, so he's not a complete
    But it's impossible to get a journalist to see it objectively.  They either
    want it to be "revolutionary" or "fraudulent," there doesn't' seem to be
    any middle ground and no critical thinking on their part at all.
    All in all though, the Forbes article is pretty close.  I wasn't there when
    the journalist made the interview and there was only one part of the
    article that I didn't have first hand knowledge of.
    Dave Kennedy CISSP
    International Computer Security Assoc
    Protect what you connect.
    Look both ways before crossing the Net.
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated []

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:58 PDT