RE: [ISN] Lost in cyberspace

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 02:44:49 PST

    Forwarded from: Brendan Koerner <Koernerat_private>
    
    Ordinarily I wouldn't respond to such critiques, but the responses to
    my Slate piece contain several misrepresentations, fabrications, and
    other rhetorical tricks. I don't fancy myself particularly
    thin-skinned, but some of what was written really sticks in my craw.
     
    Let's start, quite appropriately, with the first response. Believe it
    or not, Mr. Huggins, I was not invited to help the government craft
    the Strategy. Does that somehow strip me of my right to comment on its
    focus and potential effectiveness? As for your additional comments
    about my caffeine and protest habits (both of which are quite wrong,
    BTW), what possible purpose do they serve? Such name-calling seems
    better suited to a cable-news talk show than a discussion list like
    ISN, methinks.
     
    Mr. Huggins also errs by assuming I'd object to some sort of federal
    security guidelines. Ah, but there's that rhetorical trick again--our
    opinions differ, so therefore I must be some EPIC-loving, tree-hugging
    pinko, huh? Always best to stick with what's in the article, rather
    than make inferences based on nothing more than supposition. If Uncle
    Sam were to come up with federal guidelines, I might actually
    applaud--provided they were crafted by more on-the-ball people than
    were responsible for the Strategy.
     
    Lastly, what the heck does this mean:
     
    > Attempt to utilize value input from real security experts than
    > publish what leaders from IBM MS and others tell them.
    
    I'll assume that there's a missing "rather" after expert, and an
    extraneous "value." If it's your sincere belief that the document does
    this, Mr. Huggins, then I'd be delighted to hear exactly what
    revelatory security measures the Strategy recommends. As far as I can
    tell (and I read the report several times, cover to cover), the best
    thing it's got going is the call for better sysadmin training. What
    about the other 74-and-a-half pages?
     
    (BTW, quite bold of Mr. Huggins to vow that a "true snapshot of what
    can happen" will occur this year. Readers of the article will recall
    this is eerily similar to what the Business Software Alliance said
    back in February of 2002. Wagers, anyone?)
     
    Mr. Ellingson tries to inject a not-so-subtle plug for his company by
    spinning out the notion of how stolen credit-card numbers can abet
    terrorists. Let's put aside the fact, briefly, that I do bring up the
    financial theft issue in the piece. (With a hyperlinked plug for my
    own Legal Affairs piece on Russian cybercrime--I, too, suffer from the
    disease of self-promotion.) Is Mr. Ellingson's argument that hackers
    abetted the 9/11 hijackers by swiping them new identities? Maybe I'm
    living in a very dark place, but this is news to me. And is the
    inference that better computer security would have prevented 9/11?
     
    I am not "ignoring the problem," per Mr. Ellingson's words. I am,
    instead, questioning the true nature of that problem, and whether the
    government is taking the right approach to improving computer
    security. To focus our efforts (including hundreds of millions of
    dollars) on supporting NIPC and the like, with an eye toward keeping
    some mythical Al Qaeda hacker from opening Hoover Dam, while failing
    to patch very basic server holes at Citibank is sheer lunacy.
     
    Mr. Reed also uses the classic "strawman" critical approach by
    inferring that I'm the sort of person who said airplanes could never
    be used as weapons, or that Japan couldn't attack Pearl Harbor. Both
    assertions are nonsense, of course--I never believed anything akin to
    the former, and I wasn't alive in the early 1940s. Mr. Reed offers no
    actual evidence as to why my assertions are incorrect, just a vague
    guess that I don't understand the difference between threats and
    vulnerabilities.
     
    Would it be overly cynical of me to assume that MITRE has a vested
    interest in amping up fear of cyberterrorism? Perhaps, and my
    apologies to Mr. Reed if this seems overly snarky. But I'm a big
    believer in "truth in advertising," which is why I took the Strategy
    to task for its plethora of factual distortions and FUD.
     
    Believe me, I'm all for better security. But I still can't figure out
    how the FUD-filled Strategy points us in the right direction.
     
    Cheers,
    Brendan
    
    	 
    	-----Original Message----- 
    	From: InfoSec News [mailto:isnat_private] 
    	Sent: Mon 3/10/2003 4:49 AM 
    	To: isnat_private 
    	Cc: 
    	Subject: Re: [ISN] Lost in cyberspace 
    	
    	
    
    	Date: Wed, 5 Mar 2003 09:23:30 -0600 (CST)
    	From: hugginsat_private
    	Subject: Re: [ISN] Lost in cyberspace
    	
    	Again another slam against the government and how it does its
    	business. Where was this individual when they were writing the
    	document?  Sitting on the sidelines drinking lattes and protesting
    	our war more than likely.
    	
    	Here are my thoughts: the government had two choices:
    	
    	1.  Legislate compliance with federal statutes (what DoD and the rest
    	of the government must comply with) for businesses, which would have
    	drawn the ire of EPIC and people like this author, or
    	
    	2.  Attempt to utilize value input from real security experts than
    	publish what leaders from IBM MS and others tell them.
    	
    	A true snapshot of what can happen is going to happen this year and
    	when it does I will be laughing all the way to the bank, and people
    	like this author will be eating crow.
    	
    	
    	-=-
    	
    	
    	Date: Wed, 5 Mar 2003 11:24:36 EST
    	From: JohnE37179at_private
    	Subject: Re: [ISN] Lost in cyberspace
    	
    	In a message dated 3/5/03 10:17:37 AM, isnat_private writes:
    	
    	> Yet here we are in 2003, and the cyberterrorism casualty list is
    	> still barren.
    	
    	I guess this is true if you live with your head in a very dark place. 
    	Let's see if we can give the writer a clue. Tens of millions of
    	identities compromised on credit bureau and credit card sites. Let's
    	connect the dots. 15 out of the 19 hijackers on September 11th were
    	using multiple identities.
    	
    	This writer tells the same head in the sand story that everything is
    	OK, because I am ignoring the problems. Sounds like the NASA approach
    	to shuttle flight safety.
    	
    	
    	
    	John Ellingson
    	CEO Edentification, Inc.
    	608-833-6261
    	
    	
    	-=-
    	
    	
    	Date: Wed, 05 Mar 2003 12:17:47 -0600
    	From: Vince Reed <vreedat_private>
    	Subject: Re: [ISN] Lost in cyberspace
    	
    	It is hard to imagine that someone with the credentials to get this
    	article published could be so wrong on so many points he makes about
    	the administration's National Strategy To Secure Cyberspace!
    	Hopefully, it is because Mr. Koerner is just misinformed and doesn't
    	understand the differences between threats and vulnerabilities.
    	Brendan fits in with the same people who said that an airliner would
    	not be used as a weapon because it hadn't been done in the past. He
    	would probably also fit in well with those who thought that Japan's
    	naval air power wasn't a threat to America prior to W.W.II because of
    	the logistic problems in extending such a force across the Pacific.
    	The only correct conclusion Mr. Koerner draws is towards the end of
    	his article where he says "Most [of the report's solutions] are
    	meaningless jargon..." The Government has definitely failed to step up
    	and take the actions necessary to secure our critical information
    	resources.
    	
    	Vince Reed
    	
    	
    	
    	
    	-
    	ISN is currently hosted by Attrition.org
    	
    	To unsubscribe email majordomoat_private with 'unsubscribe isn'
    	in the BODY of the mail.
    	
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 05:08:42 PST