Forwarded from: Brendan Koerner <Koernerat_private>

Ordinarily I wouldn't respond to such critiques, but the responses to my Slate piece contain several misrepresentations, fabrications, and other rhetorical tricks. I don't fancy myself particularly thin-skinned, but some of what was written really sticks in my craw.

Let's start, quite appropriately, with the first response. Believe it or not, Mr. Huggins, I was not invited to help the government craft the Strategy. Does that somehow strip me of my right to comment on its focus and potential effectiveness? As for your additional comments about my caffeine and protest habits (both of which are quite wrong, BTW), what possible purpose do they serve? Such name-calling seems better suited to a cable-news talk show than a discussion list like ISN, methinks.

Mr. Huggins also errs by assuming I'd object to some sort of federal security guidelines. Ah, but there's that rhetorical trick again--our opinions differ, so therefore I must be some EPIC-loving, tree-hugging pinko, huh? Always best to stick with what's in the article, rather than make inferences based on nothing more than supposition. If Uncle Sam were to come up with federal guidelines, I might actually applaud--provided they were crafted by more on-the-ball people than were responsible for the Strategy.

Lastly, what the heck does this mean:

> Attempt to utilize value input from real security experts than
> publish what leaders from IBM MS and others tell them.

I'll assume that there's a missing "rather" after expert, and an extraneous "value." If it's your sincere belief that the document does this, Mr. Huggins, then I'd be delighted to hear exactly what revelatory security measures the Strategy recommends. As far as I can tell (and I read the report several times, cover to cover), the best thing it's got going is the call for better sysadmin training. What about the other 74-and-a-half pages?

(BTW, quite bold of Mr.
Huggins to vow that a "true snapshot of what can happen" will occur this year. Readers of the article will recall this is eerily similar to what the Business Software Alliance said back in February of 2002. Wagers, anyone?)

Mr. Ellingson tries to inject a not-so-subtle plug for his company by spinning out the notion of how stolen credit-card numbers can abet terrorists. Let's put aside the fact, briefly, that I do bring up the financial theft issue in the piece. (With a hyperlinked plug for my own Legal Affairs piece on Russian cybercrime--I, too, suffer from the disease of self-promotion.) Is Mr. Ellingson's argument that hackers abetted the 9/11 hijackers by swiping them new identities? Maybe I'm living in a very dark place, but this is news to me. And is the inference that better computer security would have prevented 9/11?

I am not "ignoring the problem," per Mr. Ellingson's words. I am, instead, questioning the true nature of that problem, and whether the government is taking the right approach to improving computer security. To focus our efforts (including hundreds of millions of dollars) on supporting NIPC and the like, with an eye toward keeping some mythical Al Qaeda hacker from opening Hoover Dam, while failing to patch very basic server holes at Citibank is sheer lunacy.

Mr. Reed also uses the classic "strawman" critical approach by inferring that I'm the sort of person who said airplanes could never be used as weapons, or that Japan couldn't attack Pearl Harbor. Both assertions are nonsense, of course--I never believed anything akin to the former, and I wasn't alive in the early 1940s. Mr. Reed offers no actual evidence as to why my assertions are incorrect, just a vague guess that I don't understand the difference between threats and vulnerabilities. Would it be overly cynical of me to assume that MITRE has a vested interest in amping up fear of cyberterrorism? Perhaps, and my apologies to Mr. Reed if this seems overly snarky.
But I'm a big believer in "truth in advertising," which is why I took the Strategy to task for its plethora of factual distortions and FUD.

Believe me, I'm all for better security. But I still can't figure out how the FUD-filled Strategy points us in the right direction.

Cheers,
Brendan

-----Original Message-----
From: InfoSec News [mailto:isnat_private]
Sent: Mon 3/10/2003 4:49 AM
To: isnat_private
Cc:
Subject: Re: [ISN] Lost in cyberspace

Date: Wed, 5 Mar 2003 09:23:30 -0600 (CST)
From: hugginsat_private
Subject: Re: [ISN] Lost in cyberspace

Again another slam against the government and how it does its business. Where was this individual when they were writing the document? Sitting on the sidelines drinking lattes and protesting our war more than likely. Here's my thoughts, the government had two choices

1. Legislate compliance with federal statutes (what dod and the rest of the government must comply with) for businesses which would have drawn the ire of epic and people like this author or

2. Attempt to utilize value input from real security experts than publish what leaders from IBM MS and others tell them.

A true snapshot of what can happen is going to happen this year and when it does I will be laughing all the way to the bank, and people like this author will be eating crow.

-=-

Date: Wed, 5 Mar 2003 11:24:36 EST
From: JohnE37179at_private
Subject: Re: [ISN] Lost in cyberspace

In a message dated 3/5/03 10:17:37 AM, isnat_private writes:

> Yet here we are in 2003, and the cyberterrorism casualty list is
> still barren.

I guess this is true if you live with your head in a very dark place. Let's see if we can give the writer a clue. Tens of millions of identities compromised on credit bureau and credit card sites. Let's connect the dots. 15 out of the 19 hijackers on September 11th were using multiple identities.

This writer tells the same head in the sand story that everything is OK, because I am ignoring the problems.
Sounds like the NASA approach to shuttle flight safety.

John Ellingson
CEO
Edentification, Inc.
608-833-6261

-=-

Date: Wed, 05 Mar 2003 12:17:47 -0600
From: Vince Reed <vreedat_private>
Subject: Re: [ISN] Lost in cyberspace

It is hard to imagine that someone with the credentials to get this article published could be so wrong on so many points he makes about the administration's National Strategy To Secure Cyberspace! Hopefully, it is because Mr. Koerner is just misinformed and doesn't understand the differences between threats and vulnerabilities.

Brendan fits in with the same people who said that an airliner would not be used as a weapon because it hadn't been done in the past. He would probably also fit in well with those who thought that Japan's naval air power wasn't a threat to America prior to W.W.II because of the logistic problems in extending such a force across the Pacific.

The only correct conclusion Mr. Koerner draws is towards the end of his article where he says "Most [of the report's solutions] are meaningless jargon..." The Government has definitely failed to step up and take the actions necessary to secure our critical information resources.

Vince Reed

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 05:08:42 PST