Forwarded from: security curmudgeon <jericho@private>
Cc: sberinato@private

This was certainly an interesting article. Bit naive.. bit of FUD.. bit of hypocrisy.. it had it all! All in all, I rate this piece a Big load of crap. Comments inline..

: http://www.cio.com/archive/031505/security.html
:
: BY SCOTT BERINATO
:
: Professor Hannu H. Kari of the Helsinki University of Technology is a
: smart guy, but most people thought he was just being provocative when he
: predicted, back in 2001, that the Internet would shut down by 2006.
: "The reason for this will be that proper users' dissatisfaction will
: have reached such heights by then that some other system will be
: needed,"

I don't think I need to cover how absurd "the internet would shut down" is. Hell, people still have trouble defining it, let alone declaring "it" shut down.

: Kari holds dozens of patents. He helped invent the technology that
: enables cell phones to receive data. He's a former head of Mensa
: Finland. Still, many observers pegged him as an irresponsible doomsayer
: and, seeing as how he consults for security vendors, a mercenary one at
: that.

Sounds like another case of academia promoting their ideas without grounding themselves in a healthy dose of reality. Mensa and patents mean nothing really. I think he is confusing user disgust with the internet being "shut down". And for all of his stats on worms and viruses and cyberattacks and spam (and oh my!), I'd love to see his statistics showing any trend of portions of the internet "shutting down" or users giving up on the net completely due to frustration. Sure, lots of bad things continue to happen and the trend is growing.. but how about this result he predicts? Any statistics or trends to back the rest?

: attacking the machines it targeted.
: Paul Stich, CEO of managed
: security provider Counterpane, reports that attempted attacks on his
: company's customers multiplied from 70,000 in 2003 to 400,000 in 2004,
: an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that

I think we're close to the ten year anniversary of asking journalists (and most security professionals) the following question: What exactly do you mean by 'attack'? Remember, a lot of these FUD spreaders (including .gov agencies) count a *ping* as an attack. Without qualifying what 'attack' means, any statistic that mentions said 'attacks' is *worthless fluff*.

: among the 2.8 million e-mails sent to his company every day, 2.1
: million, or 75 percent, are junk. The increasing clutter of online junk
: is driving people off the Internet. In a survey by the Pew Internet and
: American Life Project, 29 percent of respondents reported reducing their
: use of e-mail because of spam, and more than three-quarters, 77 percent,
: labeled the act of being online "unpleasant and annoying." Indeed, in

And how many of those people STOPPED using the net as a result? Almost everyone I know thinks that driving to and from work is "unpleasant and annoying", yet less than 0.01% stopped doing it.

: Kari may have overstepped by naming a specific date for the Internet's
: demise, but fundamentally, he's right. The trend is clear.

The *trend* has been there for a DECADE. Why say 2006 again?

: What was left was an impressive, broad and, sometimes, even fun list of
: Big Ideas to fix information security. Let's hope some take shape before
: 2006.
:
: Get All the Smart People Together and Give Them Lots of Money
: The best place to start is with a Big Idea to concentrate and organize
: all the other big ideas, a Manhattan Project for infosecurity.

Great idea, who pays the bill? Who determines the "smart people"? How long does it take for them to define the problems before developing technical solutions?
Once they figure out brilliant solutions, how do you get everyone to implement them?

: Hire a Czar
: A surgeon general-like figure for security is not only a Big Idea; it's
: a popular one. Several folks suggest creating some kind of "government
: leader" or "public CIO for security," none more vocally than Paul Kurtz,
: the executive director of the Cyber Security Industry Alliance.

Hire a Czar, that's an original thought..

U.S. cybersecurity chief resigns
http://www.infoworld.com/infoworld/article/04/10/01/HNchiefresigns_1.html
Amit Yoran, director of the DHS National Cyber Security Division since September 2003, resigns.

--

U.S. Cybersecurity Czar to Resign
http://www.wired.com/news/politics/0,1283,57454,00.html
Richard Clarke, currently the nation's top cybersecurity adviser, will resign from government.

Having a "cyber security czar" is a pointless task unless his position means something, and has some real power.

: Eliminate All Coding Errors Within Two Years
: Mary Ann Davidson, CSO of Oracle and champion of the quality coding
: movement, says she's tired of coders arguing that their jobs are too
: creative to eliminate errors such as buffer overflows, that coding's an
: art, not a science.
:
: Davidson knows that, with billions of lines of legacy code and billions
: more in development, eliminating all coding errors is quite a lofty
: goal.

Oh this is hands down the most amusing, ironic AND disgusting thing I have read in a while. Hey Mary, you hypocritical pop tart, YOU WORK FOR ORACLE. Your products have more vulnerabilities than features year after year! You are the *last* person/company that should EVER speak on security practices. Davidson has been with Oracle for more than 15 years and the amount of vulnerabilities in their products is getting *worse*, not better. You show the rest of the world that your idea can work at Oracle, and I am sure the rest will follow.

: Pry PCs from Their Cold, Dead Hands
: Guns are dangerous; therefore, we license them.
: We give them unique
: serial numbers and control their distribution. James Whittaker says
: programmable PCs are dangerous, so why not treat them like guns?

According to the CDC, there were 17,638 homicides in 2002 [1]. We license guns for a reason. In 2001, there were 42,443 deaths from automobile accident injuries [2]. We license automobile drivers for a reason. In 2001, 2002, 2003 and 2004, how many deaths were attributed to computers? According to one worldwide study, smoking was blamed for 5 million deaths in 2000 [3], and we don't even license people to purchase smoking products. Statistics and logic aside, who determines or standardizes the licensing? Who issues them? Who polices and revokes them?

: Call the Cybercops
: With a "Cyberpol," you could license private eyes and forensic experts
: who not only would facilitate the cooperation but also would improve
: response time, as there already isn't enough law enforcement for
: cybercrime.

And should this 'Cyberpol' follow 'Interpol'? What happens when a country doesn't participate or honor Interpol requests? What happens when a "licensed private eye" goes to a U.S. based ISP and asks for logs that require a federal subpoena? It just added a layer of bureaucracy and hindered the investigation, potentially when time is critical.

: Unleash the Power of XML and Meta-Data
: Several people suggest using XML and meta-data to tag websites with
: safety, reputation, past performance and other security ratings to act
: as signposts for dangerous cyberneighborhoods. A virtual Better Business
: Bureau could manage the data so that when users visit a website, their
: computers pull down the XML meta-data about that site.

This has an obvious problem. Who exactly decides what sites are bad.. this new virtual BBB? Take organizations that try to do this for specific areas of the industry right now. SpamCop or other blackhole list maintainers and commercial content filter products are the first to come to mind.
If these are indications of what this virtual BBB might accomplish, no thanks. Many people feel they do as much harm as they do good. My domain has sent out 0 spam in the past 5 years, yet we have been blacklisted on at least three different RBL lists including SpamCop (several times). Each time it took a small miracle to get the domain removed entirely due to THEIR process for handling such cases. Almost every single content filtering software blocks my domain .. why? Criminal activity says one.. pornography says another.. hacker material says a third. Yet every security company and federal law enforcement agency *relied* on the information we provided for several years. These designations are completely subjective based on the audience, something no software or programmer can adequately determine and enforce. How exactly is this proposed BBB going to handle rating the 60,442,655 web sites available in March of 2005 [4]?

All in all, this list of Big Ideas seems like a Big joke mostly written by Big windbags that don't understand the Big internet that they propose to drastically change.

jericho
attrition.org

[1] http://www.cdc.gov/nchs/fastats/homicide.htm
[2] http://www.wrongdiagnosis.com/a/automobile_accidents_injury/deaths.htm
[3] http://my.webmd.com/content/article/97/104239.htm?z=1728_00000_1000_nd_04
[4] http://news.netcraft.com/archives/web_server_survey.html

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Fri Mar 18 2005 - 01:39:23 PST