Re: NIPC Daily Report, 30 October 2001

From: Alan (alan@private)
Date: Wed Oct 31 2001 - 11:30:58 PST

    On Wednesday 31 October 2001 10:19, Crispin Cowan wrote:
    > Chris & Kathleen wrote:
    > > hi All
    > > this is not funny people in Portland have almost gone ballistic there.
    > > many are frightened and scared from Sep 11th so this kind of stuff
    > > does not surprise me.  We need to remember to keep calm and don't let
    > > this kind of stuff rattle us.  Granted the person who did this thing
    > > may have had a grudge or was playing a bad practical joke, but we need
    > > to keep level heads. We also need to NOT let this stuff become a joke
    > > - as there is a real danger out there.  It's not funny and we should
    > > not treat it as such.
    >
    > I beg to differ.  The threat is absurdly small compared to the level of
    > self-imposed denial-of-service we are enduring. One is more likely to be
    > hit by lightning than hurt by a terrorist attack. This is precisely
    > analogous to shutting down your servers because your IDS issued an
    > alert. It's a bad idea for computer networks, and I hazard to say it is
    > a bad idea for civic systems to similarly over-react.
    
    I have seen people do just that over other situations where fear and 
    misinformation prevail.  ("Can you say Y2K boys and girls? I knew you could!")
    
    The idea that a server cannot come to harm if you just turn it off, not 
    realizing that other servers depend on that one...  (Ever see what happens to 
    a site when someone shuts down all the DNS servers servicing a domain? You 
    become an "un-company." Double-plus ungood.)
    
    > I feel that it is high time that people stop jumping at shadows, and
    > carry on with normal life. Moreover, it is well past high time that we
    > stop imposing stupid, ineffective "security" measures that mostly make
    > the public feel good, but have no real protective value.
    
    "But if they are afraid, they won't question and give us everything we ask 
    for!"
    
    There are a whole bunch of groups that feed on fear.  Law enforcement and the 
    military are getting everything on their Christmas wish list out of this. So 
    are the various companies selling to those groups.  The news media is getting 
    high ratings and more and more viewers hooked.  (Sure beat the "Your child 
    could be in danger from <scare source X> stories".)  
    
    Unfortunately, even some in the security industry feed off that fear.
    
    Security people need to remain level-headed.  Panic and paranoia do not 
    help the thought process. If you are going to defend systems against an 
    unknown, you need to have all of your wits about you, or else you end up 
    spending huge amounts of time and money on things that don't help, and may 
    make things worse.  
    
    If I can scare you into doing something stupid, it can become a denial of 
    service attack in and of itself.
    
    > For instance, can someone tell me the useful purpose of having armed
    > soldiers at the airport metal detectors? The soldiers don't do anything,
    > they just stand there.  It's not like they know anything about detecting
    > contraband in luggage anyway. At best, they can defend the airport gate
    > against a frontal assault by an armed gang. But only a very small one.
    > And no terrorist would use that approach anyway, because they would
    > never get the plane off the ground. So what is the point?
    
    The point is that it gives people who lack the power of actual analysis and 
    reason a belief that they are "safe".  (Which, unfortunately, tends to cover 
    far too many Americans. (My personal belief is that far too many Americans can 
    no longer discern between fantasy and reality, which explains "Zero 
    Tolerance" and most laws out of Congress.))
    
    Schneier had an excellent comment in his Sept 30 Cryptogram on the issue of 
    airports and security.  His main point was there was no threat model used in 
    the planning. They just made up a bunch of rules, some good and some bad. The 
    reports I have seen since then tend to back up the assertion. (Random and 
    meaningless reasons used to search and detain, that have little to do with 
    actual security and more to do with fear and insecurity.)
    
    The article can be found at: http://www.counterpane.com/crypto-gram-0109a.html
    
    > Perennial question: is non-computer infrastructure topical to CRIME?
    
    Yes, actually.  Physical security concerns are definitely on topic.  (As are 
    panic overreactions.)  The reason is that they tend to mirror on the computer 
    side as well.
    
    I have seen places that had all sorts of computer security measures in place, 
    but you could walk in and out of buildings with hardware.  I have also seen 
    places where the physical security was quite tight (to the point of 
    absurdity), but there was next to no OS level security.
    
    The best denial of service attack is hauling away the server.
    
    The way other security concerns are handled (or not handled) tends to mirror 
    in the computer field.
    


