[Good Lord but that is ugly HTML Andrew's mailer is producing. The entire message came as two base64-encoded MIME attachments, including the "ASCII" version, and the HTML version is using strange boxes around the text. Pardon the formatting problems. I'll stick to pure ASCII posts from now on.]

Andrew Plato wrote:

> > If there is one thing to learn from the CRIME list, it's that computer security people are a cynical, skeptical (probably even bitter :-)) bunch. It's our job to be skeptical, to find the many flaws and assume the worst of whatever we're looking at.
>
> I find this to be a very incomplete view of the security industry. I consider myself part of the security industry but I do not see myself as a cynical, skeptical, or bitter person when it comes to my work. I think this is a problem in some regards with security people. They are so consumed with finding faults, they forget (or ignore) methods to patch or repair those faults.

I have a problem with that. A secure system is one that does what it is supposed to, and *nothing* else. It is fundamentally impossible to prove the "nothing else" part, and so we are required to resort to combinations of inspection and faith to determine how likely it is that a given system is secure. Doing this even half-way well requires a major dose of skepticism, or else you will be taken in by snake oil salesmen who tell you "Of *course* it is secure" :-(

I also dispute that this degree of skepticism in any way inhibits the ability to patch systems. The security people I have the most respect for are all highly cynical, but that does not inhibit them from providing creative and effective solutions.

> I see my role as a person who has to actually patch up those holes. And that is a very different perspective than the academics and pundits who want to terrify people into action. Spreading FUD may be fun and emotionally satisfying, but it isn't very productive.
>
> Somebody, like me, has to help people patch those holes. And scaring people with "Microsoft is bad, you're an idiot for using it" rhetoric may help fan the flames of anti-Microsoft sentiment, but it isn't really practical for IT managers who then have to return to their office and confront 500 Windows machines.

"Spreading FUD" is making a claim of risk where there is none. This is the exact dual of selling snake oil: claiming safety where there is none. Clearly neither is constructive, and a realistic assessment of risks is called for to be effective, including a realistic understanding of the costs of implementing a solution vs. the costs of enduring the risks.

IMHO, Robert Graham's article is selling snake oil in a major way. It is highly non-credible, and deceptively lures people into engaging in some very bad security policies.

> I don't think locking a car and uninstalling a complex software component are really very comparable. This is what happens when we start to reason metaphorically. The metaphors become twisted.

True, reasoning by metaphor is dangerous. Metaphors are useful for explaining concepts, but not for proving points. When Barry asked "really? why?" metaphors were appropriate, but when Andrew said "I disagree", they stopped being appropriate.

> The fact is most people simply do not understand how their PC functions. They don't care about services, ports, or access control lists. They want to go down to Best Buy, purchase a digital camera, plug it in and have it immediately work. Ever notice how the aisles at Frys are filled with obviously returned products. I would bet that a large percentage of those returns were simply because the person who bought the product did not understand how to integrate that product with their existing environment (and the awful documentation probably didn't help.)

All of which is true, but again is beside the point. Frys customers helplessly accept whatever Microsoft gives them: that is part of the antitrust suit against Microsoft. That Microsoft uses this monopoly lock on desktop operating systems to fob off crappy security on those least able to do something about it is one of the factors that gets so many security people so angry.

> Graham's point, then, is that most people really are not concerned with security. They want usability, and security is second. The challenge to security folks is to find ways to provide both. And that is not easy and it won't happen overnight. You are not going to convince people to just throw off their Windows boxes and adopt highly secure UNIX terminals tomorrow.

I agree with what Andrew says above: a core part of the security problem is to find solutions that deliver the security with minimal compromises in convenience. My problem is with Graham, who essentially says "Security is hard. Let's have ice cream."

> > However, and I think this is the most crucial point that Robert Graham misses, the best security solutions are those that are neither a nuisance nor an inconvenience and yet provide real security. It is a failure of both designers and security experts that security and convenience are seen as opposites, to be traded off against each other. That's what we all, including Microsoft, should be working towards.
>
> I think the fact that Graham designed an intrusion detection product (BlackICE, now the core technology in ISS's RealSecure) is demonstrative of his commitment to building solutions that are neither a nuisance nor an inconvenience. In fact, I would argue (although I have a rather obvious bias here) that Mr. Graham's technologies are some of the least intrusive security products that still deliver outstanding capabilities.

Really? BlackICE replaced the core NIDS engine in ISS RealSecure? This is news to me. At least one of us is confused :) I thought ISS bought BlackICE for their personal firewall product, and not to replace their NIDS engine.

WRT Graham's credibility: as I said at the outset, I don't know what he's been smoking lately, because he's not normally this silly. That article was absolute crap: worse, it is toxic to the novice security admin, because it seductively leads you on to think that some VERY bad ideas are actually good ideas.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:58 PDT