RE: CRIME Perspective on Criticisms leveled at Microsoft

From: Andrew Plato (aplato@private)
Date: Wed Apr 10 2002 - 18:20:49 PDT


    ((sorry...plain text now.))
    
    > I have a problem with that. A secure system is one that does 
    > what it is supposed to, and *nothing* else. 
    
    Crispin, that's cool for you and hardcore UNIX guys who have nothing better to do but spend hour after hour tuning their servers. But that simply is not a practical answer for businesses and individuals who do not have the time or resources to make sure every conceivable hole is plugged. 
    
    Your statement "a secure system is one that does what it is supposed to and nothing else" sounds great in a seminar at a university. But what is a system supposed to do? This isn't a one-size-fits-all situation. People use servers and workstations to do a vast array of different things from playing games to typing reports. It's impossible to know with any certainty what a system is "supposed to do" without conducting a comprehensive audit of every system and every software package under your control. And I honestly don't think most IT guys have the time or resources to do that. 
    
    Therefore, the answer is to plug as many as possible without resorting to a massive change in infrastructure. 
    
    > It is fundamentally impossible to prove 
    > the "nothing else" part, and so we are required to resort to 
    > combinations of inspection and faith to determine how likely 
    > it is that a given system is secure. Doing this even half-way well 
    > requires a major dose of skepticism, or else you will be taken in by snake oil 
    > salesmen who tell you "Of *course* it is secure" :-(
    
    This idea that things are either 100% secure or 100% insecure is inherently faulty. Security is not a black and white problem. Half-secure is better than zero secure. And many places have no choice but to settle with half-secure, because total security is simply too expensive or would obliterate usability.
    
    And I don't see any text by Graham, myself, or any other security nut that is saying "oh yeah, you're totally secure if you buy XYZ product." 
    
    And I am sorry but this obsession with ultimate security might be fine for scientists and security experts, but it simply is not a practical answer for the average IT department. 
    
    > "Spreading FUD" is making a claim of risk where there is 
    > none. 
    
    No. Spreading FUD is making wild, unsupported, or exaggerated claims about technology for the sole purpose of frightening people into action. Usually action to purchase a product or reject a particular technology. When I think of FUD, I think of somebody like Steve Gibson, who is a chronic FUD monger. He has about 1/2 the concept baked and then he runs around screaming like a lunatic trying to terrify people into doing something. The mere fact that Steve has a site devoted to debunking his rantings (www.grcsucks.com) shows what FUD mongering can get you. 
    
    I personally am very tired of FUD mongering. It's annoying and counterproductive. When I meet with customers I try to focus almost exclusively on how to solve security issues in a practical and cost-effective manner. Sometimes that means using security products, sometimes that means making fundamental infrastructure changes. Whatever the case, screaming at people that THEY HAD BETTER STOP USING WINDOWS RIGHT NOW!!!! is in my opinion immature and counter-productive. It doesn't respond to the real world problems that are facing businesses. People are not going to stop using Windows no matter how loud you scream at them.
    
    
    > This is 
    > the exact dual of selling snake oil: claiming safety where there is 
    > none. Clearly neither is constructive, and a realistic assessment of 
    > risks is called for to be effective, including a realistic 
    > understanding of the costs of implementing a solution vs. the costs of 
    > enduring the risks.
    
    Again, I fail to see where anybody - Graham or the like - has said you're 100% safe if you just install a patch or buy their software. 
    
    > IMHO, Robert Graham's article is selling snake oil in a major way. It 
    > is highly non-credible, and deceptively lures people into 
    > engaging in some very bad security policies.
    
    How? How exactly would Graham's comments lead a person into an insecure situation? 
    
    It seems to me Crispin the undertone of your argument is: "Graham acknowledges Windows, and therefore his argument is wrong." That is faulty reasoning because the assumption is that Windows cannot be secured, which it can.
    
    See: http://www.anitian.com/Corp/Papers/Hardening_Win2k.pdf
    
    Just because people do not know how to secure a Windows box, does not mean it is a faulty platform. Just because Microsoft has a monopoly doesn't mean the products are inherently bad. Standard Oil had a monopoly, but the oil they sold was perfectly normal oil. Just because Microsoft dominates the market doesn't mean we should all just throw out our Microsoft products. 
    
    Keep in mind that most business executives could care less what is running in the server room. As far as they are concerned, you could run the entire company off a Timex Sinclair and a 300 baud modem. What matters to them is productivity. Because any hit against productivity (and usability) means loss in profitability. Now, many executives I meet are willing to accept that security must be a part of the picture. And they may even be willing to take a few productivity hits because in the long term, being more secure protects profitability. But no business in the universe is going to accept wiping out their entire infrastructure and retraining their entire staff based on a promise that this might be a notch more secure. Not when those places, with a little discipline and control, can make their Windows systems very secure.
    
    > I agree with what Andrew says above: a core part of the 
    > security problem 
    > is to find solutions that deliver the security with minimal 
    > compromises 
    > in convenience. My problem is with Graham, who essentially says 
    > "Security is hard. Let's have ice cream."
    
    I don't see that as what Graham said. I would interpret Graham's statements as: "Security is hard, let's take this one step at a time and be practical (and then have ice cream)." 
    
    > Really? BlackICE replaced the core NIDS engine in ISS 
    > RealSecure?  This is news to me. At least one of us is confused :)  I thought 
    > ISS bought BlackICE for their personal firewall product, and not to 
    > replace their NIDS engine.
    
    Nope. RealSecure is now pretty much all BlackICE under the covers. The core engine is now BlackICE augmented with RS's signatures. Best IDS there is (in my humble and totally biased opinion). 
    
    ------------------------------------
    Andrew Plato
    President / Principal Consultant
    Anitian Corporation
    
    (503) 644-5656 office
    (503) 201-0821 cell
    http://www.anitian.com
    Yahoo Messenger: Anitian
    ------------------------------------
    
    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:04 PDT