RE: Lloyds to offer hacker insurance

From: Matthew Patton (pattonat_private)
Date: Fri May 08 1998 - 11:31:51 PDT

  • Next message: Mike Bresina: "Re: Blitzkrieg Server -- For Real?! ( LONG )"

    >I think I can safely say (paraphrasing Kevin) that the prevailing
    >management attitude is, "Hey, I passed the C&A so I can back-burner
    >security until the next C&A cycle." And then they get whacked. Not their
    >fault - they passed the C&A.
    Funny this should come up. But digging back into the archives of history
    let us recall the most embarrassing hack of circa Jan 1996. So,
    purhaps the readership has forgotten (or did I fail to post) that just DAYS
    before the hack, DTIC's computer systems underwent a 'security checkup' by
    none other than DISA's ASSIST intrusions tiger team. Said team asked DTIC
    to point out their internet connected boxes and ran a set of tools against
    them and upon finishing, blessed their health. Seems nobody at DTIC
    mentioned the nifty new IRIX box sitting off in a corner playing dumb and
    happy to the address of ''. So the DTIC guys went happily on
    their way, forgetting all about certain builtin accounts not having
    passwords (default out of box setup) or that some flaming bozo had set the
    root password to "1234". So you see audit or not who says the auditors will
    do a complete job? The fact that the intrusion team didn't "find" the irix
    box is a bit troubling no?
    >"Insurance" in the .mil/.gov arena usually translates to
    >"Plausible Deniability" or some other form of Vogon poetry.
    Precisely!! So who in the Pentagon do we want to hack today???
    'Flippergate' got to love it.
    "There are no significant bugs in our released software that any
    significant number of users want fixed." - Bill Gates in an interview with
    Focus magazine, Oct 23, 1995.

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:59 PDT