At 10:44 AM 2/23/00 -0500, Roger Nebel wrote:

>I believe he meant that the people who put up insecure systems which are
>then compromised and used to attack others and not the targets who may
>be a patch or two out of date. So he's not blaming the victims for
>being attacked but rather the morons who connected a system to the
>Internet that was easily subverted.

Then we all must be morons, since nearly every one of us has had systems that either could have been subverted or have been subverted. You wake up one morning to find that your nice FTP app that everyone uses is actually exploitable, and that there have been underground exploits for it for the last six months. The list goes on and on.

To go back to some real-world analogies, most houses have extremely flimsy front doors, and windows can often be popped easily. Most people can break into their own house if they need to. With the exception of vehicles with anti-theft devices, anyone who is good with a slim jim can open a locked car door in less than a minute, and can then get around the steering wheel lock and ignition very quickly as well. I used to be a mechanic, and have had to overcome all of these systems at one time or another for customers. So most of our vehicles are easily subverted. When your locked car gets stolen, the cop doesn't blame you - they blame the thief. The overall cost to society is too high to put systems on all cars that are harder to overcome, so we accept that some people will steal cars, and we have to hunt them down.

Sure, people ought to patch their systems, and there's a lot of work we all need to do to make things better - but if you look around you, most real-world security systems depend fairly heavily on there being some level of law enforcement to back them up.
Expecting everyone to maintain their computer systems to the level that we'd like to see just isn't realistic - and I think that even among the security crowd (if we're being honest), we all have to admit that we have all at one time or another either had a system that is hackable or had a system get hacked. I was told one day that I had to add domain admins to my local administrators group - the guy did something that wasn't very bright, got the whole domain hacked, and the bozos chose to use my system to demonstrate the problem. So if we're defining moron to include people who put systems up that can be compromised, then I think we need to remember that present company will be included. So if we're a bunch of morons, then what the hell do we expect ordinary people to do?

So, trying to move beyond the blame game, here's what I think we need to do (reflects a paper that Alan Paller and several others have helped with):

1) We need better practices by ISPs to limit spoofing - ingress and egress filtering should be the norm. We need to eliminate spoofing by dial-up customers. Even if you can spoof from inside a site, it still makes tracking it a LOT easier.

2) We need to be doing more security auditing - this is really essential. ISPs ought to provide that as a service to customers. Notify people when they are leaving themselves wide open - most of them probably don't realize they have a problem.

3) Education is a part of the solution - educate developers, admins, end-users and law enforcement.

4) We need to work towards making keeping a machine secure a lot easier - get the machine to check a web site (or something) and see if it needs any patches, then throw a pop-up, send mail, do something.

David LeBlanc
dleblancat_private
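The ingress/egress filtering that point 1 above asks ISPs to adopt comes down to one rule applied at the provider edge: a packet arriving from a customer link must carry a source address the provider actually assigned to that customer (egress filtering), and a packet arriving from the outside must not claim one of the provider's own addresses (ingress filtering). The following Python is an added illustration of that decision logic, not code from the email or from any ISP; the address pool, interface names and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: address blocks this hypothetical ISP has assigned to
# its dial-up pool. Customers may only send FROM these addresses, and the
# outside world may never send packets claiming to be FROM them.
DIALUP_POOL = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # "dialup" = came from a customer line, "upstream" = came from the Internet


def in_pool(addr: str) -> bool:
    """True if addr lies inside one of the provider's assigned customer blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DIALUP_POOL)


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Apply source-address sanity checks at the provider edge.

    Returns ("accept" | "drop", reason). Drops are the spoofing cases the
    email wants eliminated: a customer forging a foreign source, or an
    outside host forging one of ours.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "dialup":
        # Egress filtering: customer traffic must use the address we gave it.
        if not in_pool(pkt.src):
            return "drop", "egress: source %s not in assigned pool" % pkt.src
        return "accept", "egress: source in assigned pool"
    if pkt.iface == "upstream":
        # Ingress filtering: the Internet cannot legitimately send us packets
        # that claim an internal source, nor loopback/unspecified sources.
        if in_pool(pkt.src):
            return "drop", "ingress: outside packet claims internal source %s" % pkt.src
        if src.is_loopback or src.is_unspecified:
            return "drop", "ingress: bogus source %s" % pkt.src
        return "accept", "ingress: source plausible"
    return "drop", "unknown interface %s" % pkt.iface


# Constructed sample traffic as it might be seen on the edge router.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.10", "dialup"),    # honest customer
    Packet("192.0.2.200", "192.0.2.10", "dialup"),    # customer spoofing a foreign source
    Packet("192.0.2.10", "203.0.113.7", "upstream"),  # normal reply from outside
    Packet("198.51.100.5", "203.0.113.7", "upstream"),# outsider claiming one of our addresses
    Packet("127.0.0.1", "203.0.113.7", "upstream"),   # bogus loopback source from outside
]


def summarize(packets) -> dict:
    """Count accept/drop decisions over a batch of packets."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = filter_packet(pkt)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.iface:8} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} ({reason})")
    print(summarize(SAMPLE_PACKETS))
```

In production this logic lives in router ACLs or unicast reverse-path checks rather than in Python, but the rule set is the same: the provider knows which prefixes it handed out, so every packet that contradicts that assignment is a forgery and can be dropped at the first hop, which is exactly what makes the remaining traffic traceable.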
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:09 PDT