Firewall Wizards
mailing list archives
Re: The Morris worm to Nimda, how little we've learned or gained
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 3 Jan 2002 20:36:19 -0500 (EST)
On Thu, 3 Jan 2002, Marcus J. Ranum wrote:
> I've been watching the blame in computer security flow in circles for
> years. The flow looks like this:
> - The hackers blame the sysadmins who leave their machines open
> - The sysadmins blame the vendors who write buggy insecure code
> and not producing patches quickly enough.
> - The vendors blame the customers who place a premium on features over quality
> and not installing patches quickly enough.
> What's ironic - and what makes the whole problem so intractable - is the
> fact that they're _all_ right. Everyone has to do a lot less whining and get
It's the Default Deny stance- "By default, I deny that I caused the
problem." ;)
> I can tell you a few of the indicators that I'm looking for which will indicate
> that progress is about to be made in security:
> 1) The first time a company goes public and becomes huge based on the
> premise that their software is super-high-quality.
That's counter to profit margins unless 3 and possibly 5 happen.
> 2) The first time an operating system ships that doesn't need to have all
> its software installed with system privileges to function
That's been done- it's too difficult to administer with the level of IT
staff that's currently fielded- heck it's just too difficult to
administer period.
> 3) The first time customers place and enforce a purchase ban on a software
> product notorious for insecurity and unreliability
If that were the case, MS Office wouldn't have survived macro viruses...
> 4) The first time that ISPs act together to ban an application from their
> backbone(s)
Hell, let's start with them banning some users from their leaves.
> 5) The first successful class-action lawsuit over software quality encompassing
> security
That'll be the only way we'll get impetus to change in any significant
manner.
> Note that not only do I see no sign of the above happening, I see signs in
> the industry and community that steps are being taken to _prevent_ some of
> the above. Most notably #5 and possibly #3.
> People/companies don't really want SECURITY, they just don't want PAIN
> from INSECURITY. That's a fundamental issue.
> The sad reality is that safety technology only gets applied once it's obvious
> that the damage from not applying it is extremely expensive to the entire
> community. Remember - we didn't have mandatory seatbelts in cars until
> the 1960's and didn't have mandatory shoulder straps until the 1970's. Air
> bags didn't come until the 1980's and mandatory _use_ laws are only recently
> on the books in most states. Internationally, the situation is worse. And
> people have known for a long time that seat belts save lives...
It's not *just* damage that's an issue (motorcycle helmets are a prime
example), there also needs to be some sort of control structure which can
enforce the greater common good. That tends to mean the evils of
legislature and enforcement.
I think we'll see improvements from evolution, it's just that evolution
takes lifetimes and we could really use some genetic engineering.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards