Information Security News mailing list archives
RE: Lost in cyberspace
From: InfoSec News <isn () c4i org>
Date: Tue, 11 Mar 2003 04:44:49 -0600 (CST)
Forwarded from: Brendan Koerner <Koerner () newamerica net>
Ordinarily I wouldn't respond to such critiques, but the responses to my Slate piece contain several misrepresentations, fabrications, and other rhetorical tricks. I don't fancy myself particularly thin-skinned, but some of what was written really sticks in my craw.
Let's start, quite appropriately, with the first response. Believe it or not, Mr. Huggins, I was not invited to help the government craft the Strategy. Does that somehow strip me of my right to comment on its focus and potential effectiveness? As for your additional comments about my caffeine and protest habits (both of which are quite wrong, BTW), what possible purpose do they serve? Such name-calling seems better suited to a cable-news talk show than a discussion list like ISN, methinks.
Mr. Huggins also errs by assuming I'd object to some sort of federal security guidelines. Ah, but there's that rhetorical trick again--our opinions differ, so therefore I must be some EPIC-loving, tree-hugging pinko, huh? Always best to stick with what's in the article, rather than make inferences based on nothing more than supposition. If Uncle Sam were to come up with federal guidelines, I might actually applaud--provided they were crafted by more on-the-ball people than were responsible for the Strategy.
Lastly, what the heck does this mean:
> Attempt to utilize value input from real security experts than publish what leaders from IBM MS and others tell them.
I'll assume that there's a missing "rather" after expert, and an
extraneous "value." If it's your sincere belief that the document does
this, Mr. Huggins, then I'd be delighted to hear exactly what
revelatory security measures the Strategy recommends. As far as I can
tell (and I read the report several times, cover to cover), the best
thing it's got going is the call for better sysadmin training. What
about the other 74-and-a-half pages?
(BTW, quite bold of Mr. Huggins to vow that a "true snapshot of what
can happen" will occur this year. Readers of the article will recall
this is eerily similar to what the Business Software Alliance said
back in February of 2002. Wagers, anyone?)
Mr. Ellingson tries to inject a not-so-subtle plug for his company by
spinning out the notion of how stolen credit-card numbers can abet
terrorists. Let's put aside the fact, briefly, that I do bring up the
financial theft issue in the piece. (With a hyperlinked plug for my
own Legal Affairs piece on Russian cybercrime--I, too, suffer from the
disease of self-promotion.) Is Mr. Ellingson's argument that hackers
abetted the 9/11 hijackers by swiping them new identities? Maybe I'm
living in a very dark place, but this is news to me. And is the
inference that better computer security would have prevented 9/11?
I am not "ignoring the problem," per Mr. Ellingson's words. I am,
instead, questioning the true nature of that problem, and whether the
government is taking the right approach to improving computer
security. To focus our efforts (including hundreds of millions of
dollars) on supporting NIPC and the like, with an eye toward keeping
some mythical Al Qaeda hacker from opening Hoover Dam, while failing
to patch very basic server holes at Citibank is sheer lunacy.
Mr. Reed also uses the classic "strawman" critical approach by
inferring that I'm the sort of person who said airplanes could never
be used as weapons, or that Japan couldn't attack Pearl Harbor. Both
assertions are nonsense, of course--I never believed anything akin to
the former, and I wasn't alive in the early 1940s. Mr. Reed offers no
actual evidence as to why my assertions are incorrect, just a vague
guess that I don't understand the difference between threats and
vulnerabilities.
Would it be overly cynical of me to assume that MITRE has a vested
interest in amping up fear of cyberterrorism? Perhaps, and my
apologies to Mr. Reed if this seems overly snarky. But I'm a big
believer in "truth in advertising," which is why I took the Strategy
to task for its plethora of factual distortions and FUD.
Believe me, I'm all for better security. But I still can't figure out
how the FUD-filled Strategy points us in the right direction.
Cheers,
Brendan
-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Mon 3/10/2003 4:49 AM
To: isn () attrition org
Cc:
Subject: Re: [ISN] Lost in cyberspace
Date: Wed, 5 Mar 2003 09:23:30 -0600 (CST)
From: huggins () airmail net
Subject: Re: [ISN] Lost in cyberspace
Again another slam against the government and how it does its
business. Where was this individual when they were writing the
document? Sitting on the sidelines drinking lattes and protesting
our war more than likely.
Here's my thoughts, the government had two choices
1. Legislate compliance with federal statutes (what dod and the rest
of the government must comply with) for businesses which would have
drawn the ire of epic and people like this author or
2. Attempt to utilize value input from real security experts than
publish what leaders from IBM MS and others tell them.
A true snapshot of what can happen is going to happen this year and
when it does I will be laughing all the way to the bank, and people
like this author will be eating crow.
-=-
Date: Wed, 5 Mar 2003 11:24:36 EST
From: JohnE37179 () aol com
Subject: Re: [ISN] Lost in cyberspace
In a message dated 3/5/03 10:17:37 AM, isn () c4i org writes:
> Yet here we are in 2003, and the cyberterrorism casualty list is
> still barren.
I guess this is true if you live with your head in a very dark place.
Let's see if we can give the writer a clue. Tens of millions of
identities compromised on credit bureau and credit card sites. Let's
connect the dots. 15 out of the 19 hijackers on September 11th were
using multiple identities.
This writer tells the same head in the sand story that everything is
OK, because I am ignoring the problems. Sounds like the NASA approach
to shuttle flight safety.
John Ellingson
CEO Edentification, Inc.
608-833-6261
-=-
Date: Wed, 05 Mar 2003 12:17:47 -0600
From: Vince Reed <vreed () mitre org>
Subject: Re: [ISN] Lost in cyberspace
It is hard to imagine that someone with the credentials to get this
article published could be so wrong on so many points he makes about
the administration's National Strategy To Secure Cyberspace!
Hopefully, it is because Mr. Koerner is just misinformed and doesn't
understand the differences between threats and vulnerabilities.
Brendan fits in with the same people who said that an airliner would
not be used as a weapon because it hadn't been done in the past. He
would probably also fit in well with those who thought that Japan's
naval air power wasn't a threat to America prior to W.W.II because of
the logistic problems in extending such a force across the Pacific.
The only correct conclusion Mr. Koerner draws is towards the end of
his article where he says "Most [of the report's solutions] are
meaningless jargon..." The Government has definitely failed to step up
and take the actions necessary to secure our critical information
resources.
Vince Reed
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
