Dagmar wrote: It is Clue.

Argh. Why'd you have to post something so inflamitory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that its a good thing to write quazi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique then they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. Its possible that overtime people will tire of all the opennness, and if they do, no one will be happier then computer security people, but for the time being some applications are going to be default permit, and its not the computer security community that drives that.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that its less expensive to implement a Default Deny policy then to enumerate badness and that most of the computer security industry is a sham!

He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more then $30.

His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, its coming, and its called palladium, and I will conceed that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.

3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful. The fact is that no one has designed a vulnerability free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look for flaws and ... [ Read More (0.1k in body) ]

4. Hackers aren't cool. Yes, please, lets return to the halycon days of 1989 when anyone who published vulnerability research ended up on an FBI watchlist and the unemployment rolls (clears throat, recent drama notwithstanding). Everything was much better then. And whats with this arguement that teaching yourself about system penetration is a patch dependent skill!? There are larger concepts that one learns through such a process that everyone involved in computer security needs to understand. How can you design hack proof security systems if you don't know the first thing about hacking?

I did read that one as a pure troll on semantics. He said that we should have the idea that "Good Engineering is Cool". In my eyes, good engineering and hacking are synonymous.

Rattle wrote:

4. Hackers aren't cool. Yes, please, lets return to the halycon days of 1989 when anyone who published vulnerability research ended up on an FBI watchlist and the unemployment rolls (clears throat, recent drama notwithstanding). Everything was much better then. And whats with this arguement that teaching yourself about system penetration is a patch dependent skill!? There are larger concepts that one learns through such a process that everyone involved in computer security needs to understand. How can you design hack proof security systems if you don't know the first thing about hacking?

I did read that one as a pure troll on semantics. He said that we should have the idea that "Good Engineering is Cool". In my eyes, good engineering and hacking are synonymous.

Yeah, but hacking is something that just like malt liquor, Joe Schmo on the street has shown that he has no self-control with, and will blithely tromp over everything in pursuit of selfish material gains. (We have laws, we have public service announcements, we have telethons, and the dumbasses still wrap their vehicles around unsuspecting flora on a nightly basis.)

Just like hard liquor and cigarettes, we need to start keeping it out of the sight of impressionable young (or just dumb) minds--they don't have the self control to keep from destroying themselves with it (and taking us down with them).

Decius wrote:

Dagmar wrote: It is Clue.

Argh. Why'd you have to post something so inflamitory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that its a good thing to write quazi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.

They are dumb ideas because there are easier and more reliable ways to do these things. There is no THE answer, but Ranum is clearly identifying the where and the why of how these six notions fail and fail spectacularly when they do so.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique then they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. Its possible that overtime people will tire of all the opennness, and if they do, no one will be happier then computer security people, but for the time being some applications are going to be default permit, and its not the computer security community that drives that.

I don't recall him discussing email in that section, but basically, if default deny were applied to email, then we'd only allow non-executeable mails through and quarantine everything else. The shops that I've seen doing this have been rather successful at it, if for no other reason that when a stubborn employee does go out of their way to double- and triple-click for pictures of naked teenage tennis stars, there's still a copy left on the quarantine server as well as the information about where it came from. They might have a user with a blank hard drive, but they've at least retained very invaluable information about what exactly happened so they can start working towards keeping it from happening again.

Trying to determine "goodness" OR "badness" of the text portions of email is something that's going to have to be left up to artificial intelligence researchers for some time to come.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that its less expensive to implement a Default Deny policy then to enumerate badness and that most of the computer security industry is a sham!

He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to h... [ Read More (1.0k in body) ]

Dagmar wrote: It is Clue.

Argh. Why'd you have to post something so inflamitory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that its a good thing to write quazi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique then they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. Its possible that overtime people will tire of all the opennness, and if they do, no one will be happier then computer security people, but for the time being some applications are going to be default permit, and its not the computer security community that drives that.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that its less expensive to implement a Default Deny policy then to enumerate badness and that most of the computer security industry is a sham!

He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more then $30.

His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, its coming, and its called palladium, and I will conceed that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.

3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful. The fact is that no one has designed a vulnerability free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look fo... [ Read More (0.2k in body) ]

Dagmar wrote:
The title pretty much says it all. I'm only about halfway through it at the moment, but I don't want to be so full of giggles when I'm done that I forget to pass the URL along.

Read it, email it to co-workers and family. Even meter-maids and politicians should be able to understand the messages carefully contained therein.

It is Clue.

This is unfortunately like a lot of other idealistic rants in that while probably very correct, it is meaningless in a world that does not operate that way. It's like saying that government should be of and for the people and not corrupted. Yes, that's true. But it's impossible to remove corruption because that's just the way the world works. In the case of these ideas, you can't NOT operate in a Penetrate and Patch model because that's what EVERYONE ELSE IS DOING. Even if you were to base all of your internal systems in your control on removing code rather than patching, you don't live in a vacuum, so you'd still be enslaved to the Penetrate and Patch model. So while this is a great mental exercise, it offers little in the way of practicality for the modern CIO/CTO to do anything differently.

I also disagree entirely with the Hacking is Cool idea. If it wasn't for the culture that lures and instigates, perpetuates and expands this ethos, most of the people on this site would not have jobs or useful skills. Hacking is what taught many of us about How Things Work. Reverse engineering is a much needed skill that is woefully underabundant. If anything, we should be encouraging more of this type of curiosity and exploration. You, unfortunately, cannot remove human nature from this equation, so you will continue to get people that chose to use knowledge for evil rather than good. I fail to see how it's any different from anything else in life.

flynn23 wrote:

Dagmar wrote:
The title pretty much says it all. I'm only about halfway through it at the moment, but I don't want to be so full of giggles when I'm done that I forget to pass the URL along.

Read it, email it to co-workers and family. Even meter-maids and politicians should be able to understand the messages carefully contained therein.

It is Clue.

This is unfortunately like a lot of other idealistic rants in that while probably very correct, it is meaningless in a world that does not operate that way. It's like saying that government should be of and for the people and not corrupted. Yes, that's true. But it's impossible to remove corruption because that's just the way the world works. In the case of these ideas, you can't NOT operate in a Penetrate and Patch model because that's what EVERYONE ELSE IS DOING. Even if you were to base all of your internal systems in your control on removing code rather than patching, you don't live in a vacuum, so you'd still be enslaved to the Penetrate and Patch model. So while this is a great mental exercise, it offers little in the way of practicality for the modern CIO/CTO to do anything differently.

I also disagree entirely with the Hacking is Cool idea. If it wasn't for the culture that lures and instigates, perpetuates and expands this ethos, most of the people on this site would not have jobs or useful skills. Hacking is what taught many of us about How Things Work. Reverse engineering is a much needed skill that is woefully underabundant. If anything, we should be encouraging more of this type of curiosity and exploration. You, unfortunately, cannot remove human nature from this equation, so you will continue to get people that chose to use knowledge for evil rather than good. I fail to see how it's any different from anything else in life.

Hacking needs to be uncool to the majority and go back to being cool only in the eyes of our little sub-culture.

If you want an example, there was a time when perhaps you could have 20 hackers in a room, lay a document in front of them detailing something that would "break" significant portions of the internet in a fatal and non-recoverable way, and they would collectively shudder and start creeping away from it after having given it a good look-over for curiousity's sake.

Now we have DefCon, where so many irresponsible twits show up that the idea of any such document being present there fills us with stark, gibbering fear and instead of hackers not wanting to touch said document, there would presently be a Grand Melee of literally hundreds of people fighting tooth and nail for the power to destroy the internet, amid cries of "FOR GREAT JUSTICE!" and "J00 \/\/1Ll pH34R mY 4w3Sum p0W4h!" (and you'll pardon me for not using the proper high-ansi characters).

It's time to begin thinning the herds.

Dagmar wrote:

flynn23 wrote:

Dagmar wrote:
The title pretty much says it all. I'm only about halfway through it at the moment, but I don't want to be so full of giggles when I'm done that I forget to pass the URL along.

Read it, email it to co-workers and family. Even meter-maids and politicians should be able to understand the messages carefully contained therein.

It is Clue.

This is unfortunately like a lot of other idealistic rants in that while probably very correct, it is meaningless in a world that does not operate that way. It's like saying that government should be of and for the people and not corrupted. Yes, that's true. But it's impossible to remove corruption because that's just the way the world works. In the case of these ideas, you can't NOT operate in a Penetrate and Patch model because that's what EVERYONE ELSE IS DOING. Even if you were to base all of your internal systems in your control on removing code rather than patching, you don't live in a vacuum, so you'd still be enslaved to the Penetrate and Patch model. So while this is a great mental exercise, it offers little in the way of practicality for the modern CIO/CTO to do anything differently.

I also disagree entirely with the Hacking is Cool idea. If it wasn't for the culture that lures and instigates, perpetuates and expands this ethos, most of the people on this site would not have jobs or useful skills. Hacking is what taught many of us about How Things Work. Reverse engineering is a much needed skill that is woefully underabundant. If anything, we should be encouraging more of this type of curiosity and exploration. You, unfortunately, cannot remove human nature from this equation, so you will continue to get people that chose to use knowledge for evil rather than good. I fail to see how it's any different from anything else in life.

Hacking needs to be uncool to the majority and go back to being cool only in the eyes of our little sub-culture.

If you want an example, there was a time when perhaps you could have 20 hackers in a room, lay a document in front of them detailing something that would "break" significant portions of the internet in a fatal and non-recoverable way, and they would collectively shudder and start creeping away from it after having given it a good look-over for curiousity's sake.

Now we have DefCon, where so many irresponsible twits show up that the idea of any such document being present there fills us with stark, gibbering fear and instead of hackers not wanting to touch said document, there would presently be a Grand Melee of literally hundreds of people fighting tooth and nail for the power to destroy the internet, amid cries of "FOR GREAT JUSTICE!" and "J00 \/\/1Ll pH34R mY 4w3Sum p0W4h!" (and you'll pardon me for not using the proper high-ansi characters).

It's time to begin thinning the herds.

I blame Hollywood and the scene itself for that. Granted, I'm not going to say that hacking culture has the proper skills or even motivation to police itself, but it should. Scenes have a natural evolution, but that doesn't mean that the scene itself cannot direct its progression. Hacking reached its azimuth in the late 80s. Maybe we were too young or too immature to let the youngins coming up know that with much power comes much responsibility, but certainly we've failed all this time to do just that. Although I do distinctly remember the great feeling of just KNOWING that I could fuck some shit up. It was very satisfying.

Rattle wrote:

For those who do know about computer security, its a good laugh.

I think that was Dagmar's point (which Decius, in his apartment-moving and sarcasm-diluted state, apparently missed). Hell, let's not educate anyone, take away their rights to learn which emails to open and which to ignore, then expect the problem to "self-correct" over time! Of course the writer is talking out of his ass. I only *date* a computer security specialist and even I know how ridiculous that guy's claims are. :-)

-janelane, chuckling

janelane wrote:

Rattle wrote:

For those who do know about computer security, its a good laugh.

I think that was Dagmar's point (which Decius, in his apartment-moving and sarcasm-diluted state, apparently missed). Hell, let's not educate anyone, take away their rights to learn which emails to open and which to ignore, then expect the problem to "self-correct" over time! Of course the writer is talking out of his ass. I only *date* a computer security specialist and even I know how ridiculous that guy's claims are. :-)

-janelane, chuckling

Specialist... or God! BWHAHAHAHAHAHAHAHA!

janelane wrote:

Rattle wrote:

For those who do know about computer security, its a good laugh.

I think that was Dagmar's point (which Decius, in his apartment-moving and sarcasm-diluted state, apparently missed). Hell, let's not educate anyone, take away their rights to learn which emails to open and which to ignore, then expect the problem to "self-correct" over time! Of course the writer is talking out of his ass. I only *date* a computer security specialist and even I know how ridiculous that guy's claims are. :-)

-janelane, chuckling

If they don't know which emails to open and which emails to ignore (in more than just an isolated, "oops" sort of way) then they're lacking the basic skills needed to do their jobs and need to be shown the door. That is what Ranum is talking about. He's not trolling--he's deadly serious.

Where is it explained that while I am required to have a year of formal training to be allowed to replace a floppy drive in a PC (something I swear to you I could probably train a chimp to do in six months), the only real qualification for being able to use the same equipment on a daily basis and have the power to create or destroy all of a department's careful records is reasonable hygiene and not having attempted to put the mouse in one's mouth during the interview!