[Infowarrior] - more on ...OpEd: The MS 'net tax'
Richard Forno
rforno at infowarrior.org
Thu Mar 11 12:57:09 UTC 2010
Thanks RK.... -rf
Begin forwarded message:
> From: Rich Kulawiec <rsk at gsp.org>
> Date: March 10, 2010 5:37:20 PM EST
>
> On Wed, Mar 10, 2010 at 08:07:38AM -0500, Richard Forno wrote:
>> The Charney-Charge: The Health Care Model is Appropriate Framework
>> Richard Forno
>
> Oh, well-played! This is a really good analogy, one which I will be
> shamelessly swiping (with appropriate credit given, of course).
>
> I've got a rebuttal to a couple of the followup comments on my message
> to the IP list in draft mode; I don't think Dave will choose to
> run it, although sometimes he surprises me. Here's part of it,
> in quasi-raw, quasi-edited form:
>
> ----------------------
> Charney wants to quarantine infected systems? That's nice. Except:
>
> 1. Where was he most of a decade ago when we were pointing
> out this very problem and saying this very thing? Back then it
> was several orders of magnitude smaller and *possibly*
> tractable, although I think even then it was probably a longshot.
> But now? See next several points.
>
> 2. What's the plan for quarantining (to pick a centrist number)
> 150M infected systems? Who's gonna pay for that? Microsoft?
>
> I'll pause while everyone laughs at that prospect.
>
> 3. Suppose that through some highly unlikely twist of fate,
> point 2 actually happens. Great. Now...what's the plan for
> keeping those systems from being re-infected next week? And
> who's gonna pay for that?
>
> I'll pause again while everyone refers to Marcus Ranum's:
>
> The Six Dumbest Ideas in Computer Security
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> to make sure that "the plan" for this point isn't based around
> one of those. We already KNOW those ideas don't work.
>
> 4. Let's suppose through an even more unlikely twist of fate,
> that point 3 actually happens. Great. Are we done yet?
>
> No. We're not.
>
> Because we're not going to "see" all the infected systems that
> aren't doing us the favor of making themselves visible. And our
> adversaries have long since proven to us that they understand
> concepts like distributed, fault-tolerant command and control,
> misdirection, failover -- and reserves.
>
> The only way we have to find all the "sleepers" -- and we know
> they exist in large numbers, we just don't know how many there
> are -- is to go to each individual system, boot it from
> known-clean media, and go over it with a fine-toothed comb.
> Who's going to do that? And who's going to pay for it?
>
> I'm sure some folks will claim that this step can be omitted.
> It can't. Please see the McNamara Fallacy. [1] And note that
> our adversaries have already demonstrated baseline competence
> in using small footholds to create much larger breaches in
> a rather short time.
>
> What we have here is classic externalization of costs. It's quite clear
> that Microsoft should pay for *all* of this, yet they're assiduously
> trying to pay for *none* of it. (Note how carefully Microsoft's shill
> avoided taking any corporate responsibility for this mess, choosing
> to frame it as a generic security problem rather than the Microsoft-only
> security problem it really is.)
>
> This is the same "business model" as industrialists who use the nearest
> river as a sewer for their effluent and then do everything possible to avoid
> culpability for the resulting pollution -- because they don't want to pay
> the cost of cleaning up the mess they've made, the secondary cost of the
> damage they've done, or the tertiary costs incurred by those trying to
> keep themselves from being contaminated.
>
> [1] The McNamara Fallacy:
>
> "The first step is to measure whatever can be easily measured. That
> is okay as far as it goes. The second step is to disregard that
> which can't be measured or give it an arbitrary quantitative value.
> This is artificial and misleading. The third step is to presume that
> what can't be measured easily really isn't very important. This is
> blindness. The fourth step is to say that what can't be easily
> measured doesn't exist. This is suicide."
>
> --- social scientist Daniel Yankelovich describes the "McNamara
> fallacy". Quoted by Jay Harris, former publisher of the San Jose
> Mercury News, in a speech explaining why he resigned his post.
> [http://www.poynter.org/centerpiece/harris.htm]
> ----------------------
>
>
> ---Rsk
>