[ISN] How To Save The Internet

InfoSec News isn at c4i.org
Fri Mar 18 02:29:23 EST 2005 

Forwarded from: security curmudgeon <jericho at attrition.org>
Cc: sberinato at cio.com

This was certainly an interesting article. Bit naive.. bit of FUD.. bit of 
hypocrisy.. it had it all! All in all, I rate this piece a Big load of 
crap. Comments inline..

: http://www.cio.com/archive/031505/security.html
: 
: BY SCOTT BERINATO
: 
: Professor Hannu H. Kari of the Helsinki University of Technology is a 
: smart guy, but most people thought he was just being provocative when he 
: predicted, back in 2001, that the Internet would shut down by 2006.  
: "The reason for this will be that proper users' dissatisfaction will 
: have reached such heights by then that some other system will be 
: needed,"

I don't think I need to cover how absurd "the internet would shut down" 
is. Hell, people still have trouble defining it, let alone declaring "it" 
shut down.

: Kari holds dozens of patents. He helped invent the technology that 
: enables cell phones to receive data. He's a former head of Mensa 
: Finland. Still, many observers pegged him as an irresponsible doomsayer 
: and, seeing as how he consults for security vendors, a mercenary one at 
: that.

Sounds like another case of academia promoting their ideas without 
grounding themselves in a healthy dose of reality. Mensa and patents mean 
nothing really. I think he is confusing user disgust with the internet 
being "shut down". And for all of his stats on worms and viruses and 
cyberattacks and spam (and oh my!), i'd love to see his statistics showing 
any trend of portions of the internet "shutting down" or users giving up 
on the net completely due to frustration. Sure, lots of bad things 
continue to happen and the trend is growing.. but how about this result he 
predicts? Any statistics or trends to back the rest?

: attacking the machines it targeted. Paul Stich, CEO of managed
: security provider Counterpane, reports that attempted attacks on his
: company's customers multiplied from 70,000 in 2003 to 400,000 in 2004,
: an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says that

I think we're close to the ten year anniversary of asking journalists (and 
most security professionals) the following question:

   What exactly do you mean by 'attack'?

Remember, a lot of these FUD spreaders (including .gov agencies) count a 
*ping* as an attack. Without qualifying what 'attack' means, any statistic 
that mentions said 'attacks' are *worthless fluff*.

: among the 2.8 million e-mails sent to his company every day, 2.1 
: million, or 75 percent, are junk. The increasing clutter of online junk 
: is driving people off the Internet. In a survey by the Pew Internet and 
: American Life Project, 29 percent of respondents reported reducing their 
: use of e-mail because of spam, and more than three-quarters, 77 percent, 
: labeled the act of being online "unpleasant and annoying." Indeed, in 

And how many of those people STOPPED using the net as a result? Almost 
everyone I know thinks that driving to and from work is "unpleasant and 
annoying", yet less than 0.01% stopped doing it.

: Kari may have overstepped by naming a specific date for the Internet's 
: demise, but fundamentally, he's right. The trend is clear.

The *trend* has been there for a DECADE. Why say 2006 again?

: What was left was an impressive, broad and, sometimes, even fun list of 
: Big Ideas to fix information security. Let's hope some take shape before 
: 2006.
:
: Get All the Smart People Together and Give Them Lots of Money
: The best place to start is with a Big Idea to concentrate and organize 
: all the other big ideasa Manhattan Project for infosecurity.

Great idea, who pays the bill? Who determines the "smart people"? How long 
does it take for them to define the problems before developing technical 
solutions? Once they figure out brilliant solutions, how do you get 
everyone to implement them?

: Hire a Czar
: A surgeon general-like figure for security is not only a Big Idea; it's 
: a popular one. Several folks suggest creating some kind of "government 
: leader" or "public CIO for security," none more vocally than Paul Kurtz, 
: the executive director of the Cyber Security Industry Alliance.

Hire a Czar, that's an original thought..

  U.S. cybersecurity chief resigns
  http://www.infoworld.com/infoworld/article/04/10/01/HNchiefresigns_1.html

  Amit Yoran, director of the DHS National Cyber Security Division since 
  September 2003 resigns.

  --

  U.S. Cybersecurity Czar to Resign
  http://www.wired.com/news/politics/0,1283,57454,00.html

  Richard Clarke, currently the nation's top cybersecurity adviser, will 
  resign from government.

Having a "cyber security czar" is a pointless task unless his position 
means something, and has some real power.

: Eliminate All Coding Errors Within Two Years
: Mary Ann Davidson, CSO of Oracle and champion of the quality coding 
: movement, says she's tired of coders arguing that their jobs are too 
: creative to eliminate errors such as buffer overflowsthat coding's an 
: art, not a science.
:
: Davidson knows that, with billions of lines of legacy code and billions 
: more in development, eliminating all coding errors is quite a lofty 
: goal.

Oh this is hands down the most amusing, ironic AND disgusting thing I have 
read in a while. Hey Mary, you hypocritical pop tart, YOU WORK FOR ORACLE. 
Your products have more vulnerabilities than features year after year! You 
are the *last* person/company that should EVER speak on security 
practices. Davidson has been with Oracle for more than 15 years and the 
amount of vulnerabilities in their products is getting *worse*, not 
better. You show the rest of the world that your idea can work at Oracle, 
and I am sure the rest will follow.

: Pry PCs from Their Cold, Dead Hands 
: Guns are dangerous; therefore, we license them. We give them unique 
: serial numbers and control their distribution. James Whittaker says 
: programmable PCs are dangerous, so why not treat them like guns?

According to the CDC, there were 17,638 homicides in 2002 [1]. We license 
guns for a reason. In 2001, there were 42,443 deaths from automobile 
accidents injuries [2]. We license automobile drivers for a reason.

In 2001, 2002, 2003 and 2004, how many deaths were attributed to 
computers?

According to one worldwide study, smoking was blamed for 5 million deaths 
in 2000 [3], and we don't even license people to purchase smoking 
products.

Statistics and logic aside, who determines or standardizes the licensing? 
Who issues them? Who polices and revokes them?

: Call the Cybercops
: With a "Cyberpol," you could license private eyes and forensic experts 
: who not only would facilitate the cooperation but also would improve 
: response time, as there already isn't enough law enforcement for 
: cybercrime.

And should this 'Cyberpol' follow 'Interpol'? What happens when a country 
doesn't participate or honor Interpol requests? What happens when a 
"licensed private eye" goes to a U.S. based ISP and asks for logs that 
require a federal supoena? It just added a layer of bureaucracy and 
hindered the investigation, potentially when time is critical.

: Unleash the Power ofXML and Meta-Data
: Several people suggest using XML and meta-data to tag websites with 
: safety, reputation, past performance and other security ratings to act 
: as signposts for dangerous cyberneighborhoods. A virtual Better Business 
: Bureau could manage the data so that when users visit a website, their 
: computers pull down the XML meta-data about that site.

This has an obvious problem. Who exactly decides what sites are bad.. this 
new virtual BBB? Take organizations that try to do this for specific areas 
of the industry right now. SpamCop or other blackhole list maintainers and 
commercial content filter products are the first to come to mind. If these 
are indications of what this virtual BBB might accomplish, no thanks. Many 
people feel they do as much harm as they do good.

My domain has sent out 0 spam in the past 5 years, yet we have been 
blacklisted on at least three different RBL lists including SpamCop 
(several times). Each time it took a small miracle to get the domain 
removed entirely due to THEIR process for handling such cases. Almost 
every single content filtering software blocks my domain .. why? Criminal 
activity says one.. pornography says another.. hacker material says a 
third. Yet every security company and federal law enforcement agency 
*relied* on the information we provided for several years. These 
designations are copletely subjective based on the audience, something no 
software or programmer can adequately determine and enforce.

How exactly is this proposed BBB going to handle rating the 60,442,655 web 
sites available in March of 2005 [4]?


All in all, this list of Big Ideas seem like a Big joke mostly written by 
Big windbags that don't understand the Big internet that they propose to 
drastically change.


jericho
attrition.org


[1] http://www.cdc.gov/nchs/fastats/homicide.htm
[2] http://www.wrongdiagnosis.com/a/automobile_accidents_injury/deaths.htm
[3] http://my.webmd.com/content/article/97/104239.htm?z=1728_00000_1000_nd_04
[4] http://news.netcraft.com/archives/web_server_survey.html

More information about the ISN mailing list