Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
I just got a chance to read "Information Security"'s November, 2000 issue (A TruSecure Publication), and I just could not believe what I was reading. Here we have the issue that is supposed to set out the agenda for 2001 with 30 infosecurity practitioners, and what do we see? Here's a selection:
Microsoft telling how to secure dial-in employees - wasn't it a dial-in employee that brought in several attacks against Microsoft in November?
The state department telling how to keep secure by teaching employees to do the right thing - wasn't it the State Department that found bugs in their classified meeting rooms - over a long period of time?
We had an insurance company telling us about pro-active intelligence - isn't it the insurance industry that can't figure out how to write effective policies with the right price and coverage yet?
We have an independent network security consultant telling us that we cannot keep up with security so we shouldn't try - and what exactly does this person sell us?
I could list plenty more ... there were 30 articles after all ... but I've made my point.
Maybe I haven't quite gotten to the point. I observe with great humility the presidential election in the United States. With statesman James Baker telling me that "The rule of law has prevailed" every time the courts rule in his favor and something about the court not making a definitive ruling every time the court rules against the Bush side. On the other side, we have the son of Mayor Daley of Chicago fame, perhaps the world's leading expert in how to rig an election telling me about a full, fair, and complete counting of the votes. And the commentary beats the band... I keep hearing that there is a constitutional crisis because the election isn't settled within 24 hours of the final vote being cast - even though the write-in votes don't even get counted for a week or so.
What we have here is hyperbole, plain and simple. People push their side of the issue without any controls whatsoever over facts or sensibility. It's all about entertainment and keeping the audience - and that is driven by sex and fear - best of all sinful sex and fear of death. The news media is not exercising any controls at all over content, they are not making any judgments, they are not calling people on outright lies, and they don't even require that people who are running for high office answer questions posed of them. I think we need someone like me asking all the questions, and I want a bull horn with one of those loud beep buttons - like a fog horn and siren all in one - so that whenever I hear a lie or someone refuses to answer a simple question, I can pull the trigger to shut them up and tell them that they are lying - or that their answer is evading the question - and move on to the next question.
I guess an election is an extreme case, but I don't think so - not today. This rhetorical zeal without any controls seems to me to be reflective of the overall society we are creating with the Internet-based world. Anybody can say anything (I think free speech is a very good thing) and nobody ever checks the facts or calls them on it (but I think that the freedom to slander and lie without recourse for personal gain constitutes a fraud and should be punished). But this does not end in politics and the Internet - not even close...
I have been seeing lots of advertising for security products that compare them to such things as sliced bread and ice cream. The only problem is that there were no computer networks when ice cream was invented, so there must not have been a network firewall back then that was really good that this one just surpassed.
Of course advertising has been over the edge for a long time. What do you expect? Truth in advertising? Don't be ridiculous. The basic principle of advertising is to lie about the worst flaws of your product or service by calling them your greatest features. If your car has a major steering problem, you talk about it as having nimble handling. If the tires blow out, you tell us about safety first. If the engine falls out, you talk about how light and powerful the car is.
The politicians picked up on this, and so has everyone else. The trick is to lie your way into positives. And the problem is that honest people, like many of you and like me, tell the truth and people who are used to reading lies assume we are lying through our teeth. For example, on my web page I say things like:
Now this is actually true, but since it's in the advertising, people probably figure that nobody except them ever heard of me.
This advertising thing and the strength of lying for a cause (money, or whatever) hasn't escaped the so-called terrorist organizations of the world - you could also call them freedom fighters, but things may get a bit confusing if we go there...
I define 'terrorist groups' as the ones listed by the US state department - a real convenience for those of us who can't tell the players without a program. Now I bring in terrorists because of the information war that emerged in October of 2000 between the Palestinian sympathizers and the Israeli sympathizers, and which then spread out to include friends and allies of both - as both victims and perpetrators. I bring this war up in this context because the terrorist groups (remember as an aside that before Israel was a country the people fighting for statehood there were considered terrorists as well) are quite skilled at perception management.
Ooops... a new term of art... or an old one... but one I haven't used in this article yet. You can call it propaganda if you like, getting the word out, human engineering, or whatever, but it all comes down to the same thing. This is the practice of trying to control people's thoughts and beliefs - through changing their perception of reality. Of course drugs are helpful in this effort, but they are unpopular in some cultures, as are electroshock and sleep deprivation technologies - so we simply spread memes - the mental version of genes - through the fertile fields of the human mind. The terrorist groups have created detailed descriptions of how to best do this - complete with what time of day to hold the spontaneous protest to get the best press coverage and create the largest number of non-participants that look like participants in the streets and how to get the most effective news media to show up.
In a way - and it is - in a way. People should be free to say and think anything they want. And that's a real problem for those of us who are dedicated to the search for the truth - whatever that may be. The problem comes when the people who are thinking and saying anything they want spread their thoughts and words to others and, like a virus, those ideas may come to take over the mind set of the people of the world. I won't get into the origins of religion here, because I don't have to...
In these days of peace, freedom, plenty, and so forth, the validity of these things is not very important. After all, what's the harm in believing that AIDS is a CIA plot against gay people and poor inner city people? And who cares if we call the black and old Jewish people of Florida idiots and make racist remarks about them being unable to read a ballot. The terrorists spread their versions of the truth, and so does everybody else. We are competing in the mental space of other people in order to get them to give us money, land, power, and whatever else we may desire. It is a fair exchange - they give us these things and we give them our version of the truth. None of it matters as long as we all have so much that what we give doesn't hurt.
But it does hurt, and the harm is not just the immediate loss. When we kill the truth - whatever that is - we kill the thing that has given us the opulence we now enjoy, and eventually, it will come back to haunt us.
The agrarians among us till the soil to grow food. We all need this food in order to survive. We have gotten so good at it that the people who make the food for us are no longer worth very much, so we have moved toward automation with a small number of companies owning most of the market and absorbing the means of production and distribution. This works because of the economy of scale due to automation.
The industrial age has changed the equation to the point where the machines till the soil for us - and if we wish, they can build our houses - or nearly so. We have figured out how to do this and manage it so well that we no longer need to worry about it very much. We don't need all that many engineers to do those jobs because a few of them can figure out all we need to know to build enough machines to run everything. So engineering expertise is no longer worth all that much, and we have moved toward automation of much of the engineering function to where a relatively small number of companies dominate this field and they will absorb the means of production and distribution. This works because of - you guessed it - the economy of scale due to computers.
The information age, or so the story goes, has changed the equation to the point where the machines do the work for us - and if we wish, they can do the thinking for us - or nearly so. You can fill in the rest of the story if you wish...
But all of these tales are missing something, and I just thought I might want to point it out. I still get hungry and I still need to eat - real food - grown from the soil. And to get it to me, we still need to grow it on farms and pick it and get it onto trucks, and deliver it to me. And - in case you didn't notice it - computers really can't think at all. So if you still believe that the supposed progress we are making is advancing us to a new level, you might check to see who is picking the food you eat and how they live.
I recently turned down an offer for $185,000 a year as a research director at a major consulting firm. Now, don't start calling me an idiot savant, it was quite tempting. But in the end, there is really one and only one reason I turned down the offer. It wasn't because I thought they were making a big mistake in not licensing some of my technologies along the way - I could license them elsewhere. And it wasn't because I wouldn't be able to teach classes any more - I got that one in the offer. In the end, I turned them down because they don't do any experiments.
Now imagine this. You are going to give advice to the top decision makers at the richest companies in the world about something vital to their survival, and yet you don't actually touch any of that stuff yourself. You just read about it, and talk to people about it, and look it up on the web, and use that as the sole basis for your advice to top decision makers. But wait - I'm not done. They swallow it - hook, line, and sinker - and they use it to make their big decisions.
So call me an idiot, but I don't think I can give good advice to people unless I actually test out my theories in a real environment. I need to go see how it really works and find out what its real limitations are before I can advise others on it. I call this seeking the truth - based on old fashioned concepts nobody ever talks about any more - experimentation and experience. I still have the misguided impression that this is how you get to the real issues. I think it is something we are largely missing today in our rush to give our money to other people so they can give us back more money by convincing other people to give them still more of their money.
If that sounds like a pyramid scheme - it is. Making money by taking one person's money and using it to convince someone else to give you their money is a pyramid scheme - unless something of real value is exchanged somewhere along the way. And in the long run, it is food and shelter that we all really need, not more baseless hyperbole, which is where I started from and where I was going all along - assuming you held on long enough to get here.
I am a bit of a history buff now-a-days. I guess I have been since I was a graduate student and learned about the papers written before I was born and that were no longer cited by the time I was a graduate student. I found that by going back and reading the original papers, I learned some things that other people might have missed. Since then, I have found lots of things in history that other folks have apparently failed to check up on. To me, reading the history of something is one of the ways I get at the truth. And I believe that getting to the truth is a worthwhile activity in making sound decisions.
With all the hyperbole and outright lying going on today, and with the incredible freedom of expression and freedom to deceive brought about by the Internet, I find it more important than ever to seek the truth through independent verification. I find an increasing need to check the facts as presented and not believe all the things people say. I find that the lack of editorial content drives me to check the content myself, and I find that the truth is less and less often what I hear from the media or read from the web.
It's time to get off my soap box now, but I do want to leave you with one last thought. Getting the truth is not cheap, and it never has been. Listening to lies has always been easier, and telling them has always been easier as well. But the truth has a way of winning out in the end. So if you want to win, join me in seeking the truth. Spend the time and the money to check out those claims and back up those words with some facts and some empirical evidence. Once you try, you may find you can't get on without it.
About The Author:
Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates in Livermore California, and educating defenders over-the-Internet on all aspects of information protection as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/