Return-Path: <sentto-279987-1502-996554542-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Mon, 30 Jul 2001 21:44:15 -0700 (PDT) Received: (qmail 28046 invoked by uid 510); 31 Jul 2001 03:44:47 -0000 Received: from n31.groups.yahoo.com (216.115.96.81) by 204.181.12.215 with SMTP; 31 Jul 2001 03:44:47 -0000 X-eGroups-Return: sentto-279987-1502-996554542-fc=all.net@returns.onelist.com Received: from [10.1.4.54] by hp.egroups.com with NNFMP; 31 Jul 2001 04:42:22 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@yahoogroups.com Received: (EGP: mail-7_2_0); 31 Jul 2001 04:42:22 -0000 Received: (qmail 69258 invoked from network); 31 Jul 2001 04:42:21 -0000 Received: from unknown (10.1.10.27) by l8.egroups.com with QMQP; 31 Jul 2001 04:42:21 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta2 with SMTP; 31 Jul 2001 04:42:21 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id VAA08496 for iwar@yahoogroups.com; Mon, 30 Jul 2001 21:42:21 -0700 Message-Id: <200107310442.VAA08496@big.all.net> To: iwar@yahoogroups.com In-Reply-To: <Pine.SOL.3.96.1010730205503.12883E-100000@sirius.infonex.com> from "7Pillars Partners" at Jul 30, 2001 08:55:45 PM Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Mon, 30 Jul 2001 21:42:21 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: Re: [iwar] news - on the use of a rant Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Per the message sent by 7Pillars Partners: > Sigh. OK, you asked for it. A counter-rant. This is the best part of the Iwar forum... My counter-rant enclosed... > First, regarding Tony's comments. I've been on the record for a long time in > calling Microsoft a 'national security threat'--their software sucks, their > security sucks, and monopolistic penetration has created a monoculture that > allows even buggy exploits to penetrate a great number of machines. Would I ... Let's get it straight - CISCO is more of a monopoly than Microsoft in their field and their recent vulnerabilities are likely a far greater risk to the Internet than anything Microsoft could do. After all, they dominate the critical part of the critical infrastructure and are far harder and more expensive to fix or patch than a Windows box which you could probably throw out. Then we have Sun - which is actually still a big player and uses proprietary HW and SW and which has defined the standard in incompatability as far as I can tell. And you should also know that Linux versions keep coming out with non-compatable library routines so that lots of SW is not properly backward compatible. ... > any traction. Everybody likes to keep their tools and materials proprietary, > nobody wants to create a standard (like the Generally Accepted Accounting > Principles, or GAAP, that makes financial reporting and transparency possible) > in the open source. Here here - they choose profit over portability and compatability - but isn't that what companies are all about? The real truth underlying this issue is that government is responsible for "The Common Defense" and is not doing its job. > Critical infrastructure protection is a field dominated by > law enforcement, beltway bandits, and the Usual Suspects (anti-viral vendors, > other folks with a business model that profits from a perpetuation of > vulnerability). I can't tell you the amount of flak I've taken for attacking > the Pearl Harbor scenario as the load of crap that it is, but trying to get > people to wake up to the real threat (penetration and subversion). Beating my > head into a concrete wall would approximate the level of fun and excitement > I've had trying to 'do the right thing.' As do we all - from our points of view. I happen to largely agree with yours in this case, but we are still stuck in WWII here in the US - Europe is supposed to still owe us something - we are supposed to dominate the world - etc. The US is to ego-centric to realize that we are slipping badly. We need realistic looks at ourselves - which the structure is designed to prevent from hapenning. > On to a number of other points... ... > - Sure, we understand the problem a lot better than the FBI. Put it like > this... there is a real problem out there. The FBI doesn't know what to do > about the problem--it's outside their level of competence, resources, > jurisdiction, etc. ... So they keep getting more and more money claiming it is never enough and reducing freedoms more and more to try to get a hold of the problem. But soon they will become the problem unless someone stops the foolish public policy decisions and court rulings. The US is heading down a very slippery slope and it is very dangerous for the future of freedom and humanity. > - I would love nothing better than to solve the problems. I've been trying for > years. ... > they just let us use it. Lots of money gets tossed at pretty crappy projects, > but real solutions have one hell of a time getting support. You have that right. The people doing funding do not fund the best of the research - they fund friends and political allies and future employers. The sad truth is that if money is all you seek, you will destroy the US. It is interesting that rich folks set up the whole freedom thing - perhaps they were not so much worried about losing their fortunes as their lives. ... > - We've stopped publishing our work to the net primarily because the bad guys > were using the work, while the good guys kept wandering around in the dark > looking for their privates with both hands. ... Which reflects the situation when computer virus research was first published. The NSF reviewers of proposed research said that viruses were not really possible and that it was all hype - the big expert at MIT said that I should read about access control (he never was able to listen to anything I said) - the bad guys were writing development kits. > - It hasn't been a game for a long time. We aren't getting any calls to play > superhero and rescue the system, so we stick to our clientbase and keep them > out of trouble. To be perfectly honest, I would be very surprised to 'get the > call,' simply because I know our approach is voodoo, witchcraft, and black > magic to most people. They (you know, 'them') want simple answers, quick > fixes, and reassurance. We don't sell that, because we don't bullshit our > clients. Here here - most people just don't want to know - and they should not have to. > - Unlike a lot of folks in this 'industry,'... OK - too much of an advertisement - please flame me back personally for saying so... FC --This communication is confidential to the parties it is intended to serve-- Fred Cohen Fred Cohen & Associates.........tel/fax:925-454-0171 fc@all.net The University of New Haven.....http://www.unhca.com/ http://all.net/ Sandia National Laboratories....tel:925-294-2087 ------------------------ Yahoo! Groups Sponsor ---------------------~--> Small business owners... Tell us what you think! http://us.click.yahoo.com/vO1FAB/txzCAA/ySSFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:38 PDT