Re: [iwar] news - on the use of a rant

From: 7Pillars Partners (partners@7pillars.com)
Date: 2001-07-31 00:05:19


To: iwar@yahoogroups.com
In-Reply-To: <200107310442.VAA08496@big.all.net>
Message-ID: <Pine.SOL.3.96.1010731000508.18717A-100000@sirius.infonex.com>

Awww, Fred, I don't feel any heat here.  Just to clarify, it wasn't an
advertisement (our client base comes from personal references, so I don't
troll).  Now, on to the points...

- I agree, Cisco is one hell of a problem.  It doesn't make Microsoft less of a
problem, though.  If you want my Cisco rant, I'll be happy to accommodate.  You
did a nice job, but I personally like to add some responsibility for the bubble
(with assistance from talking head analysts, day traders, clueless investors,
etc.).  Sun, Linux, etc. are also great points, so we don't have a dispute
there...

- Heh, you're cheating when you bring up the common defense.  "If NSA was doing
its job, would we be here?"  How much money did BLACKER piss down the drain?
Anyone from NSA-CSC or Honeywell's SCTC that wants to provide a figure, feel
free to use an anonymous email account.

- It isn't just the WWII legacy we have to deal with, but the huge organic
community that emerged out of the Cold War, and just can't repurpose itself.
Technology, and the sociology that emerges from the technology, are pretty far
in advance of what bureaucracies of any sort can cope with.  It's why I prefer
to look to the market for solutions--the quick survive, the dead get eaten, and
hopefully a bit of wisdom will decide to invest in security for the future.
I'm sorry to hear that enforcement of DMCA (corporate rights) might squash your
relevant research; that's exactly the opposite of what -should- be happening.
You know that, Fred, and you also know that I don't think that's fair.

- I agree with you on the FBI, particularly with respect to the erosion of
personal freedoms.  My recollection is about something along the lines of
"innocent until proven guilty" or some such.  On the other hand, when presented
with the Bill of Rights in blind studies, didn't most Americans think they were
a bad idea?  As with most things, I'm afraid the situation will have to get
pretty bad before people wake up and push to make it better.  Meanwhile, I'm
struck by Orwell's image of a 'boot stamping on a human face' forever.  Which
is more important, national security or law enforcement?  If you believe
national security is, then push for strong crypto (again, I know I'm preaching
to the choir here).

- Sigh.  Fred's right, the pursuit of money is a dead end.  "The capitalists
will sell us the rope with which we will hang them."  (Lenin)  We 'do the right
thing' in a lot of cases, and don't get paid, but it's the right thing.  Sorry
if I was getting bitchy about it, but my rant got triggered by a feeling that,
after being a willing horse, I saw an urging to flog us another mile or three.
What is it with venture capital these days?  Way back when, I remember when
people built technology in their garage, then tried to get funding.  Suddenly
we had the Hollywood model--people started to 'pitch the story.'  With a film,
I can sort of understand--you're selling an image, a concept, and it costs
money to put it on screen.  But trillions of dollars just went into a whole
bunch of irrational stuff that should have been vetted by real diligence or,
what a concept, the requirement that it have some success first.  When
'advanced' economies forget those little things (like financial controls), you
really have to wonder.

- Fred, I'm with you on the publication issue.  I haven't stopped writing (as
some folks may well be aware), I've just become selective in my audience.
Right now, the 'community memory' (do any of you remember that concept?) favors
the attacker, while the defenders still wander around clueless.  And remember,
stay away from 'experts'--stick with professionals, they're just doing their
job (you're a pro, Fred, so you get the joke).

- Now here's a subject for debate--how much security should be black boxed?
I'm on the record as stating that clients should foster an internal competence
in the area of security, rather than looking to external support.  The best way
to do that is through open discussion, but it has to be well-facilitated, which
is problematic.  I could do a pretty bang-up job of building a consumer-level
secure system, but there's always someone more clever than myself.  Do we open
source a next-generation architecture for security?

- Why would I flame you, Fred?  Nothing you said was off the mark, other than
the fact that it was an advertisement (as I previously observed).  With this
community, we're buying, not selling.  If I had to 'hand pick' a solid group of
folks (well, nominate at least, since nobody is going to trust me to do the
picking), you would be on the list.  So there's no return flame because a) you
didn't merit it, b) you're not saying anything that isn't true, and c) I don't
attack people on the same side of the conflict.

Michael Wilson
7Pillars Partners

On Mon, 30 Jul 2001, Fred Cohen wrote:

> Per the message sent by 7Pillars Partners:
> 
> > Sigh.  OK, you asked for it.  A counter-rant.
> 
> This is the best part of the Iwar forum...  My counter-rant enclosed...
> 
> > First, regarding Tony's comments.  I've been on the record for a long time in
> > calling Microsoft a 'national security threat'--their software sucks, their
> > security sucks, and monopolistic penetration has created a monoculture that
> > allows even buggy exploits to penetrate a great number of machines.  Would I
> ...
> 
> Let's get it straight - CISCO is more of a monopoly than Microsoft in
> their field and their recent vulnerabilities are likely a far greater
> risk to the Internet than anything Microsoft could do.  After all, they
> dominate the critical part of the critical infrastructure and are far
> harder and more expensive to fix or patch than a Windows box which you
> could probably throw out.
> 
> Then we have Sun - which is actually still a big player and uses
> proprietary HW and SW and which has defined the standard in
> incompatibility as far as I can tell.
> 
> And you should also know that Linux versions keep coming out with
> non-compatible library routines so that lots of SW is not properly
> backward compatible.
> 
> ...
> > any traction.  Everybody likes to keep their tools and materials proprietary,
> > nobody wants to create a standard (like the Generally Accepted Accounting
> > Principles, or GAAP, that makes financial reporting and transparency possible)
> > in the open source. 
> 
> Hear, hear - they choose profit over portability and compatibility - but
> isn't that what companies are all about? The real truth underlying this
> issue is that government is responsible for "The Common Defense" and is
> not doing its job. 
> 
> > Critical infrastructure protection is a field dominated by
> > law enforcement, beltway bandits, and the Usual Suspects (anti-viral vendors,
> > other folks with a business model that profits from a perpetuation of
> > vulnerability).  I can't tell you the amount of flak I've taken for attacking
> > the Pearl Harbor scenario as the load of crap that it is, but trying to get
> > people to wake up to the real threat (penetration and subversion).  Beating my
> > head into a concrete wall would approximate the level of fun and excitement
> > I've had trying to 'do the right thing.'
> 
> As do we all - from our points of view.  I happen to largely agree with
> yours in this case, but we are still stuck in WWII here in the US -
> Europe is supposed to still owe us something - we are supposed to
> dominate the world - etc.  The US is too ego-centric to realize that we
> are slipping badly.  We need realistic looks at ourselves - which the
> structure is designed to prevent from happening. 
> 
> > On to a number of other points...
> ...
> > - Sure, we understand the problem a lot better than the FBI.  Put it like
> > this...  there is a real problem out there.  The FBI doesn't know what to do
> > about the problem--it's outside their level of competence, resources,
> > jurisdiction, etc. 
> ...
> 
> So they keep getting more and more money claiming it is never enough and
> reducing freedoms more and more to try to get a hold of the problem. 
> But soon they will become the problem unless someone stops the foolish
> public policy decisions and court rulings.  The US is heading down a
> very slippery slope and it is very dangerous for the future of freedom
> and humanity.
> 
> > - I would love nothing better than to solve the problems.  I've been trying for
> > years.
> ...
> > they just let us use it.  Lots of money gets tossed at pretty crappy projects,
> > but real solutions have one hell of a time getting support.
> 
> You have that right.  The people doing funding do not fund the best of
> the research - they fund friends and political allies and future
> employers.  The sad truth is that if money is all you seek, you will
> destroy the US.  It is interesting that rich folks set up the whole
> freedom thing - perhaps they were not so much worried about losing their
> fortunes as their lives.
> ...
> 
> > - We've stopped publishing our work to the net primarily because the bad guys
> > were using the work, while the good guys kept wandering around in the dark
> > looking for their privates with both hands.
> ...
> 
> Which reflects the situation when computer virus research was first
> published.  The NSF reviewers of proposed research said that viruses
> were not really possible and that it was all hype - the big expert at
> MIT said that I should read about access control (he never was able to
> listen to anything I said) - the bad guys were writing development kits.
> 
> > - It hasn't been a game for a long time.  We aren't getting any calls to play
> > superhero and rescue the system, so we stick to our client base and keep them
> > out of trouble.  To be perfectly honest, I would be very surprised to 'get the
> > call,' simply because I know our approach is voodoo, witchcraft, and black
> > magic to most people.  They (you know, 'them') want simple answers, quick
> > fixes, and reassurance.  We don't sell that, because we don't bullshit our
> > clients.
> 
> Hear, hear - most people just don't want to know - and they should not have to.
> 
> > - Unlike a lot of folks in this 'industry,'...
> 
> OK - too much of an advertisement - please flame me back personally for saying so...
> 
> FC
> --This communication is confidential to the parties it is intended to serve--
> Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
> fc@all.net		The University of New Haven.....http://www.unhca.com/
> http://all.net/		Sandia National Laboratories....tel:925-294-2087
> 
> 
> ------------------
> http://all.net/ 
> 
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 
> 
> 





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:38 PDT