RE: [iwar] Solicitation for stupid things you have heard.

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 2002-01-07 01:23:07


Return-Path: <sentto-279987-4221-1010395395-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Mon, 07 Jan 2002 01:25:07 -0800 (PST)
Received: (qmail 4263 invoked by uid 510); 7 Jan 2002 09:23:39 -0000
Received: from n15.groups.yahoo.com (216.115.96.65) by all.net with SMTP; 7 Jan 2002 09:23:39 -0000
X-eGroups-Return: sentto-279987-4221-1010395395-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.189] by n15.groups.yahoo.com with NNFMP; 07 Jan 2002 09:22:47 -0000
X-Sender: toby.kohlenberg@intel.com
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_1_3); 7 Jan 2002 09:23:15 -0000
Received: (qmail 4081 invoked from network); 7 Jan 2002 09:23:14 -0000
Received: from unknown (216.115.97.167) by m3.grp.snv.yahoo.com with QMQP; 7 Jan 2002 09:23:14 -0000
Received: from unknown (HELO hermes.fm.intel.com) (192.55.52.18) by mta1.grp.snv.yahoo.com with SMTP; 7 Jan 2002 09:23:14 -0000
Received: from petasus.fm.intel.com (petasus.fm.intel.com [10.1.192.37]) by hermes.fm.intel.com (8.11.6/8.11.6/d: outer.mc,v 1.28 2002/01/02 21:40:45 root Exp $) with ESMTP id g079MqV02848 for <iwar@onelist.com>; Mon, 7 Jan 2002 09:22:53 GMT
Received: from fmsmsxvs040.fm.intel.com (fmsmsxv040-1.fm.intel.com [132.233.48.108]) by petasus.fm.intel.com (8.11.6/8.11.6/d: inner.mc,v 1.11 2001/11/09 23:28:01 root Exp $) with SMTP id g079MuS27897 for <iwar@onelist.com>; Mon, 7 Jan 2002 09:22:56 GMT
Received: from FMSMSX017.fm.intel.com ([132.233.42.196]) by fmsmsxvs040.fm.intel.com (NAVGW 2.5.1.16) with SMTP id M2002010701223914760 ; Mon, 07 Jan 2002 01:22:39 -0800
Received: by fmsmsx017.fm.intel.com with Internet Mail Service (5.5.2653.19) id <CHYFYWG2>; Mon, 7 Jan 2002 01:23:08 -0800
Message-ID: <B6E52B5EDFAFD411BA42009027AE9D5816258643@FMSMSX39>
To: secedu@yahoogroups.com, iwar@yahoogroups.com
X-Mailer: Internet Mail Service (5.5.2653.19)
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Mon, 7 Jan 2002 01:23:07 -0800
Subject: RE: [iwar] Solicitation for stupid things you have heard.
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

All opinions are my own and in no way reflect the views of my employer. None
of the statements below come from my current place of employment.

Channeled from a previous life:
"There's nothing on our servers that would be valuable to anyone but us"
"There's no reason to lock the systems at night, our offices are secure enough"
"Why waste money on intrusion detection? We've never had (seen) a compromise or even an attack"
"I think we're not really a target, we stay below the radar" (even though they do most of their business online and have multiple T1s and dial-in lines)
"This is the way we've always done it! We've never been hurt by it before."
"There are other problems in the environment that are just as bad, why fix this one?"
"This is just a temporary solution, it won't be permanent, it's okay that it isn't secure" (Toby's rule: There are no "temporary" solutions. The first thing deployed is frequently the _only_ thing deployed)
"There's no need to monitor the system! I did my job right when I installed the box!"

Toby

> -----Original Message-----
> From: Fred Cohen [mailto:fc@all.net]
> Sent: Sunday, January 06, 2002 8:29 AM
> To: secedu@yahoogroups.com; iwar@onelist.com
> Subject: [iwar] Solicitation for stupid things you have heard.
> 
> 
> I want to solicit the list members of these forums to help me with an
> article I am writing for Managing Network Security. I extract here from
> the current draft beginning of the article in the hopes that those of
> you who are interested will provide the raw material I need...
> 
> -------------
> I have heard many decision makers and executives say things that went
> unchallenged even though they were dead wrong. The reason they went
> unchallenged varied with the situation, but I think there are three
> basic areas of rationale. (1) The person they were talking to perceived
> themselves as less powerful and did not wish to offend, (2) the person
> they were talking to did not know the facts and simply bought into the
> misimpression of the more senior person without questioning it, or (3)
> the person they were talking to was afraid of offending the executive
> because they wanted something from the executive and figured you go
> along to get along.
> 
> Well, I don't perceive myself as less powerful than anyone, I know some
> of the facts, and the chances of my getting any money from anyone like
> that are so poor that I have nothing to lose. So I am going on a brief
> crusade this month fighting the stupid things I have heard high-level
> people say about security issues, particularly those who were believed
> by others and whose expressions found their way into widespread belief.
> 
> Of course to really do this well, I need a list of the ten most stupid
> things people have said so I can trash them. Rather than come up with my
> own list, I have decided to ask others to list the ones they have heard,
> and I will sprinkle in one or two of my favorites along the way.
> -------------
> 
> Please feel free to respond directly to me (fc@all.net) or to the list
> (if you want the list members angry at you).
> 
> FC
> --This communication is confidential to the parties it is intended to serve--
> Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
> fc@all.net		The University of New Haven.....http://www.unhca.com/
> http://all.net/		Sandia National Laboratories....tel:925-294-2087

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST