Firewalls: Re: A short dialogue

Firewalls
(October 1993)

Indexed By Thread: [Previous] [Next]

Subject:	Re: A short dialogue
From:	"Perry E. Metzger" <pmetzger @ lehman . com>
Date:	Sat, 23 Oct 1993 16:35:42 -0400
To:	firewalls @ greatcircle . com
In-reply-to:	Your message of "Sat, 23 Oct 1993 13:03:21 PDT." <9310232003 . AA00812 @ sparkyfs . erg . sri . com>
Reply-to:	pmetzger @ lehman . com

Bryan McDonald says:
> 
> Resources are not easily available to verify who someone is on a list
> of thousands of email addresses all over the word.  I can call AMEX and maybe
> verify you.  What about FooBar Consulting in New Mexico?

Fine. Maybe they decide if they have no real hint on who they are
dealing with they won't talk. However, the guy who handles the
firewall for a giant company isn't someone they can't get information
for. I could understand it if they said "we don't know who you are"
but they said, instead of that, "We don't tell ANYONE." This is hardly
reasonable. They should be able to tell at least some people.

Beyond that, the information they gave out was far far less than they
could be reasonably expected to divulge. Does the bug hurt all
versions of sendmail, for example? Can it hurt machines inside a
firewall? Can it be stopped by disabling the prog mailer? These things
would be easy to tell us.

> So, because we can verify you but not everyone else, we should hang out
> the little sites and companies that may not have the resources to drop
> everything and find this hole right away for the sake of
> the big companies that can do so?  I think not.

I think so. I think that if Lehman went belly up it would hurt tens of
thousands of people, and that its orders of magnitude more likely
someone would try to hack us. If some mom and pop operation goes down
they just spend the evening restoring from backup tapes. You try to
bring back 3000 workstations with a small staff and 30 minutes until
the start of trading.

The police are a lot more likely to investigate a murder than they are
to investigate your car window being smashed, and for exactly the same
reason. Frankly, some people and some things ARE more important than
others. And yes, my site is more important than a mom and pop software
consulting company.

Never get out of your head, though, that they aren't even telling as
much as they could on the assumption that they have to tell everyone
on earth the same thing.

> If your company is so big,

Ten thousand or so employees in thirty branches going round the world
from Baharain to Singapore.

> and security is so paramount,

Thats a given in any financial institution.

> then form your own CERT for your company

And here I thought you were contending that CERT isn't useless. If I
have to do the job myself then its obvious that CERT is indeed
useless.

Perry

Follow-Ups:

Re: A short dialogue
From: Bryan McDonald <bigmac @ erg . sri . com>

References:

Re: A short dialogue
From: Bryan McDonald <bigmac @ erg . sri . com>

Indexed By Date	Previous:	Re: A short dialogue From: Bryan McDonald <bigmac @ erg . sri . com>
Indexed By Date	Next:	Re: A short dialogue From: Gene Rackow <rackow @ mcs . anl . gov>
Indexed By Thread	Previous:	Re: A short dialogue From: Bryan McDonald <bigmac @ erg . sri . com>
Indexed By Thread	Next:	Re: A short dialogue From: Bryan McDonald <bigmac @ erg . sri . com>