"Perry E. Metzger" <pmetzger @
# Brent Chapman says:
# > "John A. Murphy" <jam @
# > # The major problem I see with giving "authorized" people the insights to
# > # vulnerabilities is there are a number of people wearing 2 hats. Valid
# > # admins working for a company, while at the same time trying to (personally
# > # or professionally) break into a competitor.
# > YES! THIS is exactly the key problem here. Even if I know who you
# > are, I'm not going to tell you the details of a security-sensitive
# > bug, because I don't know how you're going to use the information.
# Mr. Chapman, do you really honestly believe that there would be no
# consequences were I to misuse the information in question? I'm not
# some teenager.
There would be consequences IF you got caught. Now, how many crackers
have been caught lately? As a percentage of the total? Doesn't seem
likely to me that you (if you were doing anything illegal, and I don't
mean to suggest you are) would get caught.
# The folks like me who run firewalls for wall street
# firms (many of whom you have personally insulted in the last few weeks
# -- interesting behavior for a consultant) are people with substantial
I see. Because I'm a consultant, I should go out of my way not to
hold strong opinions, lest they offend anyone? I don't think I've
insulted anyone by saying "I don't know you, therefore I don't trust
you with sensitive information". Nobody I'd want to work for, anyway.
If somebody wants to sign a contract with me that their company will
indemnify me against any legal actions arising out of information that
I share with them, I'd be a lot more willing to share sensitive
information with them, because I'd have something tangible to back
their claims that they _aren't_ going to misuse the information, and
to protect myself with legally if they do.
# personal assets who have a lot to lose if we behave like idiots. (How
# much does the average teenage cracker have to lose?) We are also
# individuals who've been carefully background checked -- I can
# guarantee you that no one who works in the securities industry has
# ever gotten more than a parking ticket -- the SEC would have our
# company's neck if they didn't make sure of that. I've been
# fingerprinted at least three times at every firm I've worked at just
# to make sure of who I am and that I don't have a record.
Weren't Ivan Boesky and Michael Milken (sorry if I've misspelled their
names) subject to those same security checks? Pardon me if I don't
place much faith in them.
# Of course, you presume we are all criminals. I have a question for you
No, I assume that you _may_ be criminals, though you probably aren't.
There's a big difference. If I assumed that you _were_ criminals, I
wouldn't tell you anything I know. Since I assume that you _may_ be,
but probably are NOT, I'm willing to share all but the most sensitive
information I have.
# though, Mr. Chapman -- what assurance do we have that anyone who works
# at CERT isn't using the information to break into hundreds of
# computers? How do we know that YOU aren't using YOUR contacts to break
# into hundreds of computers? I've got no idea if you have a criminal
# record, and I have no idea if anyone at CERT has one, either.
You don't. And that's exactly my point. I'm not trying to imply that
anyone here is doing anything they shouldn't be, but I _am_ saying
that it is a distinct _possibility_.
There are 1000 subscribers to the Firewalls mailing list, and another
500 to Firewalls-Digest. Many of these subscriptions are local
exploders. I'd estimate total readership of this list at 3000 people.
Some of those people are bound to be crackers; I even know who a few
of them are, but there's nothing I can do about it. They all have
legitimate day jobs and no criminal record.
Brent Chapman
Great Circle Associates
1057 West Dana Street
Mountain View, CA 94041
+1 415 962 0841