This is a repost of a mail message. Although this mail was sent
to the firewalls mailing list, somehow it never made it was never
It has become apparent to me that my previous mail may have been
misinterpreted to have a meaning other than which I had intended.
It was pointed out to me that by not answering specific remarks
made by Julian that I was agreeing with him.
This is definitely NOT the case.
To be honest, I found the unprovoked attacks on CSI disturbing and
uncalled for. I also found many of Julian's comments without merit
for reasons I'll go into later.
To correct any possible misinterpretations in my original mail, it
is probably best if I take Julian's original mail & comment on it
>> Frank Willoughby
> Julian Assange
>> Specifically, the report contains the statements which appear to
>> be contradictory.
>> "Over 50% reported incidents on their internal networks and almost
>> 40% reported frequent incidents on their remote dial-in and Internet
>> connections. These results tear at the "conventional wisdom" that
>> 80% of the information security problem is due to insiders (i.e.
>> disgruntled or dishonest employees, contractors, etc.)."
>> - from the 1996 CSI/FBI Computer Crime and Security Survey
>> Actually, the statements aren't contradictory.
>> The graphics chart on page 5 clarifies this. Under the heading
>> "Networks are being probed from all access points", those surveyed
>> were asked to respond to the multiple choice question. The breakdown
>> of this is as follows:
>> Internal Systems: 53.5%
>> Remote Dial-in:   39.4%
>> Internet:         37.5%
>A flawed and useless study. When will these people find some academic
>and statistical rigor?
I thoroughly disagree. IMO, the purpose of a survey isn't to count
the number of widgets which are produced where hard & fast numbers
can be obtained & verified, but to attempt to identify *trends*.
From our experience, CSI's survey is a fairly accurate reflection
on what we have seen at customer sites - in the "real world" (not
academic imaginations). Further, I would say that given the
constraints of an attempt to gather the type of data as reflected
in their report, I am amazed at how well their report maps with
>The above figures are useless without error
>margins. Having digits after the decimal point implies an error margin
>less than 0.05%. In a field like this, I am confident such a figure is
>one of sheer deception. I suspect strongly that the error margin in this
>sort of study approximates +-49.9%.
First, I think quibbling over percentage points in a survey which is
intended to demonstrate trends is ridiculous and childish.
*** Out of curiosity, Julian, how would *you* conduct such a survey? ***
It's easy to sit on the sidelines & take pot shots at someone
else without offering a suggestion to correct the situation.
I would be interested in seeing how you would ensure the accuracy
of a survey of this type. Personally, from what I have seen of it,
I think that CSI's approach was methodical & logical and made the
best use of the info which was available.
While we're at it, let's look at a couple of input factors:
o All corporations or entities having computers
This is absurd. Asking everyone to respond simply isn't possible.
Forcing people to respond (as mentioned later in Julian's mail)
and hoping to obtain accurate answers is equally absurd.
Further, most companies have only recently started thinking about
InfoSec and have done little, if anything, to protect themselves
adequately. The only reason that things are moving along as quickly
as they are in this arena is due to the huge publicity that hacking
& the Internet have received.
Also, even if you could get all corporations to respond with their
input regarding the number of attempts, the answers wouldn't be
valid - because their security is generally so low, that they
wouldn't be able to detect an intrusion unless the hacker were
very stupid, very careless, or downright unlucky. How can a
company provide answers regarding the numbers of breakin attempts
if they haven't even thought about (or implemented) InfoSec yet?
o Reports from hackers regarding the number of systems they have
penetrated along with quantified data regarding whether the
attacks were inside, or external attacks, etc. This is also
absurd. As many hackers like to brag, there is a fairly high
probability that the numbers will be artificially inflated.
Also, how many hackers would be willing to admit to something
in writing which could be used to send them to jail if the data
accidentally fell in the wrong hands?
o This leaves us with the input of the InfoSec officers. This was,
IMHO, the most accurate source of input CSI could have chosen,
as it is soliciting input from people whose job it is to *know*
& *track* these things. CSI mentioned that their survey went
to Information Systems Security Professionals.
>Let us examine the key words.
>1) "reported incidents".
>This implies DETECTED. Undetected incidences we obviously have no
>information about. Now, where will intrusion detection systems (that
>includes security staff) be most strongly keyed for? Internal access?
>Hardly. Logging and analysing a major company gateway is possible, if
>very intensive. For topological and traffic volume reasons, identical
>monitoring of internal traffic is completely impractical.
Inside attempts - Many systems have the ability to detect intrusion
attempts. Usually it is stored in log files.
Outside attempts - Firewalls & gateways can also log intrusion
The only question which remains is how many people are monitoring
internal & external intrusion attempts on a frequent basis?
>Now let's take a look at the "reported" component of this phrase. Reported to
>*whom*? The quote does not directly state the answer, but I will presume
>the entity is either the FBI or CERT. Which are more likely to be
>reported to an *outside* agency: inside or *outside* attacks? I think
>the answer is disgustingly clear.
Is the glass half-full or half-empty? Since all data isn't available
to us, does that mean that we throw the survey out? Absolutely not.
From the data we do have, I think the results fairly well coincide
>2) "those surveyed"
>How were "those" chosen? On the basis of past contact with
>CERT/FBI? Random telephone calls? Fortune 500 index? Yellow pages?
>Subscribers of a mailing list? Conference attendees?
Apparently, you haven't read the survey very thoroughly or you wouldn't
be asking that question. It mentions that InfoSec professionals were
>3) "were asked to respond"
>*asked* to respond. Not legally forced to respond. If half of those who
>were asked to respond did not respond the error margin immediately jumps
>to +-25%, because some or all of the entities who were surveyed and did
>not respond may have elected that course for reasons related to the
>nature of the survey.
How many accurate answers would you get when you force someone to respond?
Probably, not very many.
>Remember the final error margin is the compound of all error margins
>along the way.
And? Again, are we plotting trends or counting beans?
>The writers of the report concered (not forgetting the designers of the
>amazing "it must be true because we managed to turn it into a picture"
>CHART) are quite simply incompetent morons, or intending to deceive and in
>either event should be severely reprimanded.
Concered??? Did you mean admitted or stated or something else?
Regardless, calling them "incompetent morons" and claiming that they
were "intending to deceive" is absurd and beneath your reputation.
Further, it was uncalled for, and IMO, slanderous.
Let's take the two slanderous statements one at a time.
How do you figure this one? I have talked to Richard Power & other
CSI staff & sat in on John O'Leary's classes. (BTW, John O'Leary
is an *excellent* speaker). They are definitely competent and know
what they are talking about. Also, if they weren't competent, it
is unlikely that CSI would have survived for 22 years. Having attended
a couple of NetSec conferences, I am content with the level of
competence they have exhibited. Out of curiosity, on what basis
did you make your statement above? Have you ever attended any of
their conferences? Are you even a member of CSI?
"Intending to deceive"
First, any attorney or prosecutor worth his salt will tell you that
intent is *very* difficult to prove in court. Good thing they aren't
suing you (my assumption). Unless you can *prove* otherwise, I think
it would be appropriate to retract the above two remarks & apologize
to them. Of course, while I understand that you may not feel this
way, I still think it would be the right thing to do.
Second, "intending to deceive" who to do what? What deception is
involved? They are merely reporting the data as they have received
it. I think your comment about them isn't really becoming of your
reputation in the InfoSec community. I have met several of CSI's
staff and have found them to be honest & friendly. IMO, your
unprovoked attack on them was neither.
Also, you may have overlooked the fact that the survey was a
joint effort between the CSI & the FBI's International Computer
Crime Squad. Quoting from their survey:
"It was strictly an outreach effort on behalf of both CSI and the FBI.
The FBI supplied the questions and CSI took full responsibility for
conducting the survey and publishing the results".
Getting back to the survey, IMHO, CSI obtained their data for the
survey from the best source possible - the InfoSec professionals.
As mentioned earlier, IMHO, they asked the right people the right
questions, tabulated the results and posted them. Given the possible
constraints of such an undertaking, I think they did an admirable job.
In closing, regardless of whether the cause was fever, temporary
insanity, or whatever, I think your attack on CSI was inappropriate,
unprofessional, and incompatible with your current reputation in
the field of InfoSec.
Granted, CSI can defend themselves adequately, but as an interested
observer, I was very disappointed in Julian's posting. He has an
excellent reputation in the InfoSec field and to be honest, I
expected better of his postings.
Last, but not least - I have the highest regard for the staff at
CSI and hold them in high esteem. I have found them to be honest,
competent, friendly, and hard-working. I have talked to several
of them in person and was impressed with their knowledge of the
subjects at hand. FWIW, I have found the CSI membership & the
NetSec conferences worthwhile and would recommend them without
reservation & a CSI membership to any InfoSec professional who
wants to help meet the challenges of today's business & security
That's my 2 cents.
>"Of all tyrannies a tyranny sincerely exercised for the good of its victims
> may be the most oppressive. It may be better to live under robber barons
> than under omnipotent moral busybodies. The robber baron's cruelty may
> sometimes sleep, his cupidity may at some point be satiated; but those who
> torment us for our own good will torment us without end, for they do so with
> the approval of their own conscience." - C.S. Lewis, _God in the Dock_
>|Julian Assange RSO | PO Box 2031 BARKER | Secret Analytic Guy Union |
net | VIC 3122 AUSTRALIA | finger for PGP key hash ID = |
edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
Any sufficiently advanced bug is indistinguishable from a feature.
-- Rich Kulawiec
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist