In <v01540b01ae8c8fd2bd02@[168.121.206.219]>, on 10/18/96 at 10:49 AM, pelicans@mindspring.com (BeachCruiser) said:
.At 10:31 AM 10/17/96, ericw@atd.scs.philips.com wrote:
.
.>If I buy a firewall, and it blows up on me (i.e., it has a glaring error
.>that allows a hacker to get into my site and wipe all my disks) then
.>I would also sue the #@$% out of the vendor. The big difference
.>here though is that I would probably lose, even though the disks
.>were wiped because the product I purchased was defective. People
.>design products to the point where they won't lose a lawsuit
.>(among other criteria). If I can't win a lawsuit against a
.>dangerously defective product, then you know I want source code.
.
Maybe a vendor should permit access to source code in security
products; maybe not. I wrestled with that problem for years
designing software for sensitive applications. I finally settled on a
two-part compromise: give the customer (agency...) access on my
premises or in a controlled environment to _all_ the code to verify
that everything passed through primitives vetted for security AND
provide the primitives to the agency to break, if possible.
Everybody approaches breaking code slightly differently. I have
terminated more than one good code writer with a fatal fault: when
someone broke something, they would scream: "...splutter... you're
not supposed to use it that way! ...splutter...."
If you wished to get paid $80K/year as a coder in 1982, you had
better be more than a flow-chart interpreter; you'd better be a
global thinker, someone with the second sense or the sixth sense of
good users and stupid users, and the scope of the project, not just
the line of code you are trying to be cute with today --you can come
back later and make your code elegant --first make it work and
interrelate.
.Well...maybe it's different now, but back in the dark ages in order for
.developers to become rich they had to design and build products that
.offered a better result. If the design goals were to avoid lawsuits
.then all companies, particularly those in the security business, would
.be run by lawyers, every product would cost $40 million dollars to bring
.to market...and someone will sue anyway.
.
I could not agree more. I've written hundreds of thousands of
lines of application code (not recently, thank you) --and, I have an
LLD going to waste --as I was wrapping it up at Harvard, the
idealism of my classmates disappeared with the interviews --the
issue became money: greed, and more greed. That and the experiences
observing a corrupt system of good ol' boys and lawyers' "clubs" as
they indulged in body trading among themselves and with the
prosecutors finished for the US.
But you never forget the power of the law, or its scope, or its
ridiculous and comic justice for the perceptions of technology and
its value in the progress of society. The law looked at technology
through a narrow port window as just another target to file tort
actions for the failure of designers and their companies to read the
crystal ball of the stupidity of their customers and their desire to
reap financial benefits from their own mistakes in evaluating,
installing, configuring, and operating a software (or firmware for
that matter) product.
If you wish to hamstring operations at a business, hire a
Big-Eight CPA as a controller; if you wish to kill the company from
lack of business even with a dynamite product, hire a lawyer.
I just settled for a reasonable amount of disclosure, common
sense, and working with the client --and, oh yes, for sure: refuse
to sell to the incompetent with a big legal staff.
For those of you who say it is impossible with the government --you've
never dealt with many of the visible, or all of the invisible, where
security, etc. precludes open specifications, etc. Most of these
people are not only knowledgeable, but human.
For instance, the CID of the IRS is an entirely different cut of
government employee. Not only significantly competent, but just.
.Second, the implication that having source code would somehow indemnify
.one from loss or damage by virtue of a preferred position in court may be
.betraying the mentality of those who feel that it is the responsibility
.of "the product" to insure the security of the enterprise. That way we
.can just blame it and the company that built it, when there is a
.failure.
.
Other than the evaluation stated above, full disclosure of
software has a very negative aspect to development --witness the
Inslaw/Promis case, just one of many. If the client/end user wants
full software disclosure --acquire freeware; some might even be
better than commercial, but they are all caveat emptor.
Developers/entrepreneurs and corporations alike are interested
in one thing in the product arena in general, but particularly in
areas of system security, network security, etc. --they want a
successful product with a _secure_ reputation. No one company, nor one
end-user, can guarantee protection for one stupid user, let alone
many stupid users who do not read the manual, and refuse to pay
for professional assistance for the system review and the startup.
In other words, you cannot protect a company or a network which
already 'knows it all' --and commits various sins of omission and
commission! But the incompetent client expects you to protect them
for the ignorance they do admit...
.Third, if I were the CEO of the company that got hacked, because we
.installed a Swiss-cheese firewall, I would really be interested in
.knowing how in the hell my highly skilled and compensated IT staff came
.upon the decision to allow "a dangerously defective product" to enter
.the organization and create such a mess. We live in an age where it's
.a lot easier to beat up on some product manufacturer than it is to face
.the fact that some organizations and their staffs are just not up to the
.task of dealing with the fundamental responsibilities inherent in their
.jobs...risk management.
.
Absolutely, risk management starts at _home_. At the CEO level,
expecting a vendor to cover the stupidity and failures of security
staff to learn and install correctly is its own brand of corporate
irresponsibility and incompetence. Just like an argument with a
"fool" --check in a mirror to see if you are arguing with a fool.
.If anyone is having that kind of a crisis in confidence about ANY
.product let alone a commercially developed security device then for
.god's sake don't buy the product, go hack up your own, or pull the damn
.ethernet cable out of the wall. But to those who would suggest that
.life on the electronic road will be safe and secure again if only the
.product developers would pull down their pants, I suggest that they
.might want to seek out an occupation where the issues are a bit less of
.a challenge.
.
All of 'em, from the CEO down.
We will all see "managers" who expect total security but are
unwilling to pay for it --the ultimate security is to pull the
internet feed from the wall --you are correct.
I have seen situations where Internet access is banned for
security reasons --yet internal users connected to this secure
internal network will have modems on their desks --there is NO
firewall protection at all -- they are opening their secure internal
network to an observant cracker who can exploit their browsers.
This, of course, also happens with secure networks which are
connected --maybe even with dual firewalls and proxies. All it
takes is one modem and a user with NT, and the can opener is
in the door.
.uh...more tea anyone?
Sorry, lds... but thanks for the offer.
--attila
.___________________________
.Bob McKisson
.Cypress Systems Corporation
.(757) 425-4195 Voice
.(757) 425-4196 FAX
.(757) 422-0888 STU-III
.
pelicans@mindspring.com
--
"I don't make jokes.
I just watch the government and report the facts."
--Will Rogers