[IP] more on Chinese hackers
Begin forwarded message:
From: Marc <marcaniballi@xxxxxxxxxxx>
Date: November 27, 2005 4:41:54 PM EST
To: "'David Wagner'" <daw@xxxxxxxxxxxxxxx>
Cc: wilsonrj@xxxxxxxxx, dave@xxxxxxxxxx
Subject: RE: [IP] more on Chinese hackers
Hello David;
I pretty much agree with your concepts, with the exception that I never
said "all systems are equally insecure." What I said was that all
man-made systems are vulnerable to man. The measure of vulnerability (as
is the measure of risk) is largely arbitrary and based upon historical
precedent along with some inductive reasoning and often a bit of
financial analysis.

The reality of risk in an evolving technological environment is that it
is generally present yet specifically unknowable. We can build models to
predict probabilities and impacts, but they can only be built using
history and conjecture - there is no way to KNOW what all potential
risks are, and I would submit that when it comes to technology, we can't
even know HALF of the risks a system faces over the course of a year
into the future. Whether a network is internet connected or not does not
appreciably affect its risk profile unless you consider the systems to
be otherwise naked. The assessed risk profile of an internet connected
system is likely different, but not necessarily less secure than a
private system.

As any security professional will tell you, the number one cause of
failure in any security plan/procedure is people - machines don't make
security errors. So I can only agree that IF a hacker finds information
they shouldn't, then somebody didn't do their job - the real problem
then becomes, WHO didn't do their job? The base commander, the security
officer, the security consultant, the software vendor, the hardware
vendor, the telecom provider, the implementation team, the content
management team . . ?

Of course, it may be that the "guilty parties" involved actually were
doing what they were told! One of the more interesting forms of security
is to misdirect your adversary.

Marc
-----Original Message-----
From: David Wagner [mailto:daw@xxxxxxxxxxxxxxx]
Sent: Saturday, November 26, 2005 8:51 PM
To: marcaniballi@xxxxxxxxxxx
Cc: wilsonrj@xxxxxxxxx; dave@xxxxxxxxxx
Subject: [IP] more on Chinese hackers
In article <4388F42D.1070904@xxxxxxxxxx> you write:
> As everyone knows, there is no lock made that cannot be picked. If man
> made it, man can hack it. So whether these folks put their systems on
> the Internet (with good security and DMZ etc) or on a private leased
> line network (hugely expensive) they are in effect JUST AS VULNERABLE.
> A motivated attacker will find a way in, sooner or later. With enough
> research and effort, they may even know exactly where to go and what
> to look for.

This doesn't follow. Security is not black-and-white. When you leap from
"no system is perfectly secure" to "all systems are equally insecure",
you have made a bogus leap of reasoning. By this reasoning, there would
be no point in ever locking the doors of any building, no matter how
critical, and there would be no point in locking the door on the bank
vault. This reasoning would suggest we might as well leave them all
unlocked all the time, since no matter what you do you are "JUST AS
VULNERABLE", right?

Well, that's wrong. Completely wrong. Security is about managing risks,
and it is often helpful to do your best to reduce or manage the risk,
even if you cannot completely eliminate it.

The military does have rules that prohibit storing their most sensitive
information on Internet-connected computers. And that is a sensible
precaution. It doesn't completely eliminate all risk, but it's a good
first step. If a hacker finds classified information stored on an
Internet-connected computer, odds are that someone wasn't doing their
job.