Opinions on Zero Tolerance -- Chuq Von Rospach

This material is Copyright © by Chuq Von Rospach <chuqi@plaidworks.com>.

At 10:40 PM 1996-04-16, Keith Dawson wrote:

> Gentlemen -- care to step into a foodfight? You're admins whose opinions I
> respect, and if you have the time I would appreciate your comments on the
> "zero tolerance" philosophy of system security practice.

Thanks. I'm honored.

Interesting situation.

> If you reply, please include any conditions or stipulations you want honored
> with respect to my making your reply public in a future issue of TBTF and in
> its permanent archive.

No restrictions on distribution, private or public.

> ||| Anatomy of a protracted Net attack |||

> > Take a zero-tolerance attitude toward investigating attempts to scan or
> > enter your system.

Right off the bat, IMHO, this is a no-win situation. People will poke.
This is "Just Say No" gone on-line. Might have worked for Nancy Reagan,
but it sure didn't do much but feed the anti-drug bureaucracy.

If you want to build a job description with security, this is a great
way to do it. For those of us who have real jobs, it's not practical.
There are realistic levels of security that do at least as good a job
(perhaps better) at a much lower resource utilization (and/or wastage)
and a much lower level of paranoia. Besides, being so hard-core and
uptight does tend to make you a target. Proclaim yourself 100% secure
and all of the "oh yeah? we'll see about that!" types will flock in...

> > The idea that one attempt to guess a password or gain
> > unauthorized entry is too small to bother with opens a giant hole.

How? Unless they can get it the first time, it doesn't. Reasonable
tools can set a level of attack awareness and go off when they're
reached, maintaining a level of security without going lunatic.

This "no tolerance" approach reminds me of a guy who's so afraid of a
building catching on fire he sets his alarms to turn on the sprinklers
and calls the fire department every time someone lights a cigarette in
a no smoking zone. The building won't burn down, but the side-effects
make you forget the advantages. And the fire department will get really
pissed at you...

> > With
> > modern attack tools, instead of scanning for a lot of services on one
> > computer, I can scan for a few services at many computers. By staying
> > below your incident detection threshold, an attacker can go after systems
> > at will and without fear of recourse.

I'm curious -- has he ever succeeded with an attack approach like this?
Are there papers showing the efficacy of this approach? Sounds an awful
lot like a strawman to me. Is there any data to back up this attitude?
Or was it created to back up the policy?

> > With zero-tolerance, each
> > questionable activity results in another message to the systems
> > administrator at the site where the attack originates. Pretty soon, the
> > activities will be seen as significant.

Pretty soon, the administrator will write that system off as a twit and
throw them all out unread, so that REAL problems will also be ignored.
(See also, "Wolf, Crying". Or any car alarm after dark in a downtown
parking lot.)

I get a lot of email. If a system starts babbling at me, it'll get
filtered. If an ADMINISTRATOR comes to me for help, I'll do what it
takes to deal with a problem -- but when an autobot starts nattering at
me and it's clear no human's even looked at the situation, I'll deal
with it with the respect it deserves. In fact, I'll go a bit further.
By sending out auto-bot notes like this, without any verification of
the situation by human hands, the administrator is trying to foist
responsibility for his system's security on other admins and refusing
to take responsibility himself.

I have enough trouble watching my own house. I don't appreciate someone
coming along and using a robot to tell me to watch his, too. And this
is fairly serious -- System Admins who aren't very knowledgeable might
well choose to shoot people first and ask questions maybe, so this kind
of messaging without validation is a very serious security issue in
itself. The first time an Admin over-reacts and kills a student's
account or gets an employee in trouble over one of these auto-bot
security warnings, I'd say that person has a really good basis for a
lawsuit. I know I'd have a lawyer give this guy a call, just to scare

Hmm. Interesting hacker attack -- start sending these notes out,
simulating admins, to get people you don't like in trouble. What checks
and balances are there that the messages themselves are true? Only the
ability to sit down and talk to the Admin and compare notes. In this
case, the admin has no clue, because he was never in the loop. There
ARE no checks and balances here. It's completely bogus to me.

> > ...there is a more basic flaw in the URLs used in the Internet that
> > appears to make firewalls very weak prey for attackers and enables Web
> > sites to launch highly distributed and hard-to-trace attacks.

Published papers? Research? Any facts at all?

> Cohen's alarmist messages had the
> potential to cause harm (loss of accounts, financial losses, disciplinary
> actions) to innocent people.  This was incredibly irresponsible of him.

Agreed completely.

> It was also hypocritical of Cohen to send the complaints.  Before sending
> his alarmism, he would attack the machine the connection was coming from in
> an attempt to discover the identity of the user responsible. This is
> actually a serious security violation at one of my sites.

Ah, but this is different -- he was on the side of good. This is the
logic that allows the DEA to confiscate a house because of two joints
of hemp. It's for the good of whatever side God is fighting on this

> Others who were irritated with Cohen's irresponsibility, in a
> wonderfully done melding of protocols, set up web pages to increase the
> load on Cohen's system.

I don't support this kind of activity. Understand it, definitely, but
not support. In the Science Fiction Fandom world, it's known as
"freaking the mundanes". It's a giggle, but creates more problems than
it solves. Kids will be kids, but I don't have to give permission.

Better to just let him sit alone in his corner, muttering about
communists in the cupboard. But no, some folks have to knock on the
door and run away giggling....

> Perhaps they were attempting to show Cohen how his irresponsibility could
> be met with distributed social control.

No, they were just being immature. Let's not throw high moral values
onto things that better fit the kind of practical jokes you get from
Frat Houses....

> Basically, Cohen needs to get a clue.

I might go a lot further, but I won't. Cohen is clearly out of step
with Internet Reality. His attitude's more in line with Nancy Reagan
than the Internet. Just Say No. Always behave. Warning labels on
everything. No fun [allowed].

> He should especially not
> _automatically_ make unfounded alarmist accusations.

Jesus, no. He should talk to his lawyer about the legal implications of
doing this. If I brought this up with my lawyers, they'd have a cow,
and charge me for the delivery.

> In the end, it is only Cohen's irresponsibility and overreactions that have
> caused his woes.  Any siege he was under was of his own making, brought on
> by his absolutist and bombastic attitude.

From what I've seen in this, I agree. Is Cohen involved in any of the
mainstream Internet security groups? My wife is a member of COAST and
FIRST, and the CERT contact for Apple, and her initial response was
"who IS this guy?" -- so he's not exactly well-known to the serious
security folks. He may consult on net security, but he's not involved
in the Internet Security circles that she knows of.

> Enough for now, I have to go 'telnet all.net' to see how Cohen has changed
> his attack system.

Me, I'm going to ignore him. He's not worth wasting time on. I have
real work to do. Paranoids should be allowed to be paranoid, but they
can be so on someone else's nickel....

             Chuq Von Rospach            Software Gnome and Internet Tweaker
                     Apple Solutions Marketing Webmaster
     (<http://www.solutions.apple.com/> +-+ <chuq@solutions.apple.com>)

                            Plaidworks Consulting
          (<http://www.plaidworks.com/> +-+ <chuqui@plaidworks.com>)

"It was to be a journey that they would remember for a very, very long time."
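The threshold-based alerting Chuq sets against zero tolerance, as an added example that is not part of the original message: a detector run over constructed failed-login lines that fires once per source when failures cluster inside a window, beside the one-alert-per-attempt alternative. The log format, the limit of 5 and the 10-minute window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original page): one stray typo
# from 10.0.0.5, a sustained guessing run from 192.0.2.7, one typo from 10.0.0.9.
SAMPLE_LOG = """\
1996-04-16 22:40:01 login: failed password for alice from 10.0.0.5
1996-04-16 22:41:10 login: failed password for root from 192.0.2.7
1996-04-16 22:41:12 login: failed password for root from 192.0.2.7
1996-04-16 22:41:15 login: failed password for admin from 192.0.2.7
1996-04-16 22:41:19 login: failed password for guest from 192.0.2.7
1996-04-16 22:41:23 login: failed password for oracle from 192.0.2.7
1996-04-16 23:55:00 login: failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) login: failed password for (\S+) from (\S+)$")

def parse(log):
    """Yield (timestamp, user, source) for each failed-login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def zero_tolerance(log):
    """One alert per failed attempt: every poke becomes a message."""
    return [f"alert: {src} failed login as {user}" for _, user, src in parse(log)]

def thresholded(log, limit=5, window=timedelta(minutes=10)):
    """Alert once per source when `limit` failures fall inside `window`."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, _, src in parse(log):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget attempts outside the window
            q.popleft()
        if len(q) >= limit and src not in alerted:
            alerted.add(src)
            alerts.append(f"alert: {src} reached {limit} failures within {window}")
    return alerts

if __name__ == "__main__":
    print(len(zero_tolerance(SAMPLE_LOG)), "zero-tolerance alerts")
    print(thresholded(SAMPLE_LOG))
```

The two stray typos produce no alert in threshold mode, while the guessing run still trips the detector within seconds; in zero-tolerance mode all seven lines become messages.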

[ TBTF for 1996-04-21 ]