This material is Copyright © by Chuq Von Rospach <email@example.com>.
At 10:40 PM 1996-04-16, Keith Dawson wrote:

> Gentlemen -- care to step into a foodfight? You're admins whose opinions I
> respect, and if you have the time I would appreciate your comments on the
> "zero tolerance" philosophy of system security practice. Thanks.

I'm honored. Interesting situation.

> If you reply, please include any conditions or stipulations you want honored
> with respect to my making your reply public in a future issue of TBTF and in
> its permanent archive.

No restrictions on distribution, private or public.

> ||| Anatomy of a protracted Net attack |||
>
> > Take a zero-tolerance attitude toward investigating attempts to scan or
> > enter your system.

Right off the bat, IMHO, this is a no-win situation. People will poke. This is
"Just Say No" gone on-line. Might have worked for Nancy Reagan, but it sure
didn't do much but feed the anti-drug bureaucracy.

If you want to build a job description with security, this is a great way to
do it. For those of us who have real jobs, it's not practical. There are
realistic levels of security that do at least as good a job (perhaps better)
at a much lower resource utilization (and/or wastage) and a much lower level
of paranoia.

Besides, being so hard-core and uptight does tend to make you a target.
Proclaim yourself 100% secure and all of the "oh yeah? we'll see about that!"
types will flock in...

> > The idea that one attempt to guess a password or gain
> > unauthorized entry is too small to bother with opens a giant hole.

How? Unless they can get it the first time, it doesn't. Reasonable tools can
set a level of attack awareness and go off when they're reached, maintaining
a level of security without going lunatic.

This "no tolerance" approach reminds me of a guy who's so afraid of a building
catching on fire he sets his alarms to turn on the sprinklers and calls the
fire department every time someone lights a cigarette in a no smoking zone.
The building won't burn down, but the side-effects make you forget the
advantages. And the fire department will get really pissed at you...

> > With modern attack tools, instead of scanning for a lot of services on
> > one computer, I can scan for a few services at many computers. By
> > staying below your incident detection threshold, an attacker can go
> > after systems at will and without fear of recourse.

I'm curious -- has he ever succeeded with an attack approach like this? Are
there papers showing the efficacy of this approach? Sounds an awful lot like a
strawman to me. Is there any data to back up this attitude? Or was it created
to back up the policy?

> > With zero-tolerance, each questionable activity results in another
> > message to the systems administrator at the site where the attack
> > originates. Pretty soon, the activities will be seen as significant.

Pretty soon, the administrator will write that system off as a twit and throw
them all out unread, so that REAL problems will also be ignored. (See also,
"Wolf, Crying". Or any car alarm after dark in a downtown parking lot.)

I get a lot of email. If a system starts babbling at me, it'll get filtered.
If an ADMINISTRATOR comes to me for help, I'll do what it takes to deal with a
problem -- but when an autobot starts nattering at me and it's clear no
human's even looked at the situation, I'll deal with it with the respect it
deserves.

In fact, I'll go a bit further. By sending out auto-bot notes like this,
without any verification of the situation by human hands, the administrator
is trying to foist responsibility for his system's security on other admins
and refusing to take responsibility himself. I have enough trouble watching my
own house. I don't appreciate someone coming along and using a robot to tell
me to watch his, too.
And this is fairly serious -- System Admins who aren't very knowledgeable might
well choose to shoot people first and ask questions maybe, so this kind of
messaging without validation is a very serious security issue in itself. The
first time an Admin over-reacts and kills a student's account or gets an
employee in trouble over one of these auto-bot security warnings, I'd say that
person has a really good basis for a lawsuit. I know I'd have a lawyer give
this guy a call, just to scare him.

Hmm. Interesting hacker attack -- start sending these notes out, simulating
admins, to get people you don't like in trouble. What checks and balances are
there that the messages themselves are true? Only the ability to sit down and
talk to the Admin and compare notes. In this case, the admin has no clue,
because he was never in the loop. There ARE no checks and balances here. It's
completely bogus to me.

> > ...there is a more basic flaw in the URLs used in the Internet that
> > appears to make firewalls very weak prey for attackers and enables Web
> > sites to launch highly distributed and hard-to-trace attacks.

Published papers? Research? Any facts at all?

> Cohen's alarmist messages had the
> potential to cause harm (loss of accounts, financial losses, disciplinary
> actions) to innocent people. This was incredibly irresponsible of him.

Agreed completely.

> It was also hypocritical of Cohen to send the complaints. Before sending
> his alarmism, he would attack the machine the connection was coming from in
> an attempt to discover the identity of the user responsible. This is
> actually a serious security violation at one of my sites.

Ah, but this is different -- he was on the side of good. This is the logic
that allows the DEA to confiscate a house because of two joints of hemp. It's
for the good of whatever side God is fighting on this time.
> Others who were irritated with Cohen's irresponsibility, in a
> wonderfully done melding of protocols, set up web pages to increase the
> load on Cohen's system.

I don't support this kind of activity. Understand it, definitely, but not
support. In the Science Fiction Fandom world, it's known as "freaking the
mundanes". It's a giggle, but creates more problems than it solves. Kids will
be kids, but I don't have to give permission. Better to just let him sit alone
in his corner, muttering about communists in the cupboard. But no, some folks
have to knock on the door and run away giggling....

> Perhaps they were attempting to show Cohen how his irresponsibility could
> be met with distributed social control.

No, they were just being immature. Let's not throw high moral values onto
things that better fit the kind of practical jokes you get from Frat
Houses....

> Basically, Cohen needs to get a clue.

I might go a lot further, but I won't. Cohen is clearly out of step with
Internet Reality. His attitude's more in line with Nancy Reagan than the
Internet. Just Say No. Always behave. Warning labels on everything. No fun
[allowed].

> He should especially not
> _automatically_ make unfounded alarmist accusations.

Jesus, no. He should talk to his lawyer about the legal implications of doing
this. If I brought this up with my lawyers, they'd have a cow, and charge me
for the delivery.

> In the end, it is only Cohen's irresponsibility and overreactions that have
> caused his woes. Any siege he was under was of his own making, brought on
> by his absolutist and bombastic attitude.

From what I've seen in this, I agree. Is Cohen involved in any of the
mainstream Internet security groups? My wife is a member of COAST and FIRST,
and the CERT contact for Apple, and her initial response was "who IS this
guy?" -- so he's not exactly well-known to the serious security folks. He may
consult on net security, but he's not involved in the Internet Security
circles that she knows of.
> Enough for now, I have to go 'telnet all.net' to see how Cohen has changed
> his attack system.

Me, I'm going to ignore him. He's not worth wasting time on. I have real work
to do. Paranoids should be allowed to be paranoid, but they can be so on
someone else's nickel....

--
Chuq Von Rospach
Software Gnome and Internet Tweaker
Apple Solutions Marketing Webmaster (<http://www.solutions.apple.com/> +-+ <firstname.lastname@example.org>)
Plaidworks Consulting (<http://www.plaidworks.com/> +-+ <email@example.com>)
"It was to be a journey that they would remember for a very, very long time."
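The two sides of the argument above are, in detection terms, a question of where a threshold is counted. The reply argues for tools that "set a level of attack awareness and go off when they're reached" instead of alarming on every probe; the quoted objection is that an attacker who touches "a few services at many computers" stays under any per-host threshold. The following is an added example, written for this page and not code from Chuq Von Rospach, TBTF or Cohen, showing both views over the same constructed log: counting probes per target host (a host-local alarm) misses the distributed pattern, while counting per source across the whole site with the same window and threshold catches it after three events and, because it fires once per key, does not natter. The log format, host names, addresses, window and threshold are all assumptions made up for the demonstration.

```python
"""Sliding-window probe counting, keyed per target host or per source site-wide.

Added example; the log lines, hosts, addresses and thresholds below are
constructed for illustration and are not from the original message.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip target_host port".
# One source (10.0.0.5) probes two ports on each of four hosts over two
# minutes, so no single host sees more than two probes from it; 10.0.0.9
# is benign noise that touches host5 twice, half an hour apart.
SAMPLE_LOG = """\
1996-04-16T22:00:01 10.0.0.5 host1 23
1996-04-16T22:00:02 10.0.0.5 host1 25
1996-04-16T22:00:41 10.0.0.5 host2 23
1996-04-16T22:00:42 10.0.0.5 host2 25
1996-04-16T22:01:20 10.0.0.9 host5 80
1996-04-16T22:01:21 10.0.0.5 host3 23
1996-04-16T22:01:22 10.0.0.5 host3 25
1996-04-16T22:02:01 10.0.0.5 host4 23
1996-04-16T22:02:02 10.0.0.5 host4 25
1996-04-16T22:30:00 10.0.0.9 host5 80
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, target, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect(log_text, window, threshold, key="source"):
    """Count probe events per key inside a sliding time window.

    key="target": count events per target host, the way a host-local alarm
                  on each machine would see them.
    key="source": count events per source address across every host, i.e.
                  correlate site-wide so a low-and-slow sweep adds up.

    Returns a list of (key_value, timestamp, count) alerts. Each key fires at
    most once, the first time its count within `window` reaches `threshold`,
    so a noisy source produces one alert to review rather than a stream.
    """
    recent = defaultdict(deque)   # key value -> timestamps still inside the window
    fired = set()
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, port = parse_line(line)
        k = src if key == "source" else dst
        q = recent[k]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that have aged out
            q.popleft()
        if len(q) >= threshold and k not in fired:
            fired.add(k)
            alerts.append((k, ts, len(q)))
    return alerts


if __name__ == "__main__":
    win, thr = timedelta(minutes=5), 3
    print("per-target alerts:", detect(SAMPLE_LOG, win, thr, key="target"))
    print("per-source alerts:", detect(SAMPLE_LOG, win, thr, key="source"))
```

With a five-minute window and a threshold of three, the per-target run returns no alerts, which is exactly the gap the quoted text describes, and the per-source run returns a single alert for 10.0.0.5 at 22:00:41. The alert is a record for an administrator to look at, not an automatic complaint to another site; that keeps the human verification step the reply insists on.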