Re: [iwar] news - on the use of a rant

From: 7Pillars Partners (partners@7pillars.com)
Date: 2001-07-30 20:55:45


Return-Path: <sentto-279987-1500-996551795-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Mon, 30 Jul 2001 21:00:16 -0700 (PDT)
Received: (qmail 26949 invoked by uid 510); 31 Jul 2001 02:59:06 -0000
Received: from n11.groups.yahoo.com (216.115.96.61) by 204.181.12.215 with SMTP; 31 Jul 2001 02:59:05 -0000
X-eGroups-Return: sentto-279987-1500-996551795-fc=all.net@returns.onelist.com
Received: from [10.1.4.55] by c3.egroups.com with NNFMP; 31 Jul 2001 03:56:40 -0000
X-Sender: partners@7pillars.com
X-Apparently-To: iwar@yahoogroups.com
Received: (EGP: mail-7_2_0); 31 Jul 2001 03:56:35 -0000
Received: (qmail 31394 invoked from network); 31 Jul 2001 03:56:34 -0000
Received: from unknown (10.1.10.26) by l9.egroups.com with QMQP; 31 Jul 2001 03:56:34 -0000
Received: from unknown (HELO sirius.infonex.com) (63.215.252.2) by mta1 with SMTP; 31 Jul 2001 03:56:34 -0000
Received: from localhost (partners@localhost) by sirius.infonex.com (8.8.8/8.8.8) with SMTP id UAA14266; Mon, 30 Jul 2001 20:56:31 -0700 (PDT)
X-Authentication-Warning: sirius.infonex.com: partners owned process doing -bs
X-Sender: partners@sirius.infonex.com
To: iwar@yahoogroups.com
Cc: abz@llnl.gov
In-Reply-To: <20010731025852.2987.qmail@web14501.mail.yahoo.com>
Message-ID: <Pine.SOL.3.96.1010730205503.12883E-100000@sirius.infonex.com>
From: 7Pillars Partners <partners@7pillars.com>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Mon, 30 Jul 2001 20:55:45 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: Re: [iwar] news - on the use of a rant
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Sigh.  OK, you asked for it.  A counter-rant.

First, regarding Tony's comments.  I've been on the record for a long time in
calling Microsoft a 'national security threat'--their software sucks, their
security sucks, and monopolistic penetration has created a monoculture that
allows even buggy exploits to penetrate a great number of machines.  Would I
answer a call from Microsoft to fix their problems?  Sigh.  Probably.  We'd get
screwed on the deal, but at least it would get a better solution out to many
systems, an economy of scale we (7Pillars) can't achieve with piece-meal
clients.  Incidentally, we tried to start an effort called OpenAudit, which
would have made auditing and penetration tools, as well as an open source
standard for evaluation freely available to the community, but we couldn't get
any traction.  Everybody likes to keep their tools and materials proprietary,
nobody wants to create a standard (like the Generally Accepted Accounting
Principles, or GAAP, that makes financial reporting and transparency possible)
in the open source.  Critical infrastructure protection is a field dominated by
law enforcement, beltway bandits, and the Usual Suspects (anti-viral vendors,
other folks with a business model that profits from a perpetuation of
vulnerability).  I can't tell you the amount of flak I've taken for attacking
the Pearl Harbor scenario as the load of crap that it is, but trying to get
people to wake up to the real threat (penetration and subversion).  Beating my
head into a concrete wall would approximate the level of fun and excitement
I've had trying to 'do the right thing.'

On to a number of other points...
- Sure, we understand the problem a lot better than the FBI.  Put it like
this...  there is a real problem out there.  The FBI doesn't know what to do
about the problem--it's outside their level of competence, resources,
jurisdiction, etc.  So they do what they know--if all you have is a hammer,
every problem looks like a nail.  So they go out and arrest some kids, alienate
a hell of a lot of people, and nothing gets solved.  Worse, it criminalizes the
hacker community, which pushes them into the arms of the real threats, and
doesn't give them a way back over to this side.  There is no easy answer--they
have a responsibility, and the problem is out of their scope.
- I would love nothing better than to solve the problems.  I've been trying for
years.  Long, long ago I developed a system that prevented (not detected, which
software does, but prevented) infection from computer viruses.  It used
cryptography, which made it problematic, since 'crypto is evil' to a lot of
folks.  No, it isn't evil, it's a technology, and it can solve the problems, if
they just let us use it.  Lots of money gets tossed at pretty crappy projects,
but real solutions have one hell of a time getting support.
- We understand IWAR better than a lot of folks.  I can make a very good case
for being the guy who coined the term (look up 'infrastructural warfare' some
time; infowar and info ops are a subcategory).  Darling computer hackers get
called before the Senate to gush and get fawned over, and talk about *gasp* it
recently occurred to them that someone could attack the power grid.  Welcome to
the real world kids, we've been here longer than you've been alive.  The
political side isn't going to help anyone--the real solutions have to come from
the market, because that's the real playing field.  Government is a consumer,
so security has to be integrated in every commercial-off-the-shelf (COTS)
system possible.  If you know someone that's wired and has the bucks, I'll be
happy to explain to them what needs to be done--I'll use math, cartoons,
semaphors, or interpretive dance to get the point across.
- We've stopped publishing our work to the net primarily because the bad guys
were using the work, while the good guys kept wandering around in the dark
looking for their privates with both hands.  I'm not going to cop an attitude,
since I don't need the ego strokes.  Free speech requires some responsibility,
but saying that aloud these days is grounds for being committed to an
institution because of diminished capacity.
- Sure, the National Security Advisor and the 21 Usual Suspects are going to be
confused.  On the other hand, what progress was being made before?  I'm
slightly more cynical, perhaps, but to me it's just six of one, half a dozen of
another.  Give me someone with command authority that really wants to do
something, and can withstand political attacks...  but that isn't going to
happen until something Very Bad occurs to scare everyone shitless.  It's the
pattern in security, which follows spending and attention like a sinewave.
Something happens, up goes the spending until the problem is mostly solved...
and then the system freezes.  Vulnerabilities develop while the budget drops
(security is a cost center, friends) and protective measures 'fall out of step'
with the real world, and then someone attacks again, which sparks increased
spending, and so on, and so on...
- It hasn't been a game for a long time.  We aren't getting any calls to play
superhero and rescue the system, so we stick to our clientbase and keep them
out of trouble.  To be perfectly honest, I would be very surprised to 'get the
call,' simply because I know our approach is voodoo, witchcraft, and black
magic to most people.  They (you know, 'them') want simple answers, quick
fixes, and reassurance.  We don't sell that, because we don't bullshit our
clients.
- Unlike a lot of folks in this 'industry,' we're a firm that can pull triggers
and hack systems.  I'm capable and willing to do either, and lots in-between,
to solve the problems.  Why?  Because I've seen, up close and personal, what
it's like in poverty, in the middle of attempted genocide, in police states,
and all the lovely shit people watch sitcoms to escape knowing about.  To
paraphrase _Fight Club_, I want to shoot every neo-Luddite that wants to stop
progress and screw up our future.  I would also happily do the same to our
various adversaries--I'm pro-freedom, pro-individual, and until you've seen the
worst, you don't have an appreciation for what the U.S. has to offer.

/end rant

Michael Wilson
7Pillars Partners

On Mon, 30 Jul 2001, e.r. wrote:

> You have my second as well with one large exception.  Some members of
> this group understand the problem better that your average FBI type
> does, HENCE IT IS incumbent upon us not to let matters worsten.  To
> bitch and rank it to do nothing.  If no one with IWAR understanding
> does not work to gain political backing and the bucks to protect that
> infrastructure, I, for one, will not give the play book away to the bad
> guys simply to cop an attitude vis a vis how badly things are being
> handled.  Conde Rice and her 21 Deputies from nearly every large agency
> will be as useful as dopey, laughy, sneezy  and their pal, brain dead
> of the new seven dwarves.
> 
> This is no longer a game and it is time to put your money where your
> mouth is.  To claim we are the "all knowing" of the IWAR circut and
> then to do nothing makes you look just as bad as the AOL lover-Im not
> kidding- on Dr. Rice's Committee.  In fact it makes you look worse
> because you know better.
> Fred, Tony and company, we have to attempt to effectuate change, or at
> a min. not allow these fools to damage national security dependent
> parts of the cyber infrastructure beyond repair.  It is a real
> possibility with the attacks like Code Red, and others from foreign
> nationals whose goals are to trash that system we rely on. I hate being
> correct in such situations, but it is hard to deny. I did grow up in a
> second rate nation and I will do whatever I can to slow down the
> adversaries. How about you, folks?  It is gut check time and I hope you
> will take the chance at intervention.
> --- Tony Bartoletti <azb@llnl.gov> wrote:
> > 
> > >
> > > > ``The Internet has become indispensible to our national security
> > and 
> > > economic
> > > > well-being,'' said Ron Dick, head of the National Infrastructure 
> > > Protection
> > > > Center, an arm of the FBI. ``Worms like Code Red pose a distinct
> > threat to
> > > > the Internet.''
> > >
> > ><RANT>
> > >No, crappy software poses a distinct threat to our economy and
> > >national security.  These idiots never seem to get the clue that
> > >until software doesn't suck, we are going to continue having these
> > >problems.
> > ></RANT>
> > 
> > I second that emotion.
> > 
> > ___tony___
> > 
> > 
> > Tony Bartoletti 925-422-3881 <azb@llnl.gov>
> > Information Operations, Warfare and Assurance Center
> > Lawrence Livermore National Laboratory
> > Livermore, CA 94551-9900
> > 
> > 
> > 
> > 
> > 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/
> 
> 
> ------------------
> http://all.net/ 
> 
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 
> 
> 


------------------------ Yahoo! Groups Sponsor ---------------------~-->
Small business owners...
Tell us what you think!
http://us.click.yahoo.com/vO1FAB/txzCAA/ySSFAA/kgFolB/TM
---------------------------------------------------------------------~->

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:38 PDT