Re: Odd security concept from M$

On Thu, 13 Sep 2007, barsalou wrote:

> I'm not sure I understand what your getting at. I did find it an
> interesting read, however.
>
> Mike B.
>
> Quoting David Edge <dedge@alaska.net>:
>
>> Interesting read, see if you can spot all the straw-men the author
>> throws out.
>> http://www.microsoft.com/technet/community/columns/secmgmt/sm0907.mspx
>>
>> David Edge

There's a reason this guy's title is "Advisor" -- not engineer,
administrator, or technician. This is a PHB with a pocket protector and
suspenders.

I see lots of drivel here, with the only coherent thought being security
needs to be a core tenet. In other words, crunchy all the way through, not
with a soft, chewy center. I think that flash of the obvious was first
addressed, oh, a few decades ago.

Some of the straw men: that nothing can be done about naked HTTP/SMTP/etc.
protocols that are allowed through the network boundaries. Not true. One
could force all traffic through controlled relays & proxies, through which
you could perform in-line scanning to prevent hostile payloads from
traversing in either direction. And, yes, there are things that can be done
about SSL as well. If all your clients are managed you could push your root
CA cert to them and forge certificates for their intended end-points all day
long with no alarms raised on the client, for instance. And there's still
things you can do without performing man-in-the-middle attacks as well.

He also purports to say that IDS systems are worthless because managing
noise-to-signal ratios are impractical. Hogwash. Apparrently statistical
analysis (even automated analysis) doesn't exist within the MS ecosystem
because they haven't been able to patent it yet.

What this shill neglected to provide was this follow-up paragraph to "What
De-permieterization Is Not":

   What De-perimeterization Is

   De-perimieterization is another meaningless and mind-numbing techno-
   market-speak term whose only purpose is to inspire the knee-jerk reaction
   of purchasing and deploying "solutions" which will provide revenue to
   "security vendors". "Security vendors" must be quoted in this case
   because in keeping with the techno-market-speak theme it doesn't really
   refer to any company that actually knows a damned thing about security.
   In fact, it actually refers to one company in particular, Microsoft.

Note the blatant plug for no less than three MS products.

         --Arthur Corliss
           Live Free or Die
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Thu Sep 13 17:00:41 2007