Domain: ranum.com
Stories and comments across the archive that link to ranum.com.
Comments · 151
-
Re:If you are depending solely on your choice of OS
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
They shouldn't have to listen; the system should be designed for security from the ground up.
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Relying on user education is #5 on the Six Dumbest Ideas in Computer Security. -
Re:How many of the 70,000 are elderly?
This is not a new problem, and, frankly, a problem that only education.... can fix.
This hasn't worked yet. Why should we expect it to work now?
Rather than repeat the argument, read point number 5 in The six dumbest ideas in computer security -
The Six Dumbest Ideas in Computer Security
you could have a look at
http://www.ranum.com/security/computer_security/editorials/dumb/index.html -
Re:Appeals to emotion for fun and profit
Here's why the US government is so concerned about someone hiding a trojan horse inside sensitive code: The U.S. has done it to other countries before.
Click here for a fascinating article describing how the CIA and FBI managed to sell to the Soviets some chips with bungled operations "hidden" in the chips, to be used for their shiny, new Trans-Siberian natural gas pipeline. The result was the largest non-nuclear explosion ever seen from space.
What goes around, comes around, and the government is getting nervous...
-
Why the kernel is an issue
The kernel has a reputation for being not particularly bad.
The reason the kernel is an issue, is that the new "threat" against Windows security is the owner/administrator of the machine. Microsoft needs to try to implement DRM, in order to get into bed with the media companies and sell music and Zunes to play it. You can't implement DRM if the user can patch the kernel to work around the DRM. Thus, they're going to try to prevent end-users from having the capacity to modify this behavior of their own computer.
The "security companies" are taking collateral damage from this, because their applications have to intercept all reads/writes (to files, the network, whatever) in order to scan all data against a blacklist of known malware in order to try to protect the comically fragile userspace. This scanning is implemented through kernel patches, I guess.
-
Re:This is NOT the same thing
I'm convinced that the days are numbered on all of these signature-based anti-virus applications. It's what Marcus Ranum refers to as "Enumerating Badness". There is nearly infinitely more malicious code than trustworthy code. Why bother trying to discover them all?
And by definition, signature-based AV requires at least one customer organization getting infected before the signatures can be distributed to customers. How many customers will be dumped on before they wake up and realize that taking an inventory of all legitimate applications and technically enforcing a policy that allows only those to run is a much more effective approach at maintaining an infrastructure? Signature-based AV is the easy-chair of the Windows Admins.
If you really want to know what value AV vendors have added to the IT world it's that IT organizations have effectively "outsourced" the inventory functions of identifying good vs. bad software. Whether Microsoft wipes them off the face of the planet or not, it's really irrelevant: very soon organizations will inventory their legitimate code and implement a "Default Deny" policy where no code can execute except what is explicitly allowed, instead of vice versa. Why will they? Because the Finance guys will finally figure out how it works. Signature-based AV = Lazy Admins. Smart CFOs will drive the end of Symantec and McAfee (or the diversification of their product line).
Microsoft already has a tool that could (with tweaking and better deployment tools) one day put all the AV vendors out of business, if this new SDL delivers as expected (Vista will of course be the first OS under the new SDL) and the number of privileged-service exploits is reduced.
The real topic of interest here in this thread is that slashdot readers/critics like to knock Microsoft whether they are susceptible to malware OR whether they are making efforts to eradicate it. Funny how the critics don't complain about how Symantec and McAfee have been bumped out of the Mac OSX AV business ...
-Tim -
no firewall can keep all hackers out
"No firewall can keep all hackers out." With these words, security consultant Bob Toxen began his sermon, or workshop, on the "seven deadly sins" of Linux security. Any IT manager who commits one of these sins will "get nailed sooner or later,"
"Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers"
'"Enumerating Badness" is the idea behind a huge number of security products and systems, from anti-virus to intrusion detection, intrusion prevention, application security, and "deep packet inspection" firewalls' -
Re:Useful in their own right
"Hardware routers only block incoming traffic"
I don't see why not, a firewall is a customized router with rules that block by source address/port. If you don't want people surfing, block outgoing on port 80. Of course it's going to be difficult figuring out what is or is not legitimate traffic coming out of a Windows box as it has to open numerous high ports in order to function.
"Suppose I submit a firewall for testing that consists of a screening router with a default set of rules that block all traffic except outgoing WWW?"
"and can't do it on a per-program basis"
What you are referring to is an application-level firewall. Software or personal firewalls are no substitute for embedded standalone solutions, as when the user's personal system is compromised, all bets are off. -
Re:No no No no No no NO
You don't need to escape strings.
I'd even say that you shouldn't. Escaping strings is enumerating badness. You put your backslashes before your single quotes. Secure? Ummmm... sorry, you also have to put backslashes before backslashes. Secure? Nope, your db interprets 0xd inside the sql as "empty the buffer, start new sql", even inside an open string, so you have to escape that also. (Of course you can "enumerate goodness" - only alphanumeric chars, but there is no reason to, if you have param binding.) Just don't build your query on the fly. Bind ALL parameters to placeholders in a prebuilt query. Binding is an instant kill for any SQL injection attack. It is also much more efficient on many databases.
Parameter binding doesn't exclude building your query on the fly. Having many optional filters that filter on joined tables practically forces you to use dynamic sql, but there's no reason not to use param binding in that too. -
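Added example (not from any commenter, not from ranum.com): the string-spliced query beside its bound-parameter form, plus a dynamic filter builder that assembles the WHERE clause from a fixed set of column names while every value still travels as a bound parameter. The table, rows and hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table, not taken from any real system.
SAMPLE_USERS = [
    ("alice", "admin", "active"),
    ("bob", "user", "active"),
    ("carol", "user", "disabled"),
]

# Column names cannot be bound as parameters, so the dynamic builder only
# accepts columns from this fixed set ("enumerating goodness" for the one
# part of the query that cannot be a placeholder).
FILTERABLE_COLUMNS = {"name", "role", "status"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, status TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable form: the value is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Hardened form: the query text is fixed, the value is a bound parameter."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def build_filtered_query(filters):
    """Dynamic SQL with optional filters that is still fully parameterised.

    filters: dict of column -> value. Only columns in FILTERABLE_COLUMNS are
    accepted; values never touch the query text. Returns (sql, params).
    """
    clauses = []
    params = []
    for column, value in filters.items():
        if column not in FILTERABLE_COLUMNS:
            raise ValueError(f"unsupported filter column: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    return sql, tuple(params)


def find_filtered(conn, filters):
    sql, params = build_filtered_query(filters)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"                       # constructed hostile input
    print(find_by_name_concat(conn, hostile))    # every row comes back
    print(find_by_name_bound(conn, hostile))     # [] : no user has that literal name
    print(find_filtered(conn, {"role": "user", "status": "active"}))  # ['bob']
```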
Re:Well grandma...
another thing is that these pages work as a kind of "enumerating goodness" page.
http://www.ranum.com/security/computer_security/editorials/dumb/
see point 2. -
Richard Feynman's Paper on the Challenger Disaster
For those who haven't read it, Richard Feynman's Personal observations on the reliability of the Shuttle is a fascinating look at some of NASA's inner workings, and the problems that led to the Challenger disaster. What is surprising (or perhaps totally expected) is that once again we hear managers and engineers differ on what is acceptable levels of risk.
For those who don't know Richard Feynman, he won the Nobel prize, helped develop the atom bomb, and suggested ways for geeks to pick up women. -
I think Marcus Ranum is smarter than Bruce S.
Here is what Marcus Ranum had to say about this topic.
Inviting Cockroaches To The Feast http://www.ranum.com/security/computer_security/editorials/lawyers/index.html
On a related open source topic read this
Stupid About Software http://www.ranum.com/editorials/software-lawsuits/index.html -
Re:Stupid Analogies
As an interesting coincidence, I was reading an article by Marcus J. Ranum today, entitled The Monoculture Hype. Among other things, Marcus criticises bad analogies:
Analogies are dangerous verbal tools. Basically, they treat the listener as a patsy by presenting a carefully constructed world-view that is tailored to explain and prove the analogist's point, while omitting everything that would argue against it. While the concept of "monoculture" is an attractive analogy for a security problem, it ignores the simple truth that we could just as easily talk about the actual problem in its real context without resorting to cute analogies. For example, if you take the CCIA paper and rewrite it into a pure computer security conceptual framework, I think the authors' argument might read something like: "Microsoft's products suck; they are insecure. Everyone keeps buying Microsoft's products anyhow, which makes the situation worse rather than better. There is a very real danger that if everything relied on sucky products then we'd all be vulnerable all the time and some cataclysmic software chernobyl is more likely to happen." It happens I agree with that statement. But if you avoid the analogies and pseudoscience and pose the problem in the terms I did above, then you've avoided intellectually painting yourself into a corner and you can ask the interesting questions such as: "how can we reduce the suckiness?" "are we applying the wrong market forces?" "what alternatives are better?" etc. In fact, these questions are so obvious (and profound) that asking them around most seasoned security experts will generate a tired "well, DUH!" as a response. I think, honestly, that the CCIA authors' reliance on analogy helped them catapult a "well, DUH!" anti-Microsoft whine into a major whitepaper. Professionally it's good for them, but for the industry, intellectual honesty is better in the long run.
It's a good read.
-
Re:Sounds a bit harsh to me
This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be.
As opposed to what?! Bad is bad, especially in security, where one breach is all you need. I don't think there's any such thing as "secure to a degree". You're either secure or you're not.
Perhaps you meant that "the consequences are not as bad as they could be". But how much worse do you want it to get? So far the bad guys have been using victims' computers to send spam, DDoS attacks, phishing, empty bank accounts, steal email and IM accounts, spy your surfing, or bring the computer to a crawl with malware. What more do you want?
The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
In that case, you're in serious need of some required reading. Try this for size: The Six Dumbest Ideas in Computer Security.
I think you'll find that the state of security today is bad, because it's being designed poorly from the ground up. Why blame the criminal who breaches the system when you can blame whoever made the system? A system of any kind should only allow break-ins if it was meant to, not by accident.
Why blame viruses and play catch-up with antivirus definitions instead of making the OS virus resistant? Why blame whoever sent you a self-executable IM or email message instead of the dumbass who allowed your IM or email client to execute it? Why blame phishing attacks instead of designing the DNS system properly? Why blame spammers instead of the happy-go-lucky thing called SMTP? Need I go on? If a system has potential for abuse, it will be abused, period. -
Re:Is the database compromised? No, the company is
They RESPOND to the spammer?
So basically they are running a service for spammers, showing them which addresses are valid...
Why do I bother? I am compelled.
Twit: This article is a great description of how it works. Most specifically, from that article:
"In The FTC's report on the feasibility of a national do not email registry,[1] they conclude that a registry would be a greater detriment to the Internet community than it would be a benefit. The report even considers the possibility of using a hashing algorithm to make it impossible for the "harvester" to directly use the registry as a recipient list, and concludes that hashing would not help because the harvester could use the same hashing approach to validate addresses from their existing email recipient list, thereby defeating the purpose of the hash. In fact, this is poor logic because there is no evidence that bulk emailers care about the accuracy of their lists - since it costs them nothing to send the messages in the first place, there is no reason for them to concern themselves with ensuring that their lists are accurate."
Would it help you to STFU if I put your tinfoil hat in your mouth? -
Marcus Ranum had an opinion on this
Marcus Ranum's opinion
-----------------------
Monoculture Hype Alert!
NSF Grants Two Universities $750,000 to Study Computer Monocultures (25 November 2003)
With the help of a $750,000 National Science Foundation grant, Carnegie Mellon University and the University of New Mexico will study computer "monocultures" and the benefits of diverse computing environments. "The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerability less effective as a means of attack against the population as a whole."
$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!
The Myth of Monoculture
Recently, my friends Dan Geer and Bruce Schneier (along with other smart people) published a paper postulating that our computing environments are at risk of security disasters because of a "Microsoft Monoculture." This paper has gotten a tremendous amount of attention lately. Unfortunately, I think that many of the papers' proponents have forgotten that the paper is an analogy and not real science. Arguing by analogy is illuminating but also distracting.
See link below for the full opinion on "The Myth of Monoculture".
http://www.ranum.com/security/computer_security/editorials/monoculture-hype/index.html -
Re:A better way to teach this.
Would be to have separated the class into two teams with two networks and then have them secure their networks. Then launch attacks against one another.
I dunno, some security experts seem to think that "penetrate and patch" is not such a brilliant idea after all. -
Re: the obvious response
Trouble is, on Windows, by the time it's locked down enough to be secure, people can't do useful work on it
Which is, of course, complete cobblers. Badly designed software which runs on Windows may make it substantially harder, but we're talking about a stock exchange here. The amount of money in question is easily enough to ensure that software which requires admin privileges simply doesn't exist.
It's easy to make something secure - at least in theory. When you're dealing with a system which has well defined requirements, and people who are only likely to be using one or two systems as part of their work, it's really not that hard.
Start with the basic premise that nobody can do anything. Group policies make this quite possible to enforce across an enterprise which is running Windows. Next, start dividing people into groups according to their job, and allowing those groups to do what they need, and nothing more, in order to do their job.
Yes, this does take a long time. Yes, it is harder work than just giving them PCs and locking down anything which appears to be a security hole as and when you see it. But it's a helluva lot more secure. Just disabling the Windows Scripting Host and wrapping any admin scripts in a batch file which temporarily re-enables it would go a long way towards improving security.
A bit of careful configuration at the server completes the task. Block all attachments in email, then let through what you think you need. That which is let through should go through a thorough virus scanning, from a virus scanner which receives regular updates, before the user even sees it.
http://www.ranum.com/security/computer_security/editorials/dumb/ -
Re:Google Toolbar?
Who cares. Enumerating badness = dumb by design.
-
Re:not hypocrisy in the least
I agree -- Google doesn't have enough leverage to go in and say "we're going to operate here without your censorship, and there's nothing you can do about it."
Another way to look at it (or state it) is whether the Chinese people would be "more free" with a censored Google, or no Google at all. I think the answer is that even a censored Google will help them to gain more awareness of the situation. For one thing, censorship is an enumerating badness type of deal; the government is always going to miss things. Another improvement is that after Google is in the market for some time, they will gain some leverage to be able to loosen some of the censorship restrictions.
I honestly can't think of any way in which the Chinese people are worse off with a censored Google than no Google at all. Hence, no evil. QED. -
Re:Top priority for security in 2006
I'd like to know how Microsoft would respond to the Six Dumbest Ideas in Computer Security. Especially #3, "Penetrate and Patch". It seems like they're trying to address the symptoms, without addressing the architectural issues. At least, I've not seen them make any architectural changes in the (what is it now, 5?) years since they decided to "concentrate" on security.
-
Re:Dead On
They couldn't have been designed from the ground up to be immune to viruses because they were designed before they were even around.
Which goes to prove what good security design should be about. Think it right from the planning stage, in the right frame of mind, and you won't have to worry about patching it later. -
Re:Resolution
You can't wave your hands on your wip in photoshop (well, you can, but it wouldn't be very productive and you would look funny
:P), but you can "mimic" the effect it has on the final print. Thus, it's just a matter of different interface for the same intent.
For example, I recall an article (ranum.com) by Marcus Ranum about how to do "enlarger diffusion" in Photoshop. It mimics the effect, but of course has nothing to do with using a lens in front of your monitor. -
Re:Hard to admit, but that is quite clever
Fourthly, you are correct in saying that security is reactionary. It will most likely be nothing more than that. Virus writers already have the upper hand, they always have, and they always will.
You know, that's one of the things that bothers me the most about security. It doesn't have to be reaction-only. -
Re:Does the book also cover the fact
Many people will suggest otherwise, but they are often those who lack a formal education and background in designing secure, scalable, high-reliability software systems.
I have an M.S. in Computer Science, spent my first three years as a professional developer working on the development of a secure (TCSEC B3 targeted) operating system, then another year and a half on a firewall project based on a secure OS. I've also worked in the telecom and space sciences fields for well-known companies such as Hughes, IBM, and TRW, designing and developing secure and reliable software. These days I work for a small company, still doing my best to design and develop secure and reliable software - now in PHP.
I don't claim to be a security expert - I've met some of the experts and they're far beyond where I'll ever be on the topic. But I certainly don't fit your description of uneducated or inexperienced. And I find your claims wrt PHP bogus.
Taking a quick look at the advisories for the "Hardened PHP" project you mention (http://www.hardened-php.net/advisories.15.html), I see 1) issues with applications written in PHP - not the language's fault; 2) people doing stupid things with the language (for example, leaving phpinfo() called in deployed scripts), which is not a language issue; or 3) addressing implementation bugs, which is no different than those found in other languages - except that with PHP we call something a "PHP bug" that in, for instance, C, would be a "libc bug".
If you've got specific claims, please, put them out. But all I see in this thread so far is vague allegations. Or maybe trolling.
-
Re:Scare the holey moley?
Actually, Ranum tends to speak out against blind panics and failed attempts at security (see point #6) and attention-whoring. While I understand your point, I'm not sure that it's fair to accuse him of doing what he speaks against just because he says that the state of a particular facet of computer security is scary.
-
Re:Multiple Sources
Wow, that's a long post. Thanks for taking the time to write that. Still, I can't agree with many of your points. Perhaps a little more explanation on my part will help.
``your point about "centralized" is just picking at semantics. He said "centralized lists" so this could be on a single server or multiple servers managed by different people.''
Alright, so maybe I mistook the gist of his post. So then let's reframe the discussion: my claim is that a centralized trust database would be a bad idea, but a number of trust databases that people can choose from is a good compromise between security and usability. The basic assumption here is that running only trusted software makes for good security, but users won't put up with having to manually decide whether to trust some app or not. Not to mention that the overwhelming majority wouldn't be able to make a good judgment.
``Either way, each individually maintained list faces the same problems as a single list created by a single authority,''
I disagree. Separate individually maintained lists do not fall victim to a company's whims (recall that Microsoft is proposing a centralized trust database of sorts, maintained solely by them), and the effects of compromising a central list used by everybody are much graver than the effects of compromising a list that is just one among many.
``a system where you have to aggregate multiple lists from different sites(creating your own centralized list) doesn't do much to solve the problem that you, or the system administrator, has to keep track of all "good" software and then make the assumption that all other software is malware.''
That's exactly the idea. There is essentially a limited amount of software you _do_ want to run, and an ever increasing amount of software that you don't want to run. So you whitelist all software you want to use, and everything else is blocked. See also The Six Dumbest Ideas in Computer Security, particularly point #2.
``A list of "good" software is useless to most people. Unless you're grandma or grandpa, who's practically computer illiterate and lacks the technological common sense to distinguish between malware and legitimate applications, what use is a list of "good" software?''
The use of the list is that the maintainers of the list decide for grand{m,p}a. They don't have the technical skills to distinguish good from bad software, but they can identify (through friends' advice, perhaps) trustworthy authorities who do have those skills. Using a list maintained by someone else saves them the trouble of having to decide for themselves, and protects them against their own incompetence.
``Unlike the case with security vulnerabilities/exploits in software, the "good" far outnumbers the "bad" in the case of legitimate software versus malware.''
That may be true, but the software that you want to use tends not to change too much, whereas the malware you'll be bombarded with changes all the time. I think that maintaining a whitelist is less work than maintaining a blacklist, and you get the added bonus of being protected against any malware, even if nobody has put it on a list yet.
``A list of "good" would bar users from using most new applications, or applications written by independent developers, programming enthusiasts, or anyone else who might not be included in popular "good" software lists''
Maybe, maybe not. If you solely rely on a slow-to-adapt list and trust nothing else, you're right. But there is no reason you can't also trust other software. This is one of the advantages of having multiple lists; you can add, say, SourceForge as a trustworthy source, and get the latest and greatest open source software immediately trusted. Or you can decide for yourself to trust some package. Mix and match until you find a solution that suits you.
Another point is that you fundamentally _can't_ trust the sort of software you mention. Wouldn't you -
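Added example (not from any commenter, not from ranum.com) for the "Default Deny" inventory described in the "This is NOT the same thing" comment and the multiple-trust-list scheme argued for in the "Multiple Sources" thread above: a policy that allows code only if its SHA-256 digest appears on one of several independently maintained lists or was trusted locally, denies everything else without needing a signature, and lets one list be dropped without affecting what the others vouch for. The file contents and list names are constructed for the demonstration.

```python
import hashlib

# Constructed sample "programs" (name -> file contents). Not real software.
SAMPLE_FILES = {
    "editor.exe": b"editor build 1.0",
    "osstool": b"open source tool 2.3",
    "game_from_forum.exe": b"shiny new download of unknown origin",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two independently maintained trust lists (sets of SHA-256 digests), standing in
# for lists published by, say, a software vendor and an open-source mirror.
# Built from the sample files so the example runs offline.
VENDOR_LIST = {sha256_hex(SAMPLE_FILES["editor.exe"])}
OSS_MIRROR_LIST = {sha256_hex(SAMPLE_FILES["osstool"])}

DENIED_REASON = "not on any trust list"


class DefaultDenyPolicy:
    """Allow execution only of code found on a subscribed list or trusted locally."""

    def __init__(self):
        self.sources = {}          # list name -> set of digests
        self.local_trust = set()   # digests the owner vouched for personally

    def add_source(self, name: str, digests: set):
        self.sources[name] = set(digests)

    def remove_source(self, name: str):
        # Dropping a list (e.g. one believed compromised) revokes only what it vouched for.
        self.sources.pop(name, None)

    def trust_locally(self, data: bytes):
        # The "decide for yourself to trust some package" case.
        self.local_trust.add(sha256_hex(data))

    def decide(self, data: bytes):
        """Return (allowed, reason). Unknown or modified code is denied by default."""
        digest = sha256_hex(data)
        if digest in self.local_trust:
            return True, "local trust"
        for name, digests in self.sources.items():
            if digest in digests:
                return True, name
        return False, DENIED_REASON

    def inventory(self, files: dict):
        """Map each file name to its verdict: the inventory of legitimate code."""
        return {name: self.decide(data) for name, data in files.items()}


if __name__ == "__main__":
    policy = DefaultDenyPolicy()
    policy.add_source("vendor", VENDOR_LIST)
    policy.add_source("oss-mirror", OSS_MIRROR_LIST)
    for name, verdict in policy.inventory(SAMPLE_FILES).items():
        print(name, verdict)
    # A single flipped byte in a trusted file is enough to lose its trust.
    print(policy.decide(SAMPLE_FILES["editor.exe"] + b"\x00"))
```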
The second dumbest idea?
Couldn't help noticing the similarity between this title and item number 2 on Marcus Ranum's list of the Six Dumbest Ideas in Computer Security.
:) -
Lifecycle Management Approach
Treat it just like any other project that uses a cyclic lifecycle management. I'm supposing you already have your foot in the door, you are just unsure as to how to conduct yourself. At the end of each round, the customer can decide if they like the kind of progress being made and has the option to cancel the contract after each round if they disagree with methods or results. Start small and simple and develop their trust. If they really have security problems, you are best off finding a way to make them want to change rather than just telling them off.
Round 1: Spend one week writing a paper on the intellectual or physical property deemed essential to the company, and then document what measures the company believes they are practicing to protect them. At this point, you should also define your known enemies, be it a competitor or vast amounts of time wasted during virus outbreaks. Don't dwell on anything but the obvious as we all learned in the Six Dumbest Ideas In Computer Security document.
Round 2: Propose a paper exercise approach to physical security, both in the server room and in the cubicle farms. Spend a week and not too much money. This will confirm or deny that declared in Round 1.
Round 3: Address disaster recovery options because arson and other DOS techniques are just as bad for protecting IP as is an electronic attack. This is a check to see if the current protection methods covered this usually underfunded area. Don't forget offsites.
Round 4: Propose, via contractual methods, solutions for closing gaping holes in the protection measures. That is, cover the areas for which no protection is provided, be it physical, procedural, or electronic. Implement if approved and have alternate, albeit less-effective approaches for those rejected due to cost or time.
Round 5: Propose a development area be established to test current and future configurations of electronic equipment for known attack vectors (e.g. new patches on a firewall don't open new ports). [At this stage, your customer has confidence that you know what you're doing, but it took you this long before you really started touching the inside of their network.] You never subject the production network to most scans, except maybe for proper patch deployment. All the exploit attempts happen in the lab.
Round 6: Like every good reader of Bruce Schneier's Secrets and Lies , you now propose methods and procedures for monitoring and reacting to attacks against the core intellectual or physical property documented in Round 1. Depending on your company goals, you can hope to win this one, or you can let them run the service while you move on to another customer.
Tips: If you get lots of resistance at Round 1 telling you that you aren't moving fast enough, beware because you will be the victim of the blame game in Round 6. Don't forget that sometimes the attack vector is physical theft - encrypt core files anywhere they are found, most especially on laptops. Round 1 may have identified Internet access as a risk, so in Round 4, consider using a private, internal network and force all users to use thin-client tools for Internet access - no removable media, highly-enforced group policies, and the ability to quarantine viruses at the door. For that matter, proxy all Internet access and monitor it in Round 6.
-
Re:Good Design (for 1960)
Yes, I was wondering if this is "10 times safer" according to the engineers, or the administrators? Because if it's according to the engineers, it might actually be as safe, but if it's the administrators, we can expect the figure to be exaggerated by 1,000 times.
If NASA's administrators say this is 10 times safer, and they haven't changed their criteria since Feynman's days, it's probably about 1/100 as safe. Count me out.
-
Re: Is the Firefox Honeymoon Over?
i don't think you can say "if it did not happen by now, it is safe...".
i can't remember where but it's somewhere in there: http://www.ranum.com/security/computer_security/editorials/dumb/index.html -
Re:Hmm
Here is Ranum's talk on the whole phenomenon—and why it should stop.
-
Re:Stopping this altogether: You can do it now.
and then blindly run it...
Indeed, in terms of hapless users opening executable attachments however, I defer to http://www.ranum.com/security/computer_security/editorials/dumb/ #5 and my hope that in the future, users will have to actually jump through some hoops before allowing themselves to be pwnd.
With so many choices, there will never be Windoze type problems on free software.
This is just wrong...
The exploits will not carry into more than 10% of the install base at a time.
This is much more likely however.
The idea that security through obscurity only leads to a monoculture of what was once obscure. Good coding practices and quality software design with open auditing of the code however do afford a much better chance of dodging known as well as unknown remote attacks, regardless of what portion of hardware out there runs said code. This is most certainly not something Windows has going for it. -
Re:Um wtf
From his bio page:
Marcus J. Ranum is a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall, and the implementor of the first commercial firewall product. Since the late 1980's, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. -
Re:The Microsoft Way
One need only refer to his other articles in this category to tell you're probably not far off.
On point #1, it seems to be a debate of "he's dead on" vs. "he's dead wrong". I wager it's somewhere in between.
Agreed: clicking a zillion zone alarm alerts when installing new software sucks. Yes: having to login to an admin account to install said software when you've got a deadline at 9am tomorrow and that widget/website/whatever needs to get installed *now* is an annoying ten minutes you didn't have to spare.
Then again, Default-allow has had decades of usability testing. If default-deny is going to work economically (and I would assume this is what we want it to boil down to), it has to be mostly transparent. It's a usability challenge even more than a security challenge.
Aside: If you want people to stop clicking "ok" blindly on every warning and alert that comes up so they can get to the good part, redesign the warning and make it thoughtful.
Traditionally designed alerts and their ilk are completely ineffective in getting their message across to the common user, most specifically because when they click okay it usually does the thing they want it to do.*
*plus gives them cancer of the aids, but hey, at least they got to the porn. -
Well said
Really good points.
I worked in the "security research" field for 10 years. I loved it.
Then companies got involved, certifications/courses/books appeared, pentesting became a business...
I moved to another field, for the very reasons MJR explained in his editorial.
Everyone wanted to be "secure", but no one wanted to invest time or brains in order to achieve that goal.
In 4 years of pentesting (and I'm talking about BIG players and companies with bright people, big budgets), I have only ONCE seen a company that actually took SERIOUS measures in order to improve its security. I'm not talking about adding another layer of firewalls or installing new toys, but actually redesigning their security infrastructure/thinking.
All the others wanted signed paper which says "You are secure now".
I ended up pointing all of them to MJR's Ultimate Firewall -
Re:Um wtf
-
Re:Done and...
"One clear symptom that you've got a case of "Penetrate and Patch" is when you find that your system is always vulnerable to the "bug of the week." It means that you've put yourself in a situation where every time the hackers invent a new weapon, it works against you. Doesn't that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind." (http://www.ranum.com/security/computer_security/editorials/dumb/) It is time for the Mozilla people to worry more about security. -
IPS/IDS and firewall are the dumbest ideas....
Marcus Ranum said it best: Six Dumbest Ideas in Computer Security.
Having worked on the 10Gbps IPS, I can tell you that this is becoming a rapidly dumb idea (along with firewall). My experience in signature writing was telling me that this is becoming an exercise in futility.
If you can ascertain that your network-based applications are secured (via code review), none of these ancillary cash-burning network security add-on infrastructures would matter. A fool is soon parted from his money.
Spending some time reviewing the application code may be more cost effective.
Web server? Go tinyHTTP. Less code, fewer (or no) exploits.
Simplify, simplify, simplify (K.I.S.S.)
Sheesh. -
DEEP PACKET INSPECTION AND APPLICATION SECURITY
Here is the best IPS in the world..
http://www.ranum.com/security/computer_security/papers/a1-firewall/
- thewalled -
Re:Accountability
Read Marcus Ranum's rant about "accountability". There is no such thing.
-
Ultimate firewall, of course
Marcus J. Ranum (who was certainly involved in the invention and creation of firewalls) has the best advice, for the ultimate firewall:
The Ultimately Secure DEEP PACKET INSPECTION AND APPLICATION SECURITY SYSTEM -
Re:TrueCrypt
>But when you're a $4bn+ healthcare operation, you've gotta have someone to sue.
Read what Marcus Ranum (firewall and NIDS pioneer) has to say about suing software companies.
http://www.ranum.com/editorials/software-lawsuits/index.html -
New management paradigm: (I hate that word)
Whenever a new management gimmick like this comes along, a million "target employees" roll their eyes. This goes for anything where the aim is for management to connect with the younger elements in their company by communicating "on their level". This usually means trying to appear like you understand where they're coming from by implementing some BS program like this.
Speaking as someone who was a kid in the 80s, I don't want my bosses to make work "like a game".
How about:
a) listening to what your employees need/want
b) be clear in what your expectations are
c) make those expectations reasonable
d) give direction without dictating or micromanaging (following 'a' will usually bring you here)
e) Be reasonable, receptive, and real (i.e. don't act like you "understand them" and make management decisions based on that)
All this kind of stuff is like the corporate "team building" bullshit that became so popular in the 90s. From anyone I've ever talked to who had to participate in this crap, it pretty much has the opposite of the intended effect.
Found this good rant about this corporate motivation stuff: http://www.ranum.com/editorials/business-motivation/index.html -
This was almost predicted by Marcus Ranum
I was reading through his articles yesterday after seeing the article posted on Slashdot yesterday.
And one of them was touching on this subject: http://www.ranum.com/security/homeland_security/editorials/outsource_baghdad/index.html -
Not a new argument
This isn't really a new argument. Marcus Ranum's web site, for example, contains a counterargument, links to articles discussing arguments for and against, a link to the paper by Dan Geer that brought the monoculture argument into the limelight, and some sarcastic comments on the new monoculture study that the C|Net article mentions. ("$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!")
-
Intrusion Detection
Marcus Ranum gave an interesting talk on intrusion detection systems and security, including physical threats, at ALS last year. I'd also recommend Secrets and Lies by Schneier. It also takes an interesting look at physical security issues. As for crisis week, the last one I can think of was Y2K, but that wasn't really a mock-up type thing. The only other crisis preparedness we were trained for was 'fire'.
-
Marcus Ranum
I saw Marcus Ranum speak at the Atlanta Linux Showcase on intrusion detection systems. He's an excellent speaker, stayed vendor neutral, and has tons of cool stories, yet the security community hates him.