Slashdot Mirror


Spafford On Infrastructure Risks

nealmcb writes "In a major report from the AAAS, Eugene Spafford, director of CERIAS, summarizes the many risks to our information infrastructure (viruses, bugs, single points of failure, etc.), their causes (explosive growth, primacy of time-to-market over quality, lack of support for basic information security research, etc.), and the negative effects of the DMCA, CBDTPA, and other corporate maneuvers."

5 of 85 comments

  1. Re:Lord. Protect me from academics. by chefmonkey · Score: 4, Informative

    For those of you that find PDF a Pain In The Ass, you can grab an HTML version of this chapter from here.

  2. Perpetuating the myth by Enigma2175 · Score: 3, Informative
    From the article:
    The amount of traffic we see on the backbones of the networks has been doubling approximately every 90 to 120 days.

    I thought that myth had been debunked. It now has passed into the realm of the 'factoid'.

    --

    Enigma

  3. Re:Lord. Protect me from academics. by chefmonkey · Score: 2, Informative
    Can someone please find the original so we can verify this for ourselves?

    Yep, it's a load of horsehockey.

    The passage he's trying to cite, I believe, is from an essay Louis Aragon wrote in La Révolution surréaliste, no. 4 (published in 1925):

    "Que les trafiquants de drogue se jettent sur nos pays terrifiés. Que l'Amérique au loin croule de ses buildings blancs."

    I'd translate this more as "That the drug traffickers throw themselves on our terrified countries. That far away, America's white buildings collapse."

    I wouldn't even interpret the first sentence as relating to America, since Aragon clearly considered America to be quite distant from himself and, consequently, any countries he would feel compelled to call "our."

    Using such a questionable quote without checking sources was extremely irresponsible on the part of Dr. Greenwood. On the other hand, Wlad Godzich should be summarily dismissed from his position at UC Santa Cruz for such academic dishonesty as daring to translate the same phrase as "The time will come, America,/When the hordes of Afghanistan/Will crash your gleaming airplanes/Into the shiny towers of Manhattan."

  4. The Infamous Spafford. by Tadghe · Score: 3, Informative

    I'm sorry, but how can I take a "study" seriously when there are not even citations of sources?

    Spafford is the master of sound bites, but I'm still not convinced he knows what he's talking about.

    We could talk about the scare-tactic scenario (page 4) he presents about 50% of the phones going down along with the Internet (ok, anyone with half a cluepon, tell me how "the Internet" can go down... portions of it, yes (we saw it effectively "down" on 9/11), but it's pretty well impossible to take down the public 'net unless you nuked the entire planet. Ditto for the phone systems (even the legendary Blotto Box (assuming it would work) could only take down an NPA.)), but suspending reality for a moment and living in the Spaff's world....

    His basic math does not add up (another poster has already pointed this out) and does not agree with the data available (talking about his virii numbers). Even the virii whores at McAfee don't claim there are new worms/virii every 75-90 mins (page 4.2).

    Consider such statements he makes, such as...

    "[...] on average over 1 million each year from computer misuses and computer crime [lost each year]. Worldwide, as much as 1 trillion may be lost in downtime and damages each year. Not only is poor security costing us real money, it is also harming our national competitiveness."

    The FBI study is not cited, only mentioned. The numbers he mentions are not backed up with facts, nor are there facts to back up the "national competitiveness" loss he cites (surely it's not because our economy is in the tank, no?).

    He goes on to say that only "100 (maybe 60)" people in higher ed have training in security (as he defines it, I might add). But again, no facts to back that up, only conjecture.

    I loved the paragraph:
    "As best as I can tell, the total amount of money available this most recent fiscal year for *basic* research in information security was about $2 million (through the National Science Foundation); a great deal of the money is being spent on acquisition and development of technology for security, but rather that is money spent on extensions of known methods rather than basic research"

    Ok, from a basic logical thinking point of view... either the 2 mill was available for basic research or not (he says both: he says at the beginning it is, but then says that most of the money was spent on "extensions of known methods").

    After this he goes on to say that comp sci as a discipline was created at Purdue (where he works).

    Finally, for some WorldCom quotes...
    "The amount of traffic that we see on the backbones of the networks has been doubling every 90 to 120 days." That's pretty much a direct quote from some of the FUD that the WorldCom guys were pitching back in 99-2000.

    He goes on to bitch about people entering the comp sec field without a degree and tries to pitch those folks as having no real level of depth or expertise. I can only point out that the great and powerful Spaff has been personally hacked by those selfsame people....

    My point being in this that you, gentle reader, need to take Spafford with a very large grain. Always ask for the proof.

    If you wish to learn more about Spafford, simply browse some of his old Usenet posts.
    In particular you may find such threads as "CERT as told by Spafford" entertaining. Spafford used to be one of the honchos that kept general security info from the hands of the unwashed masses....

    You can also read his "the sky is falling" report to the White House a few years ago; again, it makes interesting reading.

    Mark this as a troll if you must, but don't accept every blind statement by someone with a PhD as gospel.

    --
    Bugs Bunny was right.
  5. The wrong approach. by Restil · Score: 3, Informative

    Constantly, the money that companies are forced to spend on recovering from various infrastructure attacks should not always be referred to as "losses". Certainly, if someone broke into your building and stole something, that is a loss. But if your entire corporate network is down for two days while your IT department is working overtime and the rest of the company is not, while getting paid, this is not a loss. This is an operating expense. This is part of the expected cost of using software that has well-known vulnerabilities. This is part of that "total cost of ownership" that Microsoft is only so proud to bring up when discussing their software prices compared with those of competitors.

    So from now on, don't suggest that companies LOSE this money whenever they're attacked. This is just part of the total cost of ownership when you run insecure software, when you hire substandard IT personnel, and when you don't have reasonable company policies regarding non-business-related applications.

    Companies can take the cheap way out. They can put Windows boxes in front of every employee of the company, content that everyone can quickly figure out what to do with minimal expense. Hire some just-out-of-college whackjobs with no useful experience to run the network. They're cheap, after all. Nobody to train, nobody to waste money on. No need to spend money on security audits. That's just wasted money. Of course, you'll "lose" all of it the first time someone hits you, but that's the way you've decided to budget your technical department. You get what you pay for.

    -Restil

    --
    Play with my webcams and lights here