Posted by Andrew DeFaria on 09/05/05 21:29
Jerry Stuckle wrote:
>> And a lot of companies don't need the security you are pushing.
>
> And a lot of "consultants" have their heads up their anal orifices
> when it comes to security.
You mean like you...
>> Yes, but I remain unconvinced that such a need exists still. And you
>> can't tell if it's necessary either. Neither of us have the specs,
>> requirements, etc.
>
> The clueless normally do.
I'm not clueless - just not paranoid like you.
> Are you also unconvinced you shouldn't leave your front door
> unlocked? Or the keys in your car? I suspect so.
Right. I can say that sometimes I lock it and sometimes I don't.
>> No you are wrong. The data is not facing the outside world - it's in
>> the intranet and not accessible by the outside world. It is
>> accessible to the inside world as it were. (Later you admit that you
>> have knowledge that this is an intranet only situation. Why then do
>> you say "If the database is being directly access by the web site, it
>> is facing the outside world" when it clearly is not - at least not in
>> most people's common usage of "inside world" = intranet and "outside
>> world" = internet? Are you just trying to be argumentative?)
>
> By "outside world" I mean areas which do not normally have access to
> that data. It may be inside the company or outside the company.
How convenient that you have chosen to redefine common usage of such
terms so as to cover your ass...
>> You assumed there was a need for security did you not?
>
> I assumed nothing. I pointed out a potential weakness in their
> proposed design, and an easy way to limit the exposure.
Are you really this dense? Of course you assumed stuff. You assumed that
there was a need for security and that they were concerned about it. Now
they may or may not be - but assumptions you made nonetheless.
>> You're selling FUD, plain and simple. Most security people do -
>> that's their thing.
>
> ROFLMAO! First of all, I am not a "security person".
I know - you're just pretending to be!
> I am a developer with almost 40 years of programming experience. I
> have worked on every sized system from PC's to mainframes, in almost
> 20 different languages.
>
> I started learning about data protection in my 13 years with IBM.
> I've continued during the last 15 years as a consultant.
Toot, toot. BFD.
> I've worked with "security people". They have a much different job.
> If you knew anything about security, you'd understand that.
I do know about security - at least enough to know that it's not always
a requirement.
>> I stated my opinion, that it was overkill, especially given the lack
>> of a security requirement at all.
>
> And you are totally clueless.
No.
> Do you think every requirement was specified in the original post?
> And do you think the customer understands everything about potential
> exposures?
I would think, especially after haggling about this for this long, that
if there were any requirements then they would have been stated by now, or
at least an acknowledgment that there were at least some security
requirements. But they still haven't said anything, and that says a lot
- all in my favor.
>>> Not understanding the customer's situation, you really have no idea.
>>
>> Nor do you. In general, however, if you are exposing parts of your
>> database to update from a web interface and wish to have other parts
>> remain secure then most DBMS' provide various forms and ways to
>> accomplish such security. It is reasonable to assume that the whole
>> damn database is not open wide to anybody who gets in, therefore the
>> idea of having to replicate just parts of the database so as to keep
>> the other parts "safe" seems ludicrous to me because it assumes that
>> there is absolutely no security implemented in the database to start
>> with.
>
> I have enough understanding to indicate a potential exposure and a
> possible solution - which is all I did. It is up to them to determine
> if the risk is acceptable or not.
>
> And if you understood ANYTHING, you would realize that the security
> that "most DBMS' provide" is very minimal.
And your supposed solution adds nothing really to make things more
secure. Mere replication merely replicates. If you allow updates to the
replicated data and then sync them, the updates get replicated. If the
aim of the hacker was to, say, change or erase data then your
replication has done absolutely zip to stop him from accomplishing his
goal save making him wait until sync time. BFD!
> If the database is accessible, it can be hacked. Just ask some major
> companies with serious DBMS' like Oracle, SQL Server and DB2. All of
> these have been hacked.
Anything can be hacked. Security is never 100%. If it's the data that
you are protecting then your solution has added no security - at least
no security the DBMS couldn't have equally done.
> And these are just the big cases. There are numerous other cases
> where data has been accessed by unauthorized people. As I indicated
> earlier, industry estimates are that > 85% of all security breaches
> are internal - from disgruntled employees, for instance. But you
> normally don't hear about them on the national news. However, this
> doesn't mean the breach is not costly to the company.
>
> And data which isn't there cannot be hacked.
But the data is there - it's replicated according to you.
>> As I said, and you seem to agree, it adds complexity and yet another
>> point of failure. What we are really arguing is whether such added
>> complexity is worth it. It may be, if the data is highly confidential
>> and requires extra security measures. Your assumption is that it
>> does. What you base that assumption on is questionable to me as you
>> have not seen the specs. My assumption is that it does not. What I
>> base my assumption on is the lack of any clear statement of required
>> security. Hey it may very well require such security precautions or
>> even more. But so far that still has not been specified.
>
> No, we don't agree.
>
> You're "adding complexity" by putting up a web page. You're "adding
> complexity" by accessing a database. You're "adding complexity" by
> providing password protection.
>
> This implementation adds less complexity to the system than any of the
> above.
Yes however the whole frigging point here is that they are implementing
the web page and adding access to the database based on
username/passwords to provide utility and functionality to a subset of
people. This is indeed useful, otherwise they wouldn't be doing it in
the first place! Your idea of securing things by replication adds
little additional security that is probably already present in the DB
itself (or at least it should be). IOW it adds light not heat.
> Replication is already built into the database - and well tested.
> Setting up the replication is < 30 minutes. Then it runs itself - and
> is as reliable as the DBMS itself.
>
> You still have to read from the database. And write to the database.
> This is still being done.
Which doesn't increase security as it is still possible that the hacker
can write or read the data he or she wants.
> The only difference is the writing is done from a separate system.
Which really means nothing at all (save possibly another system sale).
> And there must be all of a couple of dozen extra LOC to do this. Yea,
> when compared to a couple of thousand lines on a web site, it's pretty
> minimal.
Most of those couple of thousand lines on the web site are just
descriptive text - not code. Descriptive text never has bugs save, say,
misspellings, which don't actively perform any action!
>> So it should not be implemented unless requested (or unless you
>> really know the data and feel the company is risking things perhaps
>> not knowing the risks involved but again we don't know that).
>
> No, we don't know that.
Oh so your previous implication that you were privy to the requirements
was a pure fabrication and you're pulling assumptions out of your
frigging ass! I see - not surprised but I do see.
> So you can't say it's unnecessary, can you? Oh, but you have. Do you
> have some magic ESP or something?
No but it's not necessarily rocket science to assume that since it was
not mentioned it probably was not wanted. Sure you can propose anything
you want. I could, for example, propose that they relocate the systems
to some underground secret lab and require that anybody wishing to have
access to said data pass through 2 guards, a fingerprint check and a
retina scan before being allowed to access a terminal into the secure
system. That surely would be even more secure than your solution however
it is equally unwarranted. Before suggesting such things it makes sense
to understand the nature of the data and its importance. Then you can
suggest additional security.
> Remember - all I did was mention a potential exposure and how it could
> be minimized. I left it up to them to determine if it was necessary
> or not.
So did I above. And it was silly, just like your suggestion.
> YOU are the one who determined it was overkill - with absolutely no
> more knowledge of their situation than I had.
Absolutely, because I'm reasonable and not paranoid.
> I love your kind of consultant. You know more about the "solution"
> than you do the problem. You don't take the time to understand the
> customer's needs. But you know the answer. They don't need security!
What? How is this any different than you! You know the solution before
you do the problem too. You make a suggestion, one that will take
effort, perhaps hoping that they'd hire you (i.e. self interest). You
have not taken the time to understand the customer's needs either and
then you play between implying that you understand the requirements to
you just don't know. You also suggest you know the answer too - they
need additional security, and yet you have no indication that they do.
On my side is the fact that they didn't request it. On your side is
nothing - 'cept FUD of course, which was my original point.
> I've made hundreds of thousands of dollars in my consulting business
> by picking up after people like you.
Bingo! You wish to sell them security.
> But then I bother to understand my customer's needs, clearly explain
> possible solutions and risks involved with each solution, and let them
> make the decision.
'Cept you surely didn't bother to understand this customer's needs before
offering your solution. Just like any other two-faced consultant
speaking out of both sides of your ass at the same time. Good work there!
>> Expand that to a myriad of other companies that have the same info.
>> Do you really believe that your SS# is secure at every company that
>> has that info?
>
> I believe it's secure in every company system I've worked on. I don't
> believe it's secure in ANY system you've worked on.
Nor is it secure in hundreds of other systems that neither of us have
worked on, which is my point! The data is not secure to start with.
Making it secure in this instance does little to nothing to secure
this data, as this data does not solely emanate from only secure systems.
Thus it is not secure by definition. As an analogy, it's like putting 2,
3 or 4 locks on the driver's side door of a car when the passenger's
side has no locks. It's a foolish and stupid activity.
>>> But my SSN is NOT replicated to the external database.
>>
>> Did you miss that first word where I said "If"?
>
> No, I didn't miss the "if". My SSN was not replicated - so the rest
> of your statement was meaningless.
But your SS# was indeed replicated - not by a DBMS nor even by the same
company. To use the analogy again, yes that 4th lock on the driver's door
did add additional security to that side - however the other side is
still totally open. To assume your "car" is therefore now safe is stupid!
>>> Part of security is to replicate ONLY THE REQUIRED DATA.
>>
>> Thus making such data less useful. Then again it's hard to say that
>> because again (I know I sound like a broken record) neither you nor I
>> have any inkling of the requirements and needs of this web
>> application. Maybe the SS# is required. Maybe even it needs to be
>> available for update. We just don't know the specifics. We could
>> continue to speculate if you like but I really don't see the point.
>
> Wrong again. Data which is unnecessary does not make anything
> less useful.
Yes but your assumption is that the data is unnecessary. As you don't
know which data is necessary or unnecessary you just can't say - even
though you will. For all you know all of the data is necessary.
> If I'm designing an inventory control system, I really don't care
> about the orbit of Jupiter. It's unnecessary data, and does not
> affect my HR system at all. However, if I'm working on a guidance
> system for a space probe, details on the orbit of Jupiter are important.
Come on! Really. What DBA designed a database that contains both
inventory control data with guidance data into the same database?!?
Geeze what a weak argument. And BTW, why does the HR database have
inventory control stuff in it and why would HR care to access it? Geeze
if this is how you build databases it's no wonder you are so paranoid.
Hell I wouldn't even want anybody to see such a crummy design!
> The same here. SSN's are of no importance to the marketing
> department, and HR doesn't care about sales figures. To each, the
> other's data is superfluous and does not affect the usability of their
> own data.
And thus shouldn't be in the same database to start with!
>> Yeah, right. But I sure know overkill when I see it. Of course our
>> government is the model of efficiency, modern data processing and
>> sharing of information, that's for sure! Hell just take the USCIS for
>> example. Last I checked it they still haven't updated their PDF files
>> with the correct pricing information. It's only been about 2 years
>> now but then again that's way faster than most normal businesses!
>
> Again, you understand the user's company, the data involved,
> requirements for how the data is to be used, the potential exposures
> if the data is misused, and the consequences thereof.
I do understand that in normal operations of thousands, if not millions
of other businesses it surely does not take 2 years to fix a pricing
error in a PDF file. In fact it takes minutes! But not for our
government thanks to asinine thinking from government contractors like
you. It really has nothing to do with a user's company (there is no
company involved here, rather the government) nor the data involved (save
to say that the data is incorrect). As for requirements of the data it
seems pretty clear to me that the requirement of this particular piece
of data is to inform the user of the data what the fucking price is! And
it's wrong, and has been for the last 2 years! Potential for misuse?!?
Are you kidding! The misuse of this data is to either pay too much or
too little for the service. In either case the government only accepts
the exact amount. Pay too little and you don't get the service (and you
get months of additional delay). Pay too much and you get the same
thing. This is unlike most businesses where if they did list the wrong
price they would be forced to accept the price they listed.
Then again wasn't it those wonderful contractors who actually approved
the visas of several of the 9/11 terrorists 6 months after 9/11! Ah yes,
government efficiency and superior skills in securing what needs to be
secured and making available data to only those who need it. A fine
example indeed.
> Gee, you must have the greatest ESP around!
Not ESP but indeed practical intelligence. And yes I knew this already.
>> Yeah I understand security. Security only really keeps honest people
>> honest. The dishonest people hardly slow down at all with security.
>> It just causes more frustration for honest, regular users and makes
>> it so that it's actually quicker to do things without computer
>> systems! Yeah but we have to throw up these security barriers, even
>> when unasked for and unneeded, otherwise we'd process too many things
>> at once and lord knows different branches of the government that are
>> supposed to talk to one another will actually talk to one another and
>> then the terrorists will have a tough time and we wouldn't want that
>> happening!
>>
>> Give me a break!
>
> Of course you believe that. Minimal security as you propose only
> keeps the honest people honest.
Yes it does. Maximum security promotes uselessness.
> Fortunately, my bank, my doctor, the government and virtually every
> medium and large company understand that this isn't true - and that
> you can implement higher security which will keep dishonest people out.
As well as make systems that frustrate honest people enough that they
just don't even use them anymore or that cause correcting a simple
pricing error a 2 year or longer affair. Meantime honest people get hurt
badly. But that's OK because you cannot argue with nor sue government for
their screw ups and you give such government employees such wonderful
excuses to justify their ungodly and otherwise unacceptably long wait
times. Wonderful system you got there.
> What I suggested will not keep everyone out. But it will provide a
> lot more protection.
Unwanted and unasked for protection that is.
>>> Because I know the person who designed this part of the web site,
>>> and we have discussed its implementation in detail.
>>
>> Then you are working with details that I am not. Now you could have
>> simply stated up front that you knew this and that such security was
>> required for this project, but no you figured you'd argue a little
>> first. I see...
>
> Again, I didn't say that such security was necessary for the project.
> I only pointed out a potential weakness and a possible solution,
> leaving it up to them to determine if it was necessary.
I still think they should go with my "under the mountain, must give a
DNA sample to access the secure lab" idea. Much, much more secure... ;-)
> It was YOU who, in all of your great knowledge, indicated that this
> level of security was unnecessary. Again - your ESP must be on
> overtime because you knew the security was unnecessary from the little
> bit of data given.
Yes, thank you very much for recognizing my superior insight here. :-P
>>> It is relevant when you're questioning whether I understand Federal
>>> government systems.
>>
>> Not really but you can continue to think so if you want. Federal
>> government systems don't all emanate from DC ya know.
>
> No, they don't all emanate from D.C. But they are all managed from
> D.C. in one way or another.
Again adding the irrelevancy...
>> Good for you. I hope you don't resort to the same argument tactics
>> you do here with them.
>
> No, I don't argue with them. They're not clueless.
>
> And BTW, YOU are the one who hopped in uninvited and indicated my
> solution was "unnecessary". And you continue to indicate my solution
> is unnecessary. Despite no knowledge of the customer's needs or
> situation.
And you have very little knowledge too, but pretend to know it all. And
BTW, how did I hop in here any more uninvited than you? Your solution
was not asked for either. Finally, why do you think I need an
invitation? This is, after all, an open forum.
>> Just as soon as you reveal yours! ;-)
>>
>> However, if I say "I'm everywhere" then you can just assume it's
>> "everybody".
>>
>> Have a nice day! Now go away because I really have no time for
>> somebody who withholds information like they have seen the
>> specifications just to argue with somebody else. You could have been
>> up front and clear but instead you decided just to be argumentative
>> and quite frankly I do not wish to argue with such deceptive people.
>
> Speaking about yourself, huh? Remember - you started it!
No I didn't. You posted first. I commented on your post - remember? Or
are you that senile? I do not need permission to offer my opinion, nor
do you. As for information on requirements I'm still not clear whether you
have that information or not. Sometimes you say you do, and sometimes
you say you don't. In any event it seems clear to me that you're selling
security and you do so through FUD.
> And no, I don't have any other information on the customer's needs.
> But I don't tell him something is necessary or unnecessary. But I do
> offer options.
Yes I have not one but two options. One is that perhaps additional
security is not a concern. The other is the secure bunker option. Pick
one! :-D
> And I have no desire to have a discussion with a "know it all" idiot
> who is way out of his league - but too stupid to realize it.
That's funny but one couldn't prove that. After all you keep yapping and
yapping! (As I do back at you but at this point it's more to expose you
and to have fun at your expense).
--
If it's true that we are here to help others, then what exactly are the
others here for?
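The thread argues replication of "only the required data" against the access controls that, as Andrew puts it, "most DBMS' provide". The following is an added illustration by the editor, not code from either poster, of the in-database option: a PostgreSQL-style schema where the web tier's login can read and update only the contact columns through a view and has no privilege at all on the table holding the SSN. Table, column and role names, and the placeholder password, are assumed.

```sql
-- Constructed example (PostgreSQL syntax); all names are assumed.
CREATE TABLE employees (
    id     serial PRIMARY KEY,
    name   text NOT NULL,
    email  text NOT NULL,
    phone  text,
    ssn    char(11) NOT NULL   -- must never be readable from the web tier
);

-- A dedicated, unprivileged login for the web application.
CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- The web tier sees employees only through a view that omits ssn.
-- A simple view like this is automatically updatable in PostgreSQL, and
-- writes through it run with the view owner's rights on the base table.
CREATE VIEW employee_contact AS
    SELECT id, name, email, phone FROM employees;

-- Be explicit that nobody gets the base table by default.
REVOKE ALL ON employees FROM PUBLIC;

-- Least privilege: read the view, update only the two contact columns.
GRANT SELECT ON employee_contact TO webapp;
GRANT UPDATE (email, phone) ON employee_contact TO webapp;

-- From a connection logged in as webapp:
--   UPDATE employee_contact SET phone = '555-0100' WHERE id = 42;  -- allowed
--   UPDATE employee_contact SET name = 'x' WHERE id = 42;          -- permission denied
--   SELECT ssn FROM employees;                                     -- permission denied
```

Note that this confines a compromised web login to the granted columns; it does not address the separate point raised in the thread that any writable path, replicated or not, still lets an attacker with that login change the data it may write.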