Fred Avolio's Musings


Tue, 14 Dec 2004
History Lost

I've lamented the loss of historical memory a few places this year. I grouched about it on the firewall-wizards mailing list yesterday, wherein I corrected a perfectly nice guy who said "This is the classic 'eggshell' weakness of network security, hard and crunchy on outside, soft and chewy on the inside."

I said that this was an example of the loss of historical memory we experience in network security. I pointed out that the "classic" is Bill Cheswick's "crunchy shell around a soft, chewy center." (This is from "The Design of a Secure Internet Gateway," whose date is not stated in the version I have.)

At this point, you're perhaps thinking that I sound like a grouch, and that I grouched about it because I am a grouch. Well, maybe.

In my defense, please see some previous blog entries. I referred to this as a problem in this blog entry from 20 Sep 2004. That entry references an earlier blog entry Security Redux and a column I wrote.

In response to my firewall-wizards posting, Dr. Tina Bird e-mailed the following:

2004 compromises look very similar to 1989 compromises: bad passwords, insecure configurations, unpatched software. For example:
"Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems." - October 17, 1989

So let's see:

  • Blaster/Sasser/SQL Slammer -- unpatched software
  • hordes of exploits propagating over peer-to-peer apps with insecure configurations...

It's not an OS insecurity issue, it's the bloody humans!

References for compromised machines from CERT:

Thanks, Tina. I wish it weren't so.

[/security/] permanent link

Low-tech, High-quality Biometrics

Infoworld reports "EU moves closer to biometric passports." But they already use them: a passport must carry a photograph of the holder, which a passport control official compares with the face of the person presenting it. That is biometrics in use.

It is even more impressive than we might have thought: slashdot.org points to a news article saying that facial recognition "targets 3 areas of the human brain."

[/misc/] permanent link

Scary Security Stories

A few years ago on the firewalls mailing list, someone disclosed management's lack of security clue in the following plea (dated Mon, 20 Nov 2000 06:22:10 -0600):

Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!

(You can read my reply by searching for this text on the Internet, where you will find it, or by reading NetSec Letter #15, which refers to it.) I read something scarier yesterday. I've anonymized it... a bit.

We are a small software business ... located in [a country providing lots of software development outsourcing for government and industry all over the world, but especially in the US]. We have a machine running Linux/Redhat to which all our computers connect for Internet access through a DSL/Modem ...

For the last 6 months our DSL bills have been extremely high. We examined our logs and there is someone using the bandwidth from our host every night. We can turn off the machine but are not sure if this is the right solution.

We have [taken some specific countermeasures]... But we still continue to see the nightly break-ins into our host machine. We have no Linux expertise except as developers. We checked out firewall software prices and they are expensive, and there is no expert support available. Can someone suggest a fix for this? Even a policy fix/advice would be helpful.

So far, no one on the list has expressed horror about this situation. Will software developed by this company end up in missile guidance systems? What about other companies -- in that country or anywhere in the world? How often are companies that develop critical systems audited for security practices and events? Shouldn't they be?

[/security/] permanent link