worth reading -- loophole in FISA?

Ridgely Evers revers at evers.org
Sat Dec 24 12:25:40 PST 2005


Dave,

David Reed is right on the money in terms of the false positive issue.

Actually, the "more hay" methodology has been shown to be ineffective in other, related fields, and even worse has been shown to be an effective tool for _evading_ detection.

Simply put, it is relatively easy for an attacker to determine the kinds of things that trigger alerts, and to flood the detection system with those types of events.  Intrusion detection systems on networks are classic cases in point: they are so overwhelmed by false positives that in very short order the people monitoring the systems stop paying attention.  A "boy who cried wolf" problem, exacerbated by the fact that the marginal cost of creating a false positive is many orders of magnitude less than the cost of responding to one.

Ultimately, the IDS systems end up being used either (a) to show uninformed management that "we're doing something", and/or (b) as part of the forensic process _after_ a breach has occurred to try to see if the attacker left any useful footprints (hint: the answer is "no").

There's a trend to watch for, as well.  The follow-on technology to IDS, optimistically referred to as Intrusion Prevention Systems, has been touted as a tool to actually stop attacks in progress.  Essentially, it's a combination of detection capability coupled with 'drop the connection' capability.  It came into existence because security people thought it would be cool, and because customers were complaining about the overload on human resources that the IDS technologies imposed.  The theory was that technology could operate with sufficient speed to prevent bad things from happening.

The real world response (as noted in a recent Network World review of IPS) has been that the systems are getting deployed, but without the 'P' feature enabled.  It seems that users are not willing to take the risk of shutting off a good connection (the 99.9999% case) in order to prevent an attack (the 0.0001% case).

But I expect that the next layer of proposals out of the NSA data mining mess will be to create and deploy some magic system that can operate at the speed of the technology being monitored.

<Insert massive (unsuccessful) budget here.>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." - Ben Franklin, ~1784

--Ridge

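[Editor's note: the following is an added example, not part of Ridge's message or any product's code. It is a toy model of the two effects the message describes: an attacker drowning an IDS queue in cheap decoy alerts until the one genuine alert is never looked at, and the base-rate arithmetic that makes an IPS's 'drop the connection' action block many good connections per attack stopped. Every rate, capacity and 'patience' value below is a constructed assumption for illustration, not a measurement of any real system.]

```python
"""Toy model of IDS alert fatigue and IPS base-rate blocking.

Added example; constructed parameters only, not data from any real IDS/IPS.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Alert:
    arrived: int   # second at which the alert entered the analyst queue
    real: bool     # True only for the single genuine intrusion alert


def triage(alerts_per_second, real_at, seconds, capacity, patience):
    """Run a FIFO analyst queue over a constructed alert stream.

    alerts_per_second: noise alerts (benign false positives plus whatever
                       decoys the attacker deliberately triggers) per second
    real_at:           second at which the one genuine alert arrives
    seconds:           length of the simulation
    capacity:          alerts an analyst can actually review per second
    patience:          alerts older than this many seconds are discarded
                       unreviewed, modelling the point where the backlog is
                       so large that nobody is paying attention to it
    Returns (real_alert_reviewed, delay_in_seconds_or_None).
    """
    queue = deque()
    for now in range(seconds):
        for _ in range(alerts_per_second):
            queue.append(Alert(now, False))
        if now == real_at:
            queue.append(Alert(now, True))
        # Anything that went stale before a human reached it is dropped.
        while queue and now - queue[0].arrived > patience:
            queue.popleft()
        # The analyst works the head of the queue, oldest first.
        for _ in range(capacity):
            if not queue:
                break
            alert = queue.popleft()
            if alert.real:
                return True, now - alert.arrived
    return False, None


def alert_precision(base_rate, detection_rate, false_positive_rate):
    """P(real attack | alert fired): how often acting on an alert is right.

    base_rate:           fraction of connections that are actually attacks
    detection_rate:      fraction of attacks that raise an alert
    false_positive_rate: fraction of benign connections that raise an alert
    """
    true_alerts = base_rate * detection_rate
    false_alerts = (1.0 - base_rate) * false_positive_rate
    return true_alerts / (true_alerts + false_alerts)


def good_connections_blocked_per_attack(base_rate, detection_rate,
                                        false_positive_rate):
    """With the IPS 'drop the connection' feature on, legitimate connections
    cut for every real attack stopped."""
    false_alerts = (1.0 - base_rate) * false_positive_rate
    return false_alerts / (base_rate * detection_rate)


if __name__ == "__main__":
    # Quiet network: 2 noise alerts/s, analyst handles 5/s. Real alert at t=30.
    print("quiet  :", triage(2, 30, 60, 5, 10))    # reviewed immediately
    # Attacker floods 50 cheap decoys/s; same analyst. Real alert at t=30.
    print("flooded:", triage(50, 30, 60, 5, 10))   # never reviewed
    # Flood, but the real alert was the first thing in: reviewed, 10 s late.
    print("early  :", triage(50, 0, 60, 5, 10))
    # IPS arithmetic: 1-in-a-million attack rate, 99% detection, 1e-4 FPR.
    print("precision:", alert_precision(1e-6, 0.99, 1e-4))
    print("good connections dropped per attack stopped:",
          good_connections_blocked_per_attack(1e-6, 0.99, 1e-4))
```

The queue model is where the cost asymmetry bites: the attacker's only cost is emitting decoys at a rate above the analyst's capacity, after which the steady state drops almost everything unreviewed, including the one alert that mattered. The precision functions show the other half: with a constructed attack base rate of one in a million and a false-positive rate of one in ten thousand, fewer than 1% of alerts are real, so enabling the block action cuts roughly a hundred good connections for every attack it prevents.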
-----Original Message-----
From: David Farber [mailto:dave at farber.net]
Sent: Thursday, December 22, 2005 3:40 PM
To: Ip Ip
Subject: worth reading -- loophole in FISA?
Begin forwarded message: