Evolution and Lack Thereof


It's one of these generic meeting rooms in a glass and concrete building for a generically large and inflexible company. The ground must have cost the equivalent of a small African state's revenue for a year and was used to create a business container that only the architect likes. The meeting room is equipped with the things you would expect, namely fancy-looking tables and designer chairs with a light blue fabric, a whiteboard including two pens, and a few hooks on the wall to hang your jacket in case you wear one. On the tables is the usual assortment of drinks in 0.5 liter bottles that don't help to fight any serious thirst but are good enough to fight increasing boredom in this or that meeting.

Dizzy sits at one end on the left side of the table and watches the other people in the room. The majority of them are suits. A full team of five consultants from some company everyone except Dizzy seems to know, all dressed up as if they have a model appointment afterward with the Manager Magazine. Two other people just arrived a few minutes ago. One of them is a fairly heavy-built guy with a blond ponytail wearing a t-shirt and jeans. Even if he didn't know him, Dizzy would have guessed that this is one of the system administrators. The other one is a guy in a less expensive suit than the consultants wear. His shirt is hanging out of his pants at the back, but everybody tries to appear as if this is normal or they didn't notice it. The guy is middle-aged and looks tired, although, or perhaps because, he is the manager in charge of the servers running databases and other important applications of this company.

Dizzy shakes his head slightly and tries to remember what company this is. Looking out of the window doesn't help him much; it's a generic view over a generic city somewhere. Judging from the logo on top of the stack of fresh printouts one of the suit consultants now distributes around the table, this is an insurance company. Then the usual introduction round starts and Dizzy is even more bored. Trying to remember the names and positions of those people doesn't even occur to him. It would be the equivalent of trying to remember all RFCs published so far. When it's his turn to introduce himself, he simply says, "I'm the security consultant responsible for the firewalls and system security with the new servers." This gains him strange looks from the suit consultants. Some of them just go through the people-rating checklist of shaved or not, what haircut, tie or not, price of suit, etc. Dizzy is actually surprised that none of them looks under the table and checks on the type of shoes he wears. Two of the suits throw aggressive looks over to him as if to say, "Don't get in our way, we are doing serious business here."

Then the discussion starts. Dizzy is delighted to see that the poor manager recites the reason for this meeting as an introduction to the agenda. Maybe he also didn't know why he was here and helped himself out of the situation by reading the Outlook e-mail printout aloud. So the topic is the new web shop system this company wants to set up. Suddenly, the memory flashes back to Dizzy. Right, those suits are with a small consulting company that got an allowance equivalent to printing its own money by becoming officially certified SAP consultants. One of them pulls out a little portable projector and connects his IBM laptop to it. It looks like he is performing some serious brain surgery. Since he doesn't get the projector to display the contents of his computer screen, the other suits start to participate in the process, press random buttons on the projector's top and in general mess up the whole setup completely. After a while they manage to get the projection to work and a Windows XP desktop with a number of PowerPoint files appears on the wall. The suit with the laptop stands up and starts the presentation. He talks about the integration project, how important the task is, and what technological advantages arise from installing this type of solution. He also mentions that they agreed in a former meeting on the SAP ITS server instead of the much newer solutions provided by SAP because of the already existing know-how in the company. The sysadmin looks at Dizzy with an expression as if to say, "What know-how?"

While the speaker crawls through the boring slides, Dizzy fights his own boredom without much success. After about an hour, they finally arrive at the pretty pictures that are supposed to show the security concept they came up with. It shows a burning brick wall with a little line connecting it to a cloud titled "the Internet". Behind the other side of the brick wall, there are scaled-down photos of big IBM servers, taken directly off the vendor's website. An arrow denoted "HTTPS" goes through the brick wall and points to one of the big boxes. The other one is labeled "AGate" and has another line through another flaming inferno brick wall to the first box. Next to that AGate is the graphical equivalent of a large waste basket. This fat cylinder is simply labeled "R/3". The suit who does the talking drones on, "Here we see the security concept for the installation. The WGate server is protected by a firewall that keeps hackers out and lets your customers in. For additional security, only encrypted connections using the unbreakable SSL protocol are possible. This alone would make the system already more secure than Fort Knox, but we decided upon your request for a modern DMZ design. The connection to this AGate server is protected by another firewall that only lets the WGate servers through. Even if a hacker would break into the first computer, which is your job to prevent," he says and looks at Dizzy, "the second firewall will keep him locked there."

Unfortunately, Dizzy doesn't know exactly how this WGate/AGate magic is supposed to work, but the label "ISAPI" on the WGate picture gives him a bad feeling. They are going to place a Windows machine with IIS as the front-end server. This alone is not a security risk, assuming you really stay up to date with the patches. But those ISAPI plugins tend to be really bad in terms of security, and that can break the neck of an IIS server as fast as a missing patch can. So he uses the moment the suit takes a sip from his glass of fancy French bottled water and asks, "How does the WGate machine communicate with the AGate backend system?"

The suit looks at him, annoyed that he is interrupted in his wonderful promotion-supporting presentation. "What exactly do you mean?" he asks back. "Well," Dizzy says, "let's just for a moment assume that someone broke into the WGate system. What open ports would he see to the AGate box and what protocols will run there?" The question hangs in the room for a moment, then the head of the suit consulting team, probably thirty-something years old and the living incarnation of Barbie's Ken, says, "Let's try to not get sidetracked here. The SAP ITS communication architecture is used by many important customers and there have never been any problems with it. And additionally, we already placed a firewall between the two systems. So I don't see how these technical details would help us in the current context. We can provide you with the documentation for the product if you are not familiar with it."

Dizzy feels his face getting just a little hot. This guy not only has no clue what he's talking about but also attacks him directly. He says, "But if an attacker is able to get into the WGate using some exploit, he might also have exploits for the AGate system." Now the head suit tilts his eyes slightly to the ceiling, then looks to the manager, who already shows signs of annoyance, probably because he wants to get out of the meeting and considers Dizzy's interruption an additional waste of his time. Barbie's lover says, "If you don't feel comfortable with setting up these firewalls, we can provide you with a technical consultant from our partner company. He has supported us in several engagements and is very familiar with the product. The two of you could discuss the technical details and he could answer your concerns regarding the technical specifics. Mr. Meyer," Ken addresses the manager, "should we try to find a free slot with our partners to bring in the additional expert?"

Mr. Meyer looks like he just woke up from a bad dream and throws confused looks back and forth between Ken and Dizzy. Slowly, he shifts his weight in the chair and says, "I don't think this is necessary. Dizzy here will implement the firewall design as it is. In case he runs into problems, he can still get in contact with you. Getting the documentation to Dizzy is also a good idea. Dizzy, do you think you can handle that?" Now it's Dizzy's turn to keep control and not roll his eyes. He simply says, "Yes, sure." The artificially tanned skin on Ken's face starts to move and shows a bright winning smile, complete with perfectly white teeth. Dizzy, on the other hand, leans back in his chair, puts one leg over the other and inspects his boots in detail. It's not like he's not used to such outcomes of security-related questions, but the total technical ignorance these people show really pisses him off. There is not much point in continuing the discussion.

The meeting goes on for another full hour while the suits discuss the details of their contract. Although they don't talk about money directly in numbers, Dizzy catches a few glimpses of their contract paper, which is an even bigger volume than their presentation handouts were. The same is true for the numbers on the paper.

Dizzy scribbles something on the paper in front of him:

K = Knowledge
F = Power
t = Time
M = Money
Since it is K = F, t = M and F = W/t, where W is Work,
K = W/M and therefore M = W/K.
The less you know, the more money you will make.
Q.E.D.

After the meeting, he slips the paper into Mr. Meyer's beaten-up executive case in the hope that he will find it some day and make the backward connection that if your consultant's dress doesn't cost millions, he might actually know what he is talking about. His wish never comes true.

Dizzy became a security consultant after being a system administrator himself for quite a while. He used to run the university network of bszh.edu, which resulted in the Sisyphean task of trying to patch systems and prevent other people from messing with the configurations. The thing that made him really dive into computer security was a series of incidents where a single hacker started to mess with the router network, using the network-connected printers as jump points. He eventually lost the battle against this hacker, at least from his point of view. Soon after the incidents, Dizzy started to read up on hacking, beginning with such simple things as "Improving the Security of Your Site by Breaking Into It" by Dan Farmer and Wietse Venema and going on with articles on securityfocus.com and other well-known websites.

Getting into the material proved to be a fairly complicated matter because, since the time of Farmer and Venema's paper, things have become seriously more complicated. Today, it isn't just knowing about finger and the possibility of cracking crypt-encrypted passwords anymore. There are already so many areas in computer security that the whole trade can't be handled by a single person anymore. Knowing all the commonly used network protocols and their use by heart is a big challenge on its own, but that leaves out essential knowledge on several of the major operating system platforms, the password protection and storage mechanisms used, web application hacking, vulnerability research in source and binary code, exploit development, firewall and IDS technology, encryption and certificates. Eventually, he felt well-educated enough to apply as a security consultant with a small consulting company, the one that he works for right now. He wouldn't call himself a hacker, since his understanding of the term requires knowing a few more things he doesn't know yet.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004
Pages: 105