
[FYI] (Fwd) FC: Two depressing views on the state of information security




------- Forwarded message follows -------
Date sent:      	Tue, 21 May 2002 10:14:25 -0400
To:             	politech@politechbot.com
From:           	Declan McCullagh <declan@well.com>
Subject:        	FC: Two depressing views on the state of information security
Send reply to:  	declan@well.com


---

Date: Tue, 21 May 2002 09:42:58 -0400
Subject: Response to State of Security Comments
From: Richard Forno <rforno@infowarrior.org>
Organization: www.infowarrior.org

Jay Dyson is a friend of mine and a fantastic technology security
professional. Recently he posted a note to various security lists
expressing his frustration with the state of internet security
affairs, and I've got to say that I agree completely with his
observations.

Jay's original comments will be followed by my response that was sent
to ISN.   We should be mindful of his comments - and seriously
consider how much of a difference we in the security profession are
really making in the 'big picture' of technology security.

Cheers from DC,

Rick Forno
infowarrior.org


From: Jay Dyson  05/20/02

>> I see that you signed off the ISN list, and I am VERY curious why?
>
> Look over the last four years.  In all that time on this and every
> other security list, what difference has been made in railing against
> the FUD, waste and general idiocy of the commercial and government
> sector with respect to computer and network [in]security?  The answer:
> none.
>
> DMCA passed, SSSCA is coming, and it's just going to get worse from
> there.  You think the government or the industry gives a rat's ass
> about what a bunch of open-source advocates think?  Guess again.  We've
> been marginalized for decades, criminalized for years, and all the days
> that have been used fighting against it have been a waste.  A pure,
> fucking, unadulterated waste.
>
> Given enough time and discouragement, anyone can see when it's time to
> stop fighting the tide and get the fuck off the beach.  I've reached
> just that time.
>
> And you can quote me on that.
>
> - -Jay



From: Richard Forno   05/21/02

I've got to agree with Jay here. This is one reason why I got out of
the 'hands-on' product-oriented (or 'operational' side of the)
security business -- I found it to be a stressful, frustrating and
ultimately unrewarding area... we'd go in, effect changes, draft
policy, etc, etc, etc. and the client would still do whatever they
wanted. Further, as a former CISO, trying to get security implemented
at the executive levels was like pulling teeth from a rabid
rhinoceros.

The industry and government talks about the need for increased
computer security measures and spending, yet nearly everything
implemented is for future threats and long-term projects (eg, college
training in security), instead of spending on actions that will deal
with the known exploits/problems of the HERE and NOW. When they DO
discuss industry-wide security strategies (such as the just-announced,
high-priced membership in the Secure Software Engineering initiative
at CMU, or the equally-priced Internet Security Alliance) it's only
done with the best interests of large companies in mind - those with
deep financial resources - despite what is said to the public. Little
security firms, the open source community, and those who actually have
a clue about security are often left in the dust. The goal is to
consolidate the knowledge of security issues in the hands of the
controlling minority, and enact a culture of 'security through
obscurity' -- indeed, operating under the Orwellian premise "your
ignorance is our power."

Nobody wants to talk about implementing REAL information systems
security, since doing so would mean someone has to accept
responsibility for the current state of affairs, plus it means rocking
the status quo boat to implement needed change. In Washington - in
America, for that matter - neither of these actions is held in high
regard... it seems that (unlike in Truman's days) passing the buck
and following the collective groupthink (despite the negative
consequences) is the American Way. The People don't rule, the Sheeple
do.

DMCA, SSSCA, CBDTPA, and other looney laws (real and proposed) further
demonstrate that only those with campaign dollars have any influence
in designing effective technology law. In the case of CBDTPA,
Hollywood (averaging about $15B/year or so) wants to rewrite the $500
billion/year technology business just to save their failing and
outdated industrial-age business models. The result is a legal
clusterfsck, which makes the lawyers happy, and alienates the majority
of law-abiding net users, treating us all as potential criminals (soon
to be indentured corporate servants) instead of valuable customers.
Until folks of the "Net Generation" - my contemporaries of GenX and
later who are comfortable with technology and the Information Age -
move into national corporate and elected leadership positions,
enacting technology policy balanced for all sides will continue to be
biased heavily toward the profiteering interests of special interest
groups and Industrial Age cartels.

Until this colossal demonstration of national and social cognitive
dissonance is remedied, Jay's comments are correct - we're in a
"Matrix"-esque world where FUD, illusion, deception, and consolidated
entities (government and commercial) have most of the power in the
technology world. Unfortunately, few in any position of national
influence want to take the "Red Pill" and see exactly how fscked-up
things really are in the technology society, being content to swallow
the vendor-provided "Blue Pills" showing a narrow (but
corporate-centric) view of the technology society and its associated
problems.

Anyone who's read my column @ Securityfocus or Infowarrior.org will
see I've been saying this for years.

Thus, I fear we'll continue seeing increased frustration by the
security and IT communities, more goofy laws and lobbying, and an
endless series of worms, virii, trojans, exploits, buffer overflows,
snake-oil security solutions, FUD, and more, particularly since nobody
cares about holding vendors financially, criminally, or civilly
accountable for their products and their many recurring 'features'
that plague the wired world.

In the meantime, to kick-off your hiatus, hoist a triple-shot latte
for me, Jay - and have fun!!!!

Rick
infowarrior.org




------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
------------------------------------------------------------------------

------- End of forwarded message -------


-- 
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de