RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
Topic: Computer Security 2:53 pm EST, Nov 30, 2006

noteworthy wrote:

A long-overdue wake up call for the information security community.

This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.

I wrote up a long response to this yesterday and unfortunately I managed to accidentally kill the browser window. Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

Clearly, we have failed to solve the problem of disease! Healthcare professionals are responsible! They are complacent and lazy! Look at all the health problems we face! AIDS, Cancer, Heart Disease, Lung Disease, Polio, Black Death, the Flu! Look at all these poor people who have been impacted by these diseases! We're one random mutation away from a flu virus that will wipe out all of humanity! And the CDC has the audacity to not be in a permanent state of emergency! Why? Diseases are out-evolving our protections and healthcare is inaccessible!

Would you take this article seriously? Would you agree that the entire healthcare industry is a failure? Would you stop going to the doctor because you figure it's a big waste of time? Would you get mad at your doctor for being a complacent member of the healthcare industry?

In fact, there have been significant improvements in the state of the technical situation, due to things like more vulnerability research, automated patching, IPS technology, and exploit protection technologies. A vast number of problems have been solved. DoS attacks are much harder than they used to be. Worms don't propagate as well as they used to. Most modern attacks cannot be targeted. Trying to entice people to click on your evil web page is harder than owning their network directly. The directed attacks we see today are very sophisticated. Compare the complexity of the most recent sendmail bug to bugs in sendmail 10 years ago.

We're not done yet, but it's ignorant to argue that nothing substantial has been accomplished.

Attacks are up because there are more financial motivations today than there were 5 years ago, despite the fact that it's harder to perform attacks than it was 5 years ago. Computer security professionals will never "solve" crime because it's not a technical problem and it doesn't have a "solution." With respect to things like phishing attacks and consensually installed spyware, computer security professionals also cannot fix the reality that a fool and his money are easily parted.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas; it's not true, and it's not useful.
