Re: [ISN] Symantec: Boom Times For Hackers (Two messages)

From: InfoSec News (isn@private)
Date: Fri Mar 19 2004 - 03:39:05 PST


    Forwarded from: "Jack Whitsitt (jofny)" <xaphan@private>
    
    > I am not sure if I am the only one here that is concerned about this
    > fact or not, so here it goes. Isn't it at cross purposes, perhaps
    > even an ethical question, that a report like this was created by a
    > company that sells the stuff to prevent all this bad stuff from
    > happening to you? Why has no one ever suggested this before? It
    > seems like a logical conclusion.
    
    It is a logical conclusion if that's the last question you ask. The
    next thing that needs to be thought about, however, is: How many
    groups are there with that many resources in that many places who have
    that many sources of information but don't have some sort of vested
    interest in the answer? My suspicion is that the answer to that is
    "none".
    
    > For me independent sources, even if only in appearances, would help
    > to validate this information adding credibility and trust.
    
    > It appears that each and every group from Symantec to PWC, E & Y and
    > CSI/FBI has a different story to tell and it's difficult to tell
    > which one is correct because none of them support each other.
    
    All of them are looking at different data sets with different focuses.
    Global trends are usually pretty meaningless unless the questions are
    asked from a specific viewpoint / vector. Unfortunately, this also
    means that with different focuses, you see different trends.
    
    What is unethical about releasing a report based on your interests
    (focus and vector) and available data? Nothing unless you're making it
    up. The fact of being involved in the data might make it poorly suited
    for court, but stating your view of the world is a perfectly
    acceptable and - in this case - a probably helpful thing to do.
    
    Jack
    
    
    > ----- Original Message -----
    > From: "InfoSec News" <isn@private>
    > To: <isn@private>
    > Sent: Tuesday, March 16, 2004 3:44 AM
    > Subject: [ISN] Symantec: Boom Times For Hackers
    >
    >
    >> http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171
    >>
    >> By Gregg Keizer
    >> TechWeb News
    >> March 15, 2004
    >>
    >> Symantec Corp.'s twice-annual Internet Security Threat Report
    >> paints a menacing picture, one that security professionals know all
    >> too well.
    
    
    -=-
    
    
    Forwarded from: Julie Ryan <jjchryan@private>
    
    You are not alone, Mark.  There is an undercurrent of dissatisfaction
    with the data available for characterizing the problem space in
    security.  At least one article has been written on this issue, the
    citation for which follows:
    
    Ryan, Julie J.C.H. and Theresa I. Jefferson. "The Use, Misuse and
    Abuse of Statistics in Information Security Research," Proceedings of
    the 2003 ASEM National Conference, St. Louis, MO.
    
    The problems inherent in the data not only include a lack of
    similarity and cross-referencing, but also some subtle and some
    not-so-subtle problems in some of the research processes.  For
    example, the CSI/FBI survey has long included a disclaimer that the
    data is not scientifically collected.  There are significant issues
    with item and content level validity as well as in responder biases
    and conflicts of interest that need to be addressed before any data is
    interpreted.  That has not, however, stopped a whole generation of
    students, journalists, and government officials from (mis)quoting from
    the reports as if it were the truth from on-high.
    
    
    On Mar 18, 2004, at 3:29 AM, InfoSec News wrote:
    
    > Forwarded from: Mark Bernard <mbernard@private>
    >
    > Dear Associates,
    >
    > I am not sure if I am the only one here that is concerned about this
    > fact or not, so here it goes. Isn't it at cross purposes, perhaps
    > even an ethical question, that a report like this was created by a
    > company that sells the stuff to prevent all this bad stuff from
    > happening to you? Why has no one ever suggested this before? It
    > seems like a logical conclusion.
    >
    > For me independent sources, even if only in appearances, would help
    > to validate this information adding credibility and trust.
    >
    > It appears that each and every group from Symantec to PWC, E & Y and
    > CSI/FBI has a different story to tell and it's difficult to tell
    > which one is correct because none of them support each other.
    >
    > Regards,
    > Mark.
    



    This archive was generated by hypermail 2b30 : Fri Mar 19 2004 - 06:15:40 PST