> If there is one thing to learn from the CRIME list, it's that computer
> security people are a cynical, skeptical (probably even bitter :-)) bunch.
> It's our job to be skeptical, to find the many flaws and assume the worst
> of whatever we're looking at.

I find this to be a very incomplete view of the security industry. I consider myself part of the security industry, but I do not see myself as a cynical, skeptical, or bitter person when it comes to my work.

I think this is a problem in some regards with security people. They are so consumed with finding faults, they forget (or ignore) methods to patch or repair those faults. I see my role as a person who has to actually patch up those holes. And that is a very different perspective than the academics and pundits who want to terrify people into action. Spreading FUD may be fun and emotionally satisfying, but it isn't very productive. Somebody, like me, has to help people patch those holes. And scaring people with "Microsoft is bad, you're an idiot for using it" rhetoric may help fan the flames of anti-Microsoft sentiment, but it isn't really practical for IT managers who then have to return to their office and confront 500 Windows machines.

> Oh, and as for Robert Graham's article, he seems to advocate punting
> and doing nothing. "Gee, taking your car keys out of the ignition
> and locking/unlocking your car door is an inconvenience? Well, leave
> it unlocked with the keys in the ignition, then. Furthermore, why does
> Fnord Motors get beat up by the auto security community for not putting
> locks in cars at all?" Sure, it's an exaggerated analogy, but in essence
> that's what he's saying. Since most of us (in urban Portland, anyway)
> manage to deal with the inconvenience of locking our cars, the notion that
> users shouldn't have to put up with even minor inconveniences seems false.

I don't think locking a car and uninstalling a complex software component are really very comparable.

This is what happens when we start to reason metaphorically. The metaphors become twisted. The fact is most people simply do not understand how their PC functions. They don't care about services, ports, or access control lists. They want to go down to Best Buy, purchase a digital camera, plug it in and have it immediately work. Ever notice how the aisles at Frys are filled with obviously returned products? I would bet that a large percentage of those returns were simply because the person who bought the product did not understand how to integrate that product with their existing environment (and the awful documentation probably didn't help).

Graham's point, then, is that most people really are not concerned with security. They want usability, and security is second. The challenge to security folks is to find ways to provide both. And that is not easy and it won't happen overnight. You are not going to convince people to just throw off their Windows boxes and adopt highly secure UNIX terminals tomorrow.

> However, and I think this is the most crucial point that Robert Graham
> misses, the best security solutions are those that are neither a nuisance
> nor an inconvenience and yet provide real security. It is a failure of both
> designers and security experts that security and convenience are seen
> as opposites, to be traded off against each other. That's what we all,
> including Microsoft, should be working towards.

I think the fact that Graham designed an intrusion detection product (BlackICE, now the core technology in ISS's RealSecure) is demonstrative of his commitment to building solutions that are neither a nuisance nor an inconvenience. In fact, I would argue (although I have a rather obvious bias here) that Mr. Graham's technologies are some of the least intrusive security products that still deliver outstanding capabilities.

Andrew Plato
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:55 PDT