Andrew Plato writes:

> > If there is one thing to learn from the CRIME list, it's that computer
> > security people are a cynical, skeptical (probably even bitter :-))
> > bunch. It's our job to be skeptical, to find the many flaws and
> > assume the worst of whatever we're looking at.
>
> I find this to be a very incomplete view of the security industry. I
> consider myself part of the security industry but I do not see myself
> as a cynical, skeptical, or bitter person when it comes to my work. I
> think this is a problem in some regards with security people. They are
> so consumed with finding faults, they forget (or ignore) methods to
> patch or repair those faults.

Andrew, that's just 'cause you don't know what people are saying behind
your back. I used to be happy and optimistic until I became enlightened.
Now I know all the things people (Zot & George) say about me behind my
back and those happy days are gone. ;)

Honestly, finding security faults is a major piece, but the problem is we
end up cynical and skeptical after spending waaaaay too much time patching
and repairing things that weren't designed right in the first place.

I am OS-agnostic. I'll use whatever is best or whatever is available if I
have to. That said, I have found it is easier to lock down some systems
than others and personally, I don't even bother using Outlook for certain
lists that get lots of hostile traffic because I have no good way of
securing it. It was poorly designed and implemented when it comes to
security. You cannot argue that point (well, you could, but you'd be
wrong).

As to hardening Win2K: it is certainly easier than previous MS products.
But answer me this: is it easier to shut off services or limit services
for NFS via one of the many GUIs that are available, or is it easier to go
into the registry and find the setting that will actually allow you to
kill the administrative & IPC shares on every MS system?

> I see my role as a person who has to actually patch up those holes. And
> that is a very different perspective than the academics and pundits who
> want to terrify people into action. Spreading FUD may be fun and
> emotionally satisfying, but it isn't very productive. Somebody, like me,
> has to help people patch those holes. And scaring people with "Microsoft
> is bad, you're an idiot for using it" rhetoric may help fan the flames
> of anti-Microsoft sentiment, but it isn't really practical for IT
> managers who then have to return to their office and confront 500
> Windows machines.

It isn't about spreading FUD. It is about telling the truth about products
and not sugar-coating it. Fuck "right-sizing" a company, tell people they
are being laid off. This attitude of sunshine and light is silly. We've
gone from reviewing the good vs. bad things about something, to talking
about "plusses and minuses", to talking about "plusses and challenges for
next time".

Scaring people unnecessarily is bad, you are right. Telling people that it
is okay to run through a warzone painted bright red and wearing a bullet
proof vest that won't actually stop a paintball is NOT.

Spreading FUD is not satisfying to most people; personally I get REALLY
FUCKING SICK AND TIRED OF HAVING TO EXPLAIN THIS TO PEOPLE OVER AND OVER
AND OVER AND OVER AND OVER again. Microsoft has a miserable, horrible
history when it comes to many, many things. Security is just one of them.
It happens to be one that they seem to be trying to make some level of
improvements to. We'll see if they do better.

> I think the fact that Graham designed an intrusion detection product
> (BlackICE, now the core technology in ISS's RealSecure) is demonstrative
> of his commitment to building solutions that are neither a nuisance nor
> an inconvenience. In fact, I would argue (although I have a rather
> obvious bias here) that Mr. Graham's technologies are some of the least
> intrusive security products that still deliver outstanding capabilities.

Rob writes some very good stuff (stop calling him "Graham", dammit! He has
a name and he isn't in the military). That is not what Crispin or anyone
else has said. Crispin said the article misses the point.

Toby
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:26 PDT