Michael, > The FBI has a conflict-of-interest, Can you elaborate on this? How does the FBI have a conflict of interest, w/ regards to the context of this thread? > even though they are in the stone age > when it comes to computers and computer systems. How so? Both NIPC and the Computer Crime Squad have some pretty bright guys and gals. > 'cyber-terrorism' and 'information warfare,' as well > as 'Electronic Pearl > Harbor' (I LOVE that one!) are red herrings > contractors, government agencies > and the military play the "Me Too!" game for more > funding. Please be clear when you make statements like this. First off, "Electronic Pearl Harbor" is a phrase first attributed to Winn Schwartau. Second, it was Congress that held ineffectual hearings regarding security, throwing their own 'red herring'. Third, how has the military adoption of "information warfare" generated an increase in funding, particularly at a time when all services (except the Marine Corps) are having difficulty bringing in enough new people to sustain their forces? > That comes from > 27 years active duty in the Navy. Then, it was > 'terrorism.' Now, it's > "cyberterrorism." It's become just a money game. I > don't want my > profession to be associated with such yellow > journalistic tactics. In all fairness to those who _are_ using those terms, perhaps there is a reason for it. Not too long ago, the teachers in Oakland, CA, started a similar campaign. They claimed that their kids spoke "ebonics". As odd as it may sound, the reason for doing this was that all other channels for requesting necessary funding had been exhausted. Also, I sense that you're mixing targets here. You say that you don't like what gov't agencies and the military are calling this activity, then you say that you don't want your "profession to be associated with such yellow journalistic tactics". I've been out of the military for only a little while, but I can't believe that they've all turned into journalists. > The bottom line is, in most cases, if you're hacked > and you're functioning > as the sysadmin, IT'S YOUR FAULT!!! I somewhat agree with you on this. Any sysadmin who hadn't disabled the ida/idq script mappings on IIS or hadn't installed the patch had best be very, very happy that Code Red wasn't nearly as destructive as it could have been. However, where I disagree is in the sense that managers are not making sysadmins responsible for security. Most other jobs...sales, admin, HR, recruiting, etc...all have quantifiable metrics by which the employee can be judged. Did the admin person process payroll and pay the office rent on time this month? How many leads did the sales rep generate, and how much revenue have they brought in? Yet, when it comes to security, very few managers seem to assign the responsibilities and provide the necessary resources (ie, training, etc). > until > we canonize that in people's minds, the ISVs and > vendors will continue to > duck responsibility with the EULAs and the > integrators and consultants will > continue to duck THEIR responsibilities, too. Again, this "ducking" can be obviated or mitigated through the use of contracts. Yes, I've been a consultant, and I've been releaved in some cases that the customer wasn't bright enough to pin the sales rep down on a couple of items. Yet, in the long run, this only hurts the customer. If you know what it is you're looking for, or can articulate your needs, then you can put the necessary language and stipulations in the contract. > It hasn't happened yet. The thought that we, > sitting in air-conditioned > offices, with laptops or CRT screens in front of us > are 'warriors' fighting > the 'good fight' is just laughable. So you mean when I'm playing a Quake tourney, I'm NOT a warrior? ;-) Seriously, I fully agree. A lot of folks billing themselves as "cyber-warriors" are really slip-shod in their work. Many of them are very technically adept, and can make a Linux kernel sit up, hop around on one leg, and bark. But what good does that do for a client who doesn't have any Linux, and very little *nix...maybe an HP-UX system, or some Solaris? > After all, who is the last person you know who died > because of a buffer > overflow? I've seen the stuff from intelligence folks that says that real, legit terrorists aren't comfortable with the use of computer technology to meet their aims...yet. Why break into a computer system to open the gates of a dam and flood an area, when it's easier to just blow it up? __________________________________________________ Do You Yahoo!? Get email alerts & NEW webcam video instant messaging with Yahoo! Messenger http://im.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 02:24:49 PDT