FC: Two depressing views on the state of information security

From: Declan McCullagh (declanat_private)
Date: Tue May 21 2002 - 07:14:25 PDT


    ---
    
    Date: Tue, 21 May 2002 09:42:58 -0400
    Subject: Response to State of Security Comments
    From: Richard Forno <rfornoat_private>
    Organization: www.infowarrior.org
    
    Jay Dyson is a friend of mine and a fantastic technology security
    professional. Recently he posted a note to various security lists expressing
    his frustration with the state of internet security affairs, and I've got to
    say that I agree completely with his observations.
    
    Jay's original comments will be followed by my response that was sent to
    ISN. We should be mindful of his comments - and seriously consider how
    much of a difference we in the security profession are really making in the
    'big picture' of technology security.
    
    Cheers from DC,
    
    Rick Forno
    infowarrior.org
    
    
    From: Jay Dyson  05/20/02
    
     >> I see that you signed off the ISN list, and I am VERY curious why?
     >
     > Look over the last four years.  In all that time on this and every
     > other security list, what difference has been made in railing against the
     > FUD, waste and general idiocy of the commercial and government sector with
     > respect to computer and network [in]security?  The answer: none.
     >
     > DMCA passed, SSSCA is coming, and it's just going to get worse
     > from there.  You think the government or the industry gives a rat's ass
     > about what a bunch of open-source advocates think?  Guess again.  We've
     > been marginalized for decades, criminalized for years, and all the days
     > that have been used fighting against it have been a waste.  A pure,
     > fucking, unadulterated waste.
     >
     > Given enough time and discouragement, anyone can see when it's time
     > to stop fighting the tide and get the fuck off the beach.  I've reached
     > just that time.
     >
     > And you can quote me on that.
     >
     > - -Jay
    
    
    
    From: Richard Forno   05/21/02
    
    I've got to agree with Jay here. This is one reason why I got out of the
    'hands-on' product-oriented (or 'operational' side of the) security business
    -- I found it to be a stressful, frustrating and ultimately unrewarding
    area....we'd go in, effect changes, draft policy, etc, etc, etc. and the
    client would still do whatever they wanted. Further, as a former CISO,
    trying to get security implemented at the executive levels was like pulling
    teeth from a rabid rhinoceros.
    
    The industry and government talks about the need for increased computer
    security measures and spending, yet nearly everything implemented is for
    future threats and long-term projects (eg, college training in security),
    instead of spending on actions that will deal with the known
    exploits/problems of the HERE and NOW. When they DO discuss industry-wide
    security strategies (such as the just-announced, high-priced membership in
    the Secure Software Engineering initiative at CMU, or the equally-priced
    Internet Security Alliance) it's only done with the best interests of large
    companies in mind - those with deep financial resources - despite what is
    said to the public. Little security firms, the open source community, and
    those who actually have a clue about security are often left in the dust.
    The goal is to consolidate the knowledge of security issues in the hands of
    the controlling minority, and enact a culture of 'security through
    obscurity' -- indeed, operating under the Orwellian premise "your ignorance
    is our power."
    
    Nobody wants to talk about implementing REAL information systems security,
    since doing so would mean someone has to accept responsibility for the
    current state of affairs, plus it means rocking the status quo boat to
    implement needed change. In Washington - in America, for that matter -
    neither of these actions is held in high regard.....it seems that (unlike
    in Truman's days) passing the buck and following the collective groupthink
    (despite the negative consequences) is the American Way. The People don't
    rule, the Sheeple do.
    
    DMCA, SSSCA, CBDTPA, and other looney laws (real and proposed) further
    demonstrate that only those with campaign dollars have any influence in
    designing effective technology law. In the case of CBDTPA, Hollywood
    (averaging about $15B/year or so) wants to rewrite the $500 billion/year
    technology business just to save their failing and outdated industrial-age
    business models. The result is a legal clusterfsck, which makes the lawyers
    happy, and alienates the majority of law-abiding net users, treating us all
    as potential criminals (soon to be indentured corporate servants) instead of
    valuable customers. Until folks of the "Net Generation" - my contemporaries
    of GenX and later who are comfortable with technology and the Information
    Age - move into national corporate and elected leadership positions,
    enacting technology policy balanced for all sides will continue to be
    biased heavily toward the profiteering interests of special interest groups
    and Industrial Age cartels.
    
    Until this colossal demonstration of national and social cognitive
    dissonance is remedied, Jay's comments are correct - we're in a
    "Matrix"-esque world where FUD, illusion, deception, and consolidated
    entities (government and commercial) have most of the power in the
    technology world. Unfortunately, few in any position of national influence
    want to take the "Red Pill" and see exactly how fscked-up things really are
    in the technology society, being content to swallow the vendor-provided
    "Blue Pills" showing a narrow (but corporate-centric) view of the technology
    society and its associated problems.
    
    Anyone who's read my column @ Securityfocus or Infowarrior.org will see I've
    been saying this for years.
    
    Thus, I fear we'll continue seeing increased frustration by the security and
    IT communities, more goofy laws and lobbying, and an endless series of
    worms, virii, trojans, exploits, buffer overflows, snake-oil security
    solutions, FUD, and more, particularly since nobody cares about holding
    vendors financially, criminally, or civilly accountable for their products
    and their many recurring 'features' that plague the wired world.
    
    In the meantime, to kick-off your hiatus, hoist a triple-shot latte for me,
    Jay - and have fun!!!!
    
    Rick
    infowarrior.org
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------