--- Date: Tue, 21 May 2002 09:42:58 -0400 Subject: Response to State of Security Comments From: Richard Forno <rfornoat_private> Organization: www.infowarrior.org Jay Dyson is a friend of mine and a fantastic technology security professional. Recently he posted a note to various security lists expressing his frustration with the state of internet security affairs, and I've got to say that I agree completely with his observations. Jay's original comments will be followed by my response that was sent to ISN. We should be mindful of his comments - and seriously consider how much of a difference we in the security profession are really making in the 'big picture' of technology security. Cheers from DC, Rick Forno infowarrior.org From: Jay Dyson 05/20/02 >> I see that you signed off the ISN list, and I am VERY curious why? > > Look over the last four years. In all that time on this and every > other security list, what difference has been made in railing against the > FUD, waste and general idiocy of the commercial and government sector with > respect to computer and network [in]security? The answer: none. > > DMCA passed, SSSCA is coming, and it's just going to get worse > from there. You think the government or the industry gives a rat's ass > about what a bunch of open-source advocates think? Guess again. We've > been marginaziled for decades, criminalized for years, and all the days > that have been used fighting against it have been a waste. A pure, > fucking, unadulterated waste. > > Given enough time and discouragment, anyone can see when it's time > to stop fighting the tide and get the fuck off the beach. I've reached > just that time. > > And you can quote me on that. > > - -Jay From: Richard Forno 05/21/02 I've got to agree with Jay here. This is one reason why I got out of the 'hands-on" product-oriented (or 'operational' side of the) security business -- I found it to be a stressful, frustrating and ultimately unrewarding area....we'd go in, effect changes, draft policy, etc, etc, etc. and the client would still do whatever they wanted. Further, as a former CISO, trying to get security implemented at the executive levels was like pulling teeth from a rabid rhinocerous. The industry and government talks about the need for increased computer security measures and spending, yet nearly everything implemented is for future threats and long-term projects (eg, college training in security), instead of spending on actions that will deal with the known exploits/problems of the HERE and NOW. When they DO discuss industry-wide security strategies (such as the just-announced, high-priced membership in the Secure Software Engineering initiative at CMU, or the equally-priced Internet Security Alliance) it's only done with the best interests of large companies in mind - those with deep financial resources - despite what is said to the public. Little security firms, the open source community, and those who actually have a clue about security are often left in the dust. The goal, is to consolidate the knowledge of security issues in the hands of the controlling minority, and enact a culture of 'security through obscurity' -- indeed, operating under the Orwellian premise "your ignorance is our power." Nobody wants to talk about implementing REAL information systems security, since doing so would mean someone has to accept responsibility for the current state of affairs, plus it means rocking the status quo boat to implement needed change. In Washington - in America, for that matter - neither of these actions are held in high regard.....it seems that (unlike in Truman's days) passing the buck and following the collective groupthink (despite the negative consequences) is the American Way. The People don't rule, the Sheeple do. DMCA, SSSCA, CBDTPA, and other looney laws (real and proposed) further demonstrate that only those with campaign dollars have any influence in designing effective technology law. In the case of CBDTPA, Hollywood (averaging about $15B/year or so) wants to rewrite the $500 billion/year technology business just to save their failing and outdated industrial-age business models. The result is a legal clusterfsck, which makes the lawyers happy, and alienates the majority of law-abiding net users, treating us all as potential criminals (soon to be indentured corporate servants) instead of valuable customers. Until folks of the "Net Generation" - my contemporaries of GenX and later who are comfortable with technology and the Information Age - move into national corporate and elected leadership positions, enacting technology policy balanced for all sides will continue to be biased heavily toward the profiteering interests of special interest groups and Industrial Age cartels. Until this collossal demonstration of national and social cognative dissonance is remedied, Jay's comments are correct - we're in a "Matrix"-esque world where FUD, illusion, deception, and consolidated entities (government and commercial) have most of the power in the technology world. Unfortunately, few in any position of national influence want to take the "Red Pill" and see exactly how fscked-up things really are in the technology society, being content to swallow the vendor-provided "Blue Pills" showing a narrow (but corporate-centric) view of the technology society and its associated problems. Anyone who's read my column @ Securityfocus or Infowarrior.org will see I've been saying this for years. Thus, I fear we'll continue seeing increased frustration by the security and IT communities, more goofy laws and lobbying, and an endless series of worms, virii, trojans, exploits, buffer overflows, snake-oil security solutions, FUD, and more, particularly since nobody cares about holding vendors financially, criminally, or civilly accountable for their products and their many recurring 'features' that plague the wired world. In the meantime, to kick-off your hiatus, hoist a triple-shot latte for me, Jay - and have fun!!!! Rick infowarrior.org ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ Declan McCullagh's photographs are at http://www.mccullagh.org/ ------------------------------------------------------------------------- Like Politech? Make a donation here: http://www.politechbot.com/donate/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue May 21 2002 - 08:38:57 PDT