Security Basics mailing list archives
RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 18 May 2006 08:09:45 +1000
Hello, Security can never be correct 100% of the time. This is not true even in high level military establishments. I am not stating that you should not do the best you can given a set of circumstances, but security is based on risk. 100% secure systems for one do not exist nor can they. This is a computationally intractable issue. Users are also an issue. They will not put up with the costs, both fiduciary and to freedom that 100% security requires. Even enforcing MAC (mandatory access control) in an organisation is difficult. The old wire cutter firewall example fails to provide security as an example. CIA - the triumberant foundation of information security requires availability of information. Cutting the cable cuts the legs out of security. Nothing is ever 100% secure. Welcome to life. Regards, Craig -----Original Message----- From: Jason Muskat [mailto:Jason () TechDude Ca] Sent: Wednesday, 17 May 2006 12:14 PM To: Saqib Ali; Bob Radvanovsky Cc: Sadler, Connie; email () securityabsurdity com; security-basics () securityfocus com Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Hello, Security has to be correct 100% of the time. One omission can lead to an exposure. Count yourself lucky that your vulnerabilities haven't been exposed (that you know of -- Think Ohio State's exposure <http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations cover up (do not report to governmental authorizes) every exposure that occurs. This is the norm. Consider the following; 10 persons information were known to be stolen. Everything from address, SSN, account numbers, credit cards, driver lic., health ins. forms, employment data, etc.. It goes unreported. Years later you receive letters for failing to pay your mortgage, credit cards, taxes, car lease, speeding tickets, you didn't show up for sentencing, and have a warrant for your arrest. Things like the above happen. I read how a case of mistaken identity had some fellow jailed for a few months before it was resolved. Imagine how it could have went if the perpetrator had stolen his ID. Once your information is exposed you soon realize that there is nothing you can do to protect yourself, it's too late. For evermore you, not the organization, has to check your credit reports, accounts, put flags up in your accounts over and over again until you die and all at your, not the organization's, expense. Most organizations don't even offer help to the people they adversely effected. At the very least an organization should set up a department to help the customers that have harmed. Regards, -- Jason Muskat | GCUX - de VE3TSJ ____________________________ TechDude e. Jason () TechDude Ca m. 416 .414 .9934 http://TechDude.Ca/
From: Saqib Ali <docbook.xml () gmail com> Date: Fri, 12 May 2006 21:22:03 -0700 To: Bob Radvanovsky <rsradvan () unixworks net> Cc: Jason Muskat <Jason () techdude ca>, "Sadler, Connie" <Connie_Sadler () brown edu>, <email () securityabsurdity com>, <security-basics () securityfocus com> Subject: Re: Article: "Security Absurdity: The Complete,
Unquestionable, And
Total Failure of Information Security.""Security" is a matter of perception. If the companies don't see it
as an
issue, it (quite simply) is *not* an issue.That is fine for the company in question. But NOT fine for the customers / other companies interfacing with the company that does not see INsecurity is an issue. I wouldn't wanna have my credit card info stolen from an online merchant, neither would you. One option is that I do not deal with compannies that do take security seriously. But how do I know which companies do NOT take security seriously? Maybe they should put a disclaimer on their website???? -- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
Current thread:
- Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." email (May 10)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Saqib Ali (May 15)
- <Possible follow-ups>
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Sadler, Connie (May 10)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Craig Wright (May 20)
- Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Jason Muskat (May 20)
- RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security." Robinson, Sonja (May 23)