RE: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

["Craig Wright" <cwright () bdosyd com au>]

Hello,
Security can never be correct 100% of the time. This is not true even in
high level military establishments. I am not stating that you should not
do the best you can given a set of circumstances, but security is based
on risk.

100% secure systems for one do not exist nor can they. This is a
computationally intractable issue.

Users are also an issue. They will not put up with the costs, both
fiduciary and to freedom that 100% security requires. Even enforcing MAC
(mandatory access control) in an organisation is difficult.

The old wire cutter firewall example fails to provide security as an
example. CIA - the triumberant foundation of information security
requires availability of information. Cutting the cable cuts the legs
out of security. Nothing is ever 100% secure. Welcome to life.

Regards,
Craig

-----Original Message-----
From: Jason Muskat [mailto:Jason () TechDude Ca]
Sent: Wednesday, 17 May 2006 12:14 PM
To: Saqib Ali; Bob Radvanovsky
Cc: Sadler, Connie; email () securityabsurdity com;
security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security."

Hello,

Security has to be correct 100% of the time. One omission can lead to an
exposure. Count yourself lucky that your vulnerabilities haven't been
exposed (that you know of -- Think Ohio State's exposure
<http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations
cover
up (do not report to governmental authorizes) every exposure that
occurs.
This is the norm.

Consider the following; 10 persons information were known to be stolen.
Everything from address, SSN, account numbers, credit cards, driver
lic.,
health ins. forms, employment data, etc.. It goes unreported. Years
later
you receive letters for failing to pay your mortgage, credit cards,
taxes,
car lease, speeding tickets, you didn't show up for sentencing, and have
a
warrant for your arrest.

Things like the above happen. I read how a case of mistaken identity had
some fellow jailed for a few months before it was resolved. Imagine how
it
could have went if the perpetrator had stolen his ID.

Once your information is exposed you soon realize that there is nothing
you
can do to protect yourself, it's too late. For evermore you, not the
organization, has to check your credit reports, accounts, put flags up
in
your accounts over and over again until you die and all at your, not the
organization's, expense. Most organizations don't even offer help to the
people they adversely effected. At the very least an organization should
set
up a department to help the customers that have harmed.


Regards,

--
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/


> From: Saqib Ali <docbook.xml () gmail com>
> Date: Fri, 12 May 2006 21:22:03 -0700
> To: Bob Radvanovsky <rsradvan () unixworks net>
> Cc: Jason Muskat <Jason () techdude ca>, "Sadler, Connie"
> <Connie_Sadler () brown edu>, <email () securityabsurdity com>,
> <security-basics () securityfocus com>
> Subject: Re: Article: "Security Absurdity: The Complete,
Unquestionable, And
> Total Failure of Information Security."
>
> > "Security" is a matter of perception.  If the companies don't see it
as an
> > issue, it (quite simply) is *not* an issue.
>
> That is fine for the company in question. But NOT fine for the
> customers / other companies interfacing with the company that does not
> see INsecurity is an issue. I wouldn't wanna have my credit card info
> stolen from an online merchant, neither would you.
>
> One option is that I do not deal with compannies that do take security
> seriously. But how do I know which companies do NOT take security
> seriously? Maybe they should put a disclaimer on their website????
>
> --
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------




Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.