Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."

[Bob Radvanovsky <rsradvan () unixworks net>]

But you've left out *one* very important factor: Mr. Winkler is a former intel operative from the U.S. federal 
government.  For him, he *is* "Mr. Security", and would understand its intricacies; however, don't discount other 
people's judgements or decisions who are simply discussing alternative possibilities, but aren't considered "resident 
experts", like as yourself.  You are implicating (again) that security is an "absolute" instead of a "resolute" (that 
being "relative" to any given environment).  If this helps people understand its philosophy, "security" can be 
expressed as an entity -- if you will -- an organism, one that evolves just like a living, breathing organism.

What you have to understand is that people like Mr. Winkler are in the business fortifying an environment or system -- 
by first destroying it.  By being an intel operative, and breaking into a system or environment, they are (effectively) 
destroying it by demonstrating its ineffectiveness in stopping (or preventing) them from gaining access.  How does 
making a comparison to that mean that something is or is not secure?  Another question might be, if an organization 
were to allow a portion of its environment to be exposed and vulnerable to attack, does that make that organization 
less secure, more secure, or about the same?  The answer is: "it depends".  Based on the elements given, how can you 
ascertain that that organization is or is not "secure"?  You can't.  An almost similar type of conclusion is being 
drawn from the other analogy that brought about this *whole* debate.

-r

DISCLAIMER:  Just because someone says that something is "secure" doesn't mean that it *is* "secure".

----- Original Message -----
From: Saqib Ali [mailto:docbook.xml () gmail com]
To: "Robinson, Sonja" [mailto:Sonja.Robinson () fticonsulting com]
Cc: Jason Muskat [mailto:Jason () techdude ca], Craig Wright [mailto:cwright () bdosyd com au], Bob Radvanovsky 
[mailto:rsradvan () unixworks net], "Sadler, Connie" [mailto:Connie_Sadler () brown edu], email () securityabsurdity 
com, security-basics () securityfocus com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."


> "hear, hear!"
>
> "The goal of your security program is to optimize risk, never minimize
> it. This is an extremely important distinction. It also sounds
> counterintuitive to many people" From Ira Winkler's book titles Spies
> Among Us.
>
> The whole book is an excellent read. But I would highly recommend
> reading the pages 35 through 50, for a understanding of the topic of
> security. People write about security without  really understanding
> the nature of the beast.
>
> Or even better, have a 1-one-1 session with Mr. Winkler on how you can
> minimize security related risk at your organization.
>
>
> On 5/22/06, Robinson, Sonja <Sonja.Robinson () fticonsulting com> wrote:
> > I had this debate on a different forum last week. I found the article
> > annoying and misleading in many instances (typos aside).  It just
> > rehashed the same things and didn't provide solutions but just blamed me
> > for the ills of society (like I need more).  I try to beat my users
>
>
> -- 
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------