Security Basics mailing list archives

Re: People on Google Security blog don't understand cyber terrorism


From: Curt Purdy <infosysec () gmail com>
Date: Thu, 29 Jul 2010 13:16:13 -0400

Sometimes when I am full of myself, like when I am the last man
standing after meeting the black-hats at high-noon, at 50 paces on
main street, I think I am 'too advanced' to bother with
security-basics. But then I read comments like these from Mr. Perrin
that point me to his excellent article:
http://blogs.techrepublic.com.com/security/?p=4052&tag=leftCol;post-4052
and I wake up from my nap.

When beyond-national corporations use clueless pawns (with bad grammar
;)  to vilify their supposed enemies like Mr. Ormandy, it makes me
realize that it is our responsibility as white-hats to set the record
straight. I want to thank Mr. Perrin for doing just that.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
infosysec () gmail com
purdy () tecman com



On Wed, Jul 28, 2010 at 7:29 PM, Chad Perrin <perrin () apotheon com> wrote:
On Wed, Jul 28, 2010 at 09:49:07AM +1000, Murda wrote:

> The aims of the so called cyber terrorists may well be as illogical and
> unreasonable as their real life counterparts but they will no doubt find
> that their goals (ever shifting and nebulous as they are) will not be
> facilitated by carrying out more and more attacks.
> Why? Because terrorism never seems to actually work to deliver the goals
> that the terrorists think that they want.
> http://maxabrahms.com/pdfs/DC_250-1846.pdf
> Max Abrahms has a great piece on reasons why.
> Not strictly related to the terror being waged across the internets by these
> irresponsible disclosure-driven fiendish fiends but still relevant in some
> manner.

While Mr. Gillett (who also responded to you) made very good points, and
I agree with his statements, I feel it incumbent upon me to add one more
thing:

The term "terrorist" should not be applied to the case of Tavis Ormandy's
public disclosure of a vulnerability in software distributed by
Microsoft.  In fact, there is quite obviously no malicious intent
involved -- obviously, at least, to anyone willing to actually read about
what happened, and to think about it for more than the half second it
takes to come up with a completely overblown reaction like calling him a
"cyber terrorist" for doing what he felt was in the best interests of
software security and Microsoft's customers.

Even if you disagree with his conclusions, I don't see how one could
honestly read the available information about what happened and conclude
his actions could be described as malicious or having evil intent.

"Full disclosure" isn't an attack.  It's a philosophy of vulnerability
reporting intended to ensure the greatest security for all.  Whether it
is the most effective means of pursuing that end is not at the moment
statistically quantifiable, so we really don't know whether it works or
not, though at first blush the theory seems sound at least in principle.
By contrast, "responsible disclosure" as practiced and advocated by
Microsoft flies in the face of principles of information security that
can be traced back at least as far as Kerckhoffs' Law, formulated in the
1800s, and corroborated by more than a century of evidence since.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]

