Dailydave mailing list archives

That weird dream


From: dave <dave () immunityinc com>
Date: Tue, 01 Sep 2009 07:36:56 -0400


So you know that weird dream you have where you go back to high school
but you know everything you know now? (Note, it will turn out that
teenage girls are even LESS impressed by guys who can do basic algebra
or make small strings of A's into really long strings of A's than you'd
think).[1]

Anyways, this is what doing a security review of any large company's
internals is like. Partially, this is Microsoft's fault, since they
market things like Sharepoint to large companies which are entirely
unsecurable. For a large company, the only available response to a
Sharepoint security review is to put your head between your hands and
chant "NAH NAH NAH!" until it stops. Maybe the next version of
Sharepoint will be better?

I jest of course - by then we will all be using Google Wave, because
nothing says "I don't care about security" more than adopting the latest
new collaboration protocol. :>

It's funny how cryptographic algorithms get a robust approach:
1. Don't use algorithms you can't understand (aka, ideally write proofs
against) (This implies you don't use closed algorithms)
2. Don't use algorithms that haven't stood well for five or ten years of
examination (which also implies that you don't use closed algorithms)
3. Once an algorithm starts to break even a little, completely abandon it.

Five or ten years is about 2 or 3 computer generations. That means that
if you design an algorithm for today's computing environment, you can't
possibly have it reviewed for long enough to make it secure. This is
probably partially why attackers are cleaning your clock left and right.
*cough* Twitter *cough*.

In any case, largely a large company's security is not Sharepoint's
fault. Largely it's because IT is a really hard job that is 90% customer
service. So if you want to grow, you don't buy good IT people, you build
them, and that means they make mistakes on your dime. So if you're good
at your job, and you still have a company ten years from now, you'll
have systems set up and designed by people who were JUST LEARNING ten
years ago.

-dave
[1] Guys, however, are pretty impressed by this, so the joke didn't work
when I made it less gender specific. Sorry!
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave