Full Disclosure mailing list archives
Re: Not telling enough - ethics/shmethics
From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 18 Aug 2005 14:51:28 -0400 (EDT)
On Thu, 18 Aug 2005, DAN MORRILL wrote:
> Good afternoon folks, You know I find this interesting in that we are stating ethics, and this is something that is important to the information security community at large. So whose ethics do we apply? If I was to follow the CISSP code of ethics, in that consorting with non-professionals would mean that I could not teach information security in college (which I do), nor could I teach what I know to developers or programmers or others who are not information security professionals (which I do) to help them develop better products. One of the reasons why I don't have a CISSP is because of that clause in the code of ethics; I would violate it right and left every time I got in front of a classroom.
One of the issues I see with certifications nowadays is that, in this industry, once upon a millennium ago it was an honor to have a cert in something, whereas nowadays you can have any Joe Shmoe memorize a book and get a cert. For that matter, sell them in bubble gum machines and call it a day. Many of the "certs" nowadays seem to have slowly tailored their prereqs towards industry crybabies (Cisco, MS, Oracle, Symantec). Far too many in my opinion have lost sight of the fundamentals and have started focusing far too deeply on "Who will be my gold/platinum sponsor".
> So what we need is a universal code of ethics that everyone could agree on (herding cats by the way can be entertaining). So how ethical was it for someone to post anon about msdss.dll this morning and how many people did they put at risk (even if it took someone 6 months to do something, heck Oracle has taken over 2 years to fix a security issue, very few whine about them).
Universal codes are meant to be broken, that is just life. Everything under the sun is made to be broken. What applies in one place might destabilize something some place else. So who is to set standards? Governments? So they can custom tailor things to their own will? Like ECHELON used to snoop and steal contracts?
> We need to do that more often, and stop slamming on each other, and start setting real standards that can be directly applied, much like doctors, lawyers, nurses. We have the same ability to ruin other people's lives as any doctor, lawyer or nurse. We need accountability against those standards, much like any other profession.
The problem with this is, again, who should you trust? Vendors should be held accountable for not patching their shoddy programs up properly. Look at the now-becoming-boring case of Lynn and Cisco. Lynn was punished. Know what? If Cisco had this information for years now and didn't do squat, how come no one is investigating them and fining them for every day their holes aren't patched?
> so what are "we" going to do about it?
Roll over and cry you spilled your milk. Far too many companies are more concerned with appeasing their investors to bother dealing with real issues. Microsoft walks all over governments with their practices, Cisco just joined the "Buy a politician" club obviously, so who do you look to? Obviously mentioning the government (any government) is likely to throw another gov into a panic, so in reality there is little to be done. Invest in one of these seedy security companies, make some cash off of others' misery. That's what you can do about it.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy." - Sun Tzu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/