Secure Coding mailing list archives
Re: Yoran on the state of software security
From: "Greenarrow 1" <Greenarrow1 () msn com>
Date: Mon, 26 Apr 2004 14:45:57 +0100
I did not want to go into depth on this subject, but there's been talk of rendering the United Nations control of the Internet, and personally I would shudder to think that some countries get any control which impedes or controls what people can do on the Internet. I will not name them, but I feel you know which ones I am talking about.

The only reason the US Government went open about their security is because of the amount of break-ins and the public learning of them, not because they wanted us to know. To me it is utter nonsense that even the Department of Homeland Security (newly formed since 9-11) cannot even secure their Internet. They are trying to shove security (Cyber Defense) which is so loosely bound that a script kiddie could break into it. For one to preach security one must know something about it.

I did not iterate in my statement that IT security was better than the government's, but I do know from past events government controls do not work on such things. I could babble on the things I have seen that just did not work through government controls, and not just in the US.

Yes, security needs to tighten up the ship, but where is the answer? Getting home users to place security on their computers is one of the hardest events of the Internet. Patch management in corporations is in a quagmire, especially now with MS issuing abundant flaw fixes within one patch. I do agree there has to be some kind of control, but by whom and the type of control would be the answer.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics

[Ed. Let's please let this thread drop now, ok? KRvW]

----- Original Message -----
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 22, 2004 3:31 PM
Subject: Re: [SC-L] Yoran on the state of software security
"Greenarrow 1" <[EMAIL PROTECTED]> wrote:

> I feel government should not become involved with the internet and/or its security. For one, if people look at the government's security, most departments have a grade of C or below. ...

Not that I'm trying to suggest that "the government" -- I guess you really mean "the US government" so I'll add "or any other government" -- necessarily should be the driver of such things, but the only reason you know how bad ("C or below" you say) your government departments are at IT security is because they actually care enough to one, try to measure it and two, publish the results.

> ... Would you want someone like that telling you how to secure programming?

Well, there is plenty of anecdotal evidence that suggests the rest of the private sector is _worse_ than the government sector, so I strongly doubt that self-policing will work! And worse still, the private sector is _heavily_ motivated to hide that fact. If the (US) private sector really was going to be the saviour of IT security, it would have been rampantly in favour of recent attempts to add IT security compliance statements to federal reporting documents for publicly listed and traded companies (or have been championing even stronger measures!), but what did it do -- that's right, lobbied really hard to get such measures and any suggestion of them removed.

If the private sector really was vested in IT security concerns it would be rooting for removal of the liability exempt status that almost exclusively applies to computer software and its developers. What other "responsible" professional business sector has got away with such a scam for so long?
And don't try to sell me that "but it will depress innovation" BS -- "we" don't have to beat the stinking pinko commie rat-b*stards to the moon, or anywhere else, any more, so why are so many software developers (and their political pointsmen) still saddled with such a short-sighted, Cold War mentality that is clearly a significant anti-quality, and therefore anti-security, driver?

Oh, and the "but it will kill open-source" BS'ers can butt out too -- if your code is that bad that you won't take _any_ responsibility for it, don't publish it _regardless_ of the licensing terms and, if it is any good, what possible damage (apart from to your reputation and ongoing business viability) can liability to, say, the cost of the software, do to you? (Of course, such a move may have the effect of "forcing" most large s/w developers to adopt freeware or open source approaches to make their insurance premiums affordable, but that would not necessarily be a bad result.)

Why hasn't the private sector been actively in favour (beyond actively mouthing support for the general notion that better IT security is something we all need) of public IT security reporting standards, removing software's "liability exempt" status, or any other concrete measures to get a handle on the scale of the problem, provide means to measure whether we're slipping, holding or improving and so on? It wouldn't be that there are vested financial interests in treating us like mushrooms (keeping us in the dark and feeding us sh*t)? Surely not! How scurrilous a suggestion...

... Above I said your government departments "care enough" to actually try to provide some IT security metrics. In fact, I'm sure they don't care for it at all and would prefer, like their private sector counterparts, to not have to do anything of the sort. The reason they "care enough" to make such measurements is simply because they are required to do so.
I would just love to see how the high and mighty, reputedly IT security loving, US private sector stacked up against the same metrics...

Regards,
Nick FitzGerald