Re: Yoran on the state of software security

["Greenarrow 1" <Greenarrow1 () msn com>]

I did not want to go into depth on this subject, but theres been talk of 
rendering the United Nations control of the Internet and personally I would 
shudder to think that some countries get any control which impede or control 
what people can do on the Internet.  I will not name them but I feel you 
know which ones I am talking about.

The only reason the US Government went open about their security is because 
of the amount of breakins and the public learning of them, not because they 
wanted us to know.  To me it is utter nonsense that even the Department of 
Homeland Security (newly formed since 9-11) cannot even secure their 
Internet.  They are trying to shove security (Cyber Defense) which is so 
losely bound that a script kiddie could break into it.  For one to preach 
security one must know something about it.

I did not iterate in my statement that IT security was better then the 
governments but I do know from past events government controls do not work 
on such things.  I could babble on the things I seen that just did not work 
through government controls and not just in the US.  Yes security needs to 
tighten up the ship but where is the answer?  Getting home users to place 
security on their computers is one of the hardest events of the Internet. 
Patch management in corporations is in a quagmire specially now with MS 
issuing abundant flaw fixes within one patch.

I do agree there has to be some kind of control but by whom and the type of 
control would be the anwser.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics

[Ed. Let's please let this thread drop now, ok?  KRvW]

----- Original Message ----- 
From: "Nick FitzGerald" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 22, 2004 3:31 PM
Subject: Re: [SC-L] Yoran on the state of software security


> "Greenarrow 1" <[EMAIL PROTECTED]> wrote:
>
> > I feel government should not become involved with the internet and/or 
> > its
> > security.  For one if people look at the governments security most
> > departments have a grade of C or below.  ...
>
> Not that I'm trying to suggest that "the government" -- I guess you
> really mean "the US government" so I'll add "or any other government"
> -- necessarily should be the driver of such things, but the only reason
> you know how bad ("C or below" you say) your government departments are
> at IT security is because they actually care enough to one, try to
> measure it and two, publish the results.
>
> > ...  Would you want someone like that
> > telling you how to secure programming?
>
> Well, there is plenty of anecdotal evidence that suggests the rest of
> the private sector is _worse_ than the government sector, so I strongly
> doubt that self-policing will work!
>
> And worse still, the private sector is _heavily_ motivated to hide that
> fact.  If the (US) private sector really was going to be the saviour of
> IT security, it would have been rampantly in favour of recent attempts
> to add IT security compliance statements to federal reporting documents
> for publicly listed and traded companies (or have been championing even
> stronger measures!), but what did it do -- that's right, lobbied really
> hard to get such measures and any suggestion of them removed.
>
> If the private sector really was vested in IT security concerns it
> would be rooting for removal of the liability exempt status that almost
> exclusively applies to computer software and its developers.  What
> other "responsible" professional business sector has got away with such
> a scam for so long?  And don't try to sell me that "but it will depress
> innovation" BS -- "we" don't have to beat the stinking pinko commie rat-
> b*stards to the moon, or anywhere else, any more so why are so many
> software developers (and their political pointsmen) still saddled with
> such a short-sighted, Cold War mentality that is clearly a significant
> anti-quality, and therefore anti-security, driver?  Oh, and the "but it
> will kill open-source" BS'ers can butt out too -- if your code is that
> bad that you won't take _any_ responsibility for it, don't publish it
> _regardless_ of the licensing terms and, if it is any good, what
> possible damage (apart from to your reputation and ongoing business
> viability) can liability to, say, the cost of the software, do to you?
> (Of course, such a move may have the effect of "forcing" most large s/w
> developers to adopt freeware or open source approaches to make their
> insurance premiums affordable, but that would not necessarily be a bad
> result.)
>
> Why hasn't the private sector been actively in favour (beyond actively
> mouthing support for the general notion that better IT security is
> something we all need) of public IT security reporting standards,
> removing software's "liability exempt" status, or any other concrete
> measures to get a handle on the scale of the problem, provide means to
> measure whether we're slipping, holding or improving and so on?
>
> It wouldn't be that there are vested financial interests in treating us
> like mushrooms (keeping us in the dark and feeding us sh*t)?
>
> Surely not!  How scurrilous a suggestion...
>
> ...
>
> Above I said your government departments "care enough" to actually try
> to provide some IT security metrics.   In fact, I'm sure they don't
> care for it at all and would prefer, like their private sector
> counterparts, to not have to do anything of the sort.  The reason they
> "care enough" to make such measurements is simply because they are
> required to do so.  I would just love to see how the high and mighty,
> reputedly IT security loving, US private sector stacked up against the
> same metrics...
>
>
> Regards,
>
> Nick FitzGerald