Secure Coding mailing list archives
RE: ZDNnet: Securing data from the threat within [by buying products]
From: "Michael S Hines" <mshines () purdue edu>
Date: Tue, 11 Jan 2005 17:08:57 +0000
Nontechnical answer..

A couple of clichés come to mind.

"Consider the source." --Who wrote the article and what was their interest in providing this news. IMHO - all news is biased with some person's particular spin on it. Vendors who write technical articles tend to find solutions in their products. Surprise, surprise, surprise.

"Follow the money." (with all due respect to Jerry Maguire/the movie) --Newspapers need money to pay staff, pay for materials and distribution, etc. Some of that comes from subscribers. A large portion comes from advertisers. Those who pay the bills get special considerations*. Again, consider the source and the particular financial interest they have in 'informing' the community on issues.

In some cases we may see writings from 'consultants or groups' with a particular vendor's message. Again, one should follow the money (if they can) to see what source of funds may have influenced the report. It's as if they start with a particular hypothesis to prove, and set out to find the evidence this is so.

I won't mention names but there is one that is really annoying to me. It's highly flaunted. It's so obviously biased that it's nauseating. It's accurate for what it says.. But it's intended to help you not think about what's obviously being said. And there are no disclosures about the sources of funding for the report, that just might have influenced the outcome.

They write with that bias. We should also read with the same bias. Is the information provided "marketing media" or really intended to inform?

We used to read the news to learn what had happened. Now the news makes things happen (or tries to - I could mention CBS for example, but I'll pass on that one). The issue is wider than one report on one network.

Leastwise that's my opinion - since you asked.

Mike Hines

* like large ads that come before the Table of Contents. It gets harder and harder to be able to scan the TOC for articles of interest, when you can't even find the TOC due to all the frontispiece ads. Like all those inserts that litter the floor when you're trying to read a trade publication. Like all those 10 page heavy slick stock inserts inside magazines. Well.. You get my drift...

-----------------------------------
Michael S Hines
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kenneth R. van Wyk
Sent: Tuesday, January 11, 2005 9:33 AM
To: Secure Coding Mailing List
Subject: [SC-L] ZDNnet: Securing data from the threat within [by buying products]

Greetings all,

I saw a moderately interesting article this morning on ZDNet (see http://news.zdnet.com/2100-1009_22-5520016.html?tag=zdfd.newsfeed for the full text). The premise of the article is about how companies have been building external perimeters for years and now they need to also protect themselves from insiders, because, "...now discontented, reckless and greedy employees, and disgruntled former workers, can all be bigger threats than the mysterious hacker."

The article goes on to list some new products, technologies, and methods for protecting data from the insiders. It says, "a whole new class of products has sprung up aimed at keeping employees and other insiders from sending confidential information outside the company." It describes network-level products as well as the need for client-level products for monitoring and controlling data flow.

IMHO, what's missing here is a discussion on writing better enterprise applications that make effective use of concepts like role-based access control, transaction/event logging and monitoring, etc. In fact, the article would lead an IT security manager to think that the only solution to insider problems is to buy more security products.

Frustrating... To find a fairly "mainstream" article like this that is (again, IMHO) so thoroughly off base really makes me wonder whether the Software Security community is making progress or not.

Opinions?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com