Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Dave Piscitello <dave () corecom com>
Date: Mon, 19 Aug 2002 12:42:24 -0400

Several points, but brief:

>the notion that a security person's security is an indication of how well they can
>secure others. ...

How many of us worry overly much about this? I do, or did until maybe just now.
Anyone's security is a set of interdependencies: the software they run without the benefit of having examined every line of source, the configurations they set that create whatever compromise an individual determines suits his or her needs for connectedness, convenience and security, the trust in 3rd parties providing service, etc. If we all spent as much time reviewing code we run as those intent on breaking code, we'd be running secure systems, save for the fact that we'd be broke and jobless.

>by holding such a high expectation, we're making our
>practitioners vulnerable to this kind of blackmail from the hackers.

The irony here is that practitioners can only try to make the best of a bad situation - exploited code isn't the practitioner's product, but he's held accountable for not anticipating it?

>(* not trusting the expertise of an expert you just paid a ton
>of money for is stupid by any definition I can think of...)

I've sorted through my many definitions of stupid here. There's an Andersen Consulting joke somewhere that probably fits. But no one's laughing over this any longer, nor is Andersen the only butt of the joke.


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

