Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: George Capehart <capegeo () opengroup org>
Date: Thu, 10 Apr 2003 11:16:45 -0400
On Thursday 10 April 2003 09:07 am, R. DuFresne wrote:
> It seems that the real power holder in the whole debate is perhaps that identity having been pointed to and referenced more frequently in recent rants on coding styles and such; the consumer. On that bent, perhaps a holding of breath for change to take place in forcing companies and their coders and such to pay more attention to the details of security and bounds checks and all, might well result in a number of purple heads/faces blowing up under-pressure. After all, we as a buying public still pay out large sums of cash yearly for SUV's that almost need a direct link to a gas pump, roll over with slight twists of the steering mechanics to avoid obstacles, and do extremely poorly in crash tests. Even with seatbelts and airbags installed, under federal regulations.
I'm replying to the list 'cause I'm going to include comments from others in this thread rather than reply to them individually.

Jeffrey Behm sorta kicked things off when he lamented the absence of (even) basic secure coding practices in most software. Over the course of the thread, mjr has made several points:

o "It's an across the board problem. I think there's enough blame to go around, honestly. :)" -- Hard not to agree with this.
o "Hence, UCITA, to head off just that eventuality." -- So don't even think about recourse . . .
o The point about "Continuing to put your good money down on crap that you know is crap eventually loses you your moral position from which to complain if what you get is crap." This is a valid position. Problem I see here is that in almost all of the cases of which I am aware, the people who make the decision to continue to buy crap either don't know it's crap or don't care. This points to what will become the theme of this message.

Adam Shostack made the point: "At the end of the day, it's the customers, who need to have a good reason to care about security, and good assurance that their spending has an effect."

Mike Frantzen's point: "Lesson learned, just do it right."

Then there is Ron DuFresne's jewel: "On that bent, perhaps a holding of breath for change to take place in forcing companies and their coders and such to pay more attention to the details of security and bounds checks and all, might well result in a number of purple heads/faces blowing up under-pressure."

To me this all ends up as a governance and accountability issue. There certainly is enough blame to go around. This is not an intractable problem. IMHO, the reason it is not being managed is that no one is being held accountable for not "doing it right." Why is that? It is not important. *That* makes it a governance issue. How does one get the attention of a Board of Directors? Good question. Someone/something got Bill Gates' attention . . .
Suggestions will be greatly appreciated. :>

FWIW

--
George Capehart