Firewall Wizards mailing list archives

Re: Re: Ethics, morality and the industry


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 29 Oct 2004 15:51:22 -0400

Paul Foster wrote:
> My self-deception is that a refresher is always good, especially as I find
> us practitioners sometimes fall into patterns of thinking.  Using firewall
> logs as an example, many practitioners fall into the habit of only
> reviewing what has been dropped/rejected.

That's a great case in point!! People who have been doing log analysis
and understand log analysis have been saying for YEARS that you want
to delete known events and examine the residuals, not search only for
known problems. That's log analysis 101. I can assert that because, well,
I _teach_ log analysis 101! :)  Anton Chuvakin and I are (ahem!) even
writing a book on the topic. :)

So would it be more useful to you if some convicted pedophile or maybe
a mass murderer told you "delete known events and examine the residuals
when examining logs"? Does that carry more weight somehow, when you
get good advice from unapologetic bad guys than from boring old industry
grey-beards(*)??  Bill Murray's definitely a grey-beard and would probably
tell you he'd been saying "delete known events and examine the residuals"
around the time I was born. His advice, coming from a deeper expertise
and long practice in positive problem-solving, is worth diamonds to mud
compared to the advice of all the Mitnicks in the world.

mjr.
(* Now officially a computer security grey-beard; the mustache is
starting to show flecks of white and it ain't cheese from my pizza!)  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
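
Added example, not part of the original post: a minimal sketch of "delete known events and examine the residuals" applied to firewall logs, including accepted traffic that a review of drops alone would never show. The log lines, the KNOWN patterns and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (not from any real system).
SAMPLE_LOG = """\
Oct 29 15:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23
Oct 29 15:01:05 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.21 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443
Oct 29 15:01:09 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.22 DST=198.51.100.9 PROTO=UDP SPT=33001 DPT=53
Oct 29 15:02:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40990 DPT=23
Oct 29 15:03:40 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=198.51.100.77 PROTO=TCP SPT=49822 DPT=6667
Oct 29 15:04:00 fw1 fwd[212]: configuration reloaded by uid=0
Oct 29 15:04:31 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=198.51.100.77 PROTO=TCP SPT=49830 DPT=6667
"""

# Hypothetical "known and understood" events for this site; matching lines are deleted.
KNOWN = [
    re.compile(r"DROP IN=eth0 .* DPT=23$"),                  # routine inbound telnet probes
    re.compile(r"ACCEPT IN=eth1 .* PROTO=TCP .* DPT=443$"),  # outbound HTTPS
    re.compile(r"ACCEPT IN=eth1 .* PROTO=UDP .* DPT=53$"),   # outbound DNS
]

def normalize(line):
    """Strip the timestamp and mask per-event fields so repeats collapse into one shape."""
    line = re.sub(r"^\w{3}\s+\d+\s[\d:]{8}\s", "", line)
    line = re.sub(r"\bSPT=\d+", "SPT=#", line)
    line = re.sub(r"\[\d+\]", "[#]", line)
    return line

def residuals(log_text, known=KNOWN):
    """Delete lines matching a known pattern; count what is left by normalized shape."""
    left = Counter()
    for line in log_text.splitlines():
        if line.strip() and not any(p.search(line) for p in known):
            left[normalize(line)] += 1
    return left

if __name__ == "__main__":
    # Rarest first: the least frequent residual is often the most interesting.
    for shape, count in sorted(residuals(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{count:4d}  {shape}")
```

Each residual shape is either investigated or, once understood, added to KNOWN, so the list of unexplained events shrinks over time.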

