funsec mailing list archives
Re: Presidential Internet Kill Switch
From: Michael Collins <mcollins () aleae com>
Date: Wed, 23 Sep 2009 14:39:25 -0400
Eh, it's a moot point already. DoD regulation 8570 is probably the inspiration for the senate order --- pretty much, if you are defense contracting, everyone's looking at you to have something like a CISSP. So, in terms of actual dollar figures, it was a done deal 2 years ago.

Since I was lecturing on this last night, I'll play devil's advocate for certification, or ideal certification in this case. We all know that the golden rule of cryptographic protocol creation is "don't". But developers love to innovate needlessly, and so we see them create their own crypto protocols over and over again, with exciting new vulnerabilities each time. The singles.org/4chan debacle earlier this year is an example of an ignorant developer reinventing the wheel with humiliating results. *If* certification teaches developers the necessary set of skills to prevent them from making the same mistakes everybody does at square zero, then it has some value. Even CISSP, which I will happily crap on usually, at least has the advantage of teaching that security isn't just in the software, and that you have to at least have a nodding familiarity with site security.

The major problem, from my POV, is that when we think "certification" as developers, we think stuff like Oracle or A+ or CNDS or stuff that is more for the benefit of the companies issuing the certification than for the client. I think in the long run, we're going to end up looking more at certification in the sense that CivEs or EEs look at it - something like professional engineering certification. That said, the design process is still radically different and there are liability problems that we have to address. Given the state of most software right now, a PE equivalent for secure software is a "please shoot me" ticket.

On Sep 23, 2009, at 11:21 AM, phester wrote:
> On Wed, 23 Sep 2009, Dan Kaminsky wrote:
>> Bottom line: What if the only people allowed to do security work were CISSPs?
>
> Or worse: what if it requires a security clearance?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Re: Presidential Internet Kill Switch, (continued)
- Re: Presidential Internet Kill Switch Larry Seltzer (Sep 23)
- Re: Presidential Internet Kill Switch Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 23)
- Re: Presidential Internet Kill Switch chris (Sep 23)
- Re: Presidential Internet Kill Switch Nick FitzGerald (Sep 24)
- Re: Presidential Internet Kill Switch Paul Ferguson (Sep 22)
- Re: Presidential Internet Kill Switch Dan Kaminsky (Sep 22)
- Re: Presidential Internet Kill Switch chris (Sep 23)
- Re: Presidential Internet Kill Switch Dan Kaminsky (Sep 23)
- Re: Presidential Internet Kill Switch phester (Sep 23)
- Re: Presidential Internet Kill Switch Michael Collins (Sep 23)
- Certs [was Re: Presidential Internet Kill Switch] der Mouse (Sep 27)
- Re: Certs [was Re: Presidential Internet Kill Switch] Jon Kibler (Sep 28)
- Re: Presidential Internet Kill Switch Larry Seltzer (Sep 23)
- Re: Presidential Internet Kill Switch Valdis . Kletnieks (Sep 23)