Information Security News mailing list archives

Re: Symantec: Boom Times For Hackers (Two messages)


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Mar 2004 05:39:05 -0600 (CST)

Forwarded from: "Jack Whitsitt (jofny)" <xaphan () violating us>

I am not sure if I am the only one here that is concerned about this
fact or not, so here it goes. Isn't it at cross purposes, perhaps
even an ethical question, that a report like this was created by a
company that sells the stuff to prevent all this bad stuff from
happening to you? Why has no one ever suggested this before? It
seems like a logical conclusion.

It is a logical conclusion if that's the last question you ask. The
next thing that needs to be thought about, however, is: How many
groups are there with that many resources in that many places who have
that many sources of information but don't have some sort of vested
interest in the answer? My suspicion is that the answer to that is
"none".

For me, independent sources, even if only in appearance, would help
to validate this information, adding credibility and trust.

It appears that each and every group from Symantec to PWC, E & Y and
CSI/FBI has a different story to tell, and it's difficult to tell
which one is correct because none of them support each other.

All of them are looking at different data sets with different focuses.  
Global Trends are usually pretty meaningless unless the questions are
asked from a specific viewpoint / vector. Unfortunately, this also
means that with different focuses, you see different trends.

What is unethical about releasing a report based on your interests
(focus and vector) and available data? Nothing unless you're making it
up. The fact of being involved in the data might make it poorly suited
for court, but stating your view of the world is a perfectly
acceptable and - in this case - a probably helpful thing to do.

Jack


----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Tuesday, March 16, 2004 3:44 AM
Subject: [ISN] Symantec: Boom Times For Hackers


http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171

By Gregg Keizer
TechWeb News
March 15, 2004

Symantec Corp.'s twice-annual Internet Security Threat Report
paints a menacing picture, one that security professionals know all
too well.


-=-


Forwarded from: Julie Ryan <jjchryan () gwu edu>

You are not alone, Mark.  There is an undercurrent of dissatisfaction
with the data available for characterizing the problem space in
security.  At least one article has been written on this issue, the
citation for which follows:

Ryan, Julie J.C.H. and Theresa I. Jefferson. "The Use, Misuse and
Abuse of Statistics in Information Security Research," Proceedings of
the 2003 ASEM National Conference, St. Louis, MO.

The problems inherent in the data not only include a lack of
similarity and cross-referencing, but also some subtle and some
not-so-subtle problems in some of the research processes.  For
example, the CSI/FBI survey has long included a disclaimer that the
data is not scientifically collected.  There are significant issues
with item and content level validity as well as in responder biases
and conflicts of interest that need to be addressed before any data is
interpreted.  That has not, however, stopped a whole generation of
students, journalists, and government officials from (mis)quoting from
the reports as if it were the truth from on-high.


On Mar 18, 2004, at 3:29 AM, InfoSec News wrote:

Forwarded from: Mark Bernard <mbernard () nbnet nb ca>

Dear Associates,

I am not sure if I am the only one here that is concerned about this
fact or not, so here it goes. Isn't it at cross purposes, perhaps
even an ethical question, that a report like this was created by a
company that sells the stuff to prevent all this bad stuff from
happening to you? Why has no one ever suggested this before? It
seems like a logical conclusion.

For me, independent sources, even if only in appearance, would help
to validate this information, adding credibility and trust.

It appears that each and every group from Symantec to PWC, E & Y and
CSI/FBI has a different story to tell, and it's difficult to tell
which one is correct because none of them support each other.

Regards,
Mark.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.