Politech mailing list archives

FC: Two depressing views on the state of information security


From: Declan McCullagh <declan () well com>
Date: Tue, 21 May 2002 10:14:25 -0400


---

Date: Tue, 21 May 2002 09:42:58 -0400
Subject: Response to State of Security Comments
From: Richard Forno <rforno () infowarrior org>
Organization: www.infowarrior.org

Jay Dyson is a friend of mine and a fantastic technology security
professional. Recently he posted a note to various security lists expressing
his frustration with the state of internet security affairs, and I've got to
say that I agree completely with his observations.

Jay's original comments will be followed by my response that was sent to
ISN.   We should be mindful of his comments - and seriously consider how
much of a difference we in the security profession are really making in the
'big picture' of technology security.

Cheers from DC,

Rick Forno
infowarrior.org


From: Jay Dyson  05/20/02

>> I see that you signed off the ISN list, and I am VERY curious why?
>
> Look over the last four years.  In all that time on this and every
> other security list, what difference has been made in railing against the
> FUD, waste and general idiocy of the commercial and government sector with
> respect to computer and network [in]security?  The answer: none.
>
> DMCA passed, SSSCA is coming, and it's just going to get worse
> from there.  You think the government or the industry gives a rat's ass
> about what a bunch of open-source advocates think?  Guess again.  We've
> been marginalized for decades, criminalized for years, and all the days
> that have been used fighting against it have been a waste.  A pure,
> fucking, unadulterated waste.
>
> Given enough time and discouragement, anyone can see when it's time
> to stop fighting the tide and get the fuck off the beach.  I've reached
> just that time.
>
> And you can quote me on that.
>
> - -Jay



From: Richard Forno   05/21/02

I've got to agree with Jay here. This is one reason why I got out of the
'hands-on' product-oriented (or 'operational' side of the) security business
-- I found it to be a stressful, frustrating and ultimately unrewarding
area. We'd go in, effect changes, draft policy, etc, etc, etc. and the
client would still do whatever they wanted. Further, as a former CISO,
trying to get security implemented at the executive levels was like pulling
teeth from a rabid rhinoceros.

The industry and government talks about the need for increased computer
security measures and spending, yet nearly everything implemented is for
future threats and long-term projects (eg, college training in security),
instead of spending on actions that will deal with the known
exploits/problems of the HERE and NOW. When they DO discuss industry-wide
security strategies (such as the just-announced, high-priced membership in
the Secure Software Engineering initiative at CMU, or the equally-priced
Internet Security Alliance) it's only done with the best interests of large
companies in mind - those with deep financial resources - despite what is
said to the public. Little security firms, the open source community, and
those who actually have a clue about security are often left in the dust.
The goal is to consolidate the knowledge of security issues in the hands of
the controlling minority, and enact a culture of 'security through
obscurity' -- indeed, operating under the Orwellian premise "your ignorance
is our power."

Nobody wants to talk about implementing REAL information systems security,
since doing so would mean someone has to accept responsibility for the
current state of affairs, plus it means rocking the status quo boat to
implement needed change. In Washington - in America, for that matter -
neither of these actions is held in high regard. It seems that (unlike
in Truman's days) passing the buck and following the collective groupthink
(despite the negative consequences) is the American Way. The People don't
rule, the Sheeple do.

DMCA, SSSCA, CBDTPA, and other looney laws (real and proposed) further
demonstrate that only those with campaign dollars have any influence in
designing effective technology law. In the case of CBDTPA, Hollywood
(averaging about $15B/year or so) wants to rewrite the $500 billion/year
technology business just to save their failing and outdated industrial-age
business models. The result is a legal clusterfsck, which makes the lawyers
happy, and alienates the majority of law-abiding net users, treating us all
as potential criminals (soon to be indentured corporate servants) instead of
valuable customers. Until folks of the "Net Generation" - my contemporaries
of GenX and later who are comfortable with technology and the Information
Age - move into national corporate and elected leadership positions,
enacting technology policy balanced for all sides will continue to be
biased heavily toward the profiteering interests of special interest groups
and Industrial Age cartels.

Until this colossal demonstration of national and social cognitive
dissonance is remedied, Jay's comments are correct - we're in a
"Matrix"-esque world where FUD, illusion, deception, and consolidated
entities (government and commercial) have most of the power in the
technology world. Unfortunately, few in any position of national influence
want to take the "Red Pill" and see exactly how fscked-up things really are
in the technology society, being content to swallow the vendor-provided
"Blue Pills" showing a narrow (but corporate-centric) view of the technology
society and its associated problems.

Anyone who's read my column @ Securityfocus or Infowarrior.org will see I've
been saying this for years.

Thus, I fear we'll continue seeing increased frustration by the security and
IT communities, more goofy laws and lobbying, and an endless series of
worms, virii, trojans, exploits, buffer overflows, snake-oil security
solutions, FUD, and more, particularly since nobody cares about holding
vendors financially, criminally, or civilly accountable for their products
and their many recurring 'features' that plague the wired world.

In the meantime, to kick-off your hiatus, hoist a triple-shot latte for me,
Jay - and have fun!!!!

Rick
infowarrior.org




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------