Re: [fw-wiz] concerning ~el8 / project mayhem

From: Dave Piscitello (dave@corecom.com)
Date: 08/19/02


From: Dave Piscitello <dave@corecom.com>
To: firewall-wizards@honor.icsalabs.com
Date: Mon Aug 19 13:17:45 2002

Several points, but brief:

>the notion that a security person's security is an indication of how well
>they can secure others. ...

How many of us worry overly much about this? I do, or did until maybe just now.
Anyone's security is a set of interdependencies: the software they run
without the benefit of having examined every line of source, the
configurations they set that create whatever compromise an individual
determines suits his or her needs for connectedness, convenience and
security, the trust in 3rd parties providing service, etc. If we all spent
as much time reviewing code we run as those intent on breaking code, we'd
be running secure systems, save for the fact that we'd be broke and jobless.

>by holding such a high expectation, we're making our
>practitioners vulnerable to this kind of blackmail from the hackers.

The irony here is that practitioners can only try to make the best of a bad
situation - exploited code isn't the practitioner's product, but he's held
accountable for not anticipating it?

>(* not trusting the expertise of an expert you just paid a ton
>of money for is stupid by any definition I can think of...)

I've sorted through my many definitions of stupid here. There's an Andersen
Consulting joke somewhere that probably fits. But no one's laughing over
this any longer, nor is Andersen the only *** of the joke.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com

