[fw-wiz] Security dumming down - the king's clothes

From: Roger Marquis (marquis_at_roble.com)
Date: 12/11/03

  • Next message: Northrup, Tyler: "[fw-wiz] Checkpoint to Cisco - Hardware VPN works, software doesn't"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 11 Dec 2003 14:09:45 -0800 (PST)
    
    

    Anyone in the news media know why this critical security story was
    de-indexed so quickly?

     Internet worms and critical infrastructure, Bruce Schneier
     <http://news.com.com/2010-7343-5117862.html?tag=nefd_gutspro>

    It's a detailed examination of the correlation between MSBlast and
    the Aug. 14 power blackout. Recommended reading. However, despite
    being published on Dec. 9, it is no longer included in Cnet's front
    page index or their security index, which goes back to Nov. 25.

    Would it be paranoid to associate this with @Stake's dismissal of
    Dan Geer after voicing his personal opinion of this same vendor's
    security and the short shrift major news outlets gave that?

    These correlations were further supported a couple of weeks ago at
    Stanford's Cyber Security Conference where all speakers went to
    great lengths to avoid criticizing the vendor in question.

    All of which makes me wonder about an article by Fred Avolio in
    September's Information Security Magazine.
    <http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss81_art179,00.html>
    It was, on the surface, an attempt to make a distinction between
    "stateful inspection" and "application intelligence", but anyone
    who knows Fred can see that the story was dumbed down to such an
    absurd degree that it makes no sense at all, except perhaps to a
    marketing or rhetoric PhD. It should be noted that Information
    Security Magazine rarely covers anything other than products which
    run under operating systems written by the vendor in question and
    that they rarely say anything negative about anything.

    The common thread is the amazing degree to which cyber security is
    being dumbed-down whenever it applies to this one particular vendor.
    Perhaps the most damaging example of this is our own government's
    failure to even identify the vendor as the source of its worst
    infrastructure vulnerabilities and the cause of nearly every
    documented security breach.
    <http://govtsecurity.securitysolutions.com/ar/security_think_tank_gives/>.

    The logical outcome of this collective failure to recognize the
    king has no clothes will, I fear, be as bad for information security
    as it was for the airlines on 9/11/01.

    -- 
    Roger Marquis
    Roble Systems Consulting
    http://www.roble.com/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
