Re: [Full-disclosure] Off topic rant to my friends

From: Steve Kudlak (chromazine_at_sbcglobal.net)
Date: 06/09/05

  • Next message: ZATAZ Audits: "[Full-disclosure] xmysqladmin insecure temporary file creation"
    Date: Thu, 09 Jun 2005 01:38:14 -0700
    To: "J.A. Terranson" <measl@mfn.org>
    
    
    

    I dunno if this is any worse than the many, many replies one sees to
    some hot topic about Microsoft and stuff like that. Overall, every time I
    went to a security conference users got insulted. They were stupid, they
    fell for things hook, line and sinker, etc. etc. etc. Of course sometimes
    the "professionals" never mentioned that the poor users are bombarded by
    a bunch of directives that are not explained and are hard to follow and
    seem like another stupid directive handed down from on high that asks
    them to do something difficult without explaining how, for example how
    to pick passwords that are not in the dictionary. The take-a-phrase-and-
    take-the-first-letter technique is something that does not intuitively
    spring to mind for everyone. It took a lecture to explain that "F*CK
    SUSAN and BOB" were not good passwords. N.B. I have been around for
    a while, and on the old TOPS-20 systems passwords were not initially
    encrypted. So it was easy to find actual passwords and tell people not
    to use those. Now things are encrypted and all that, but still a
    weak password doesn't work, and other small things that people could do to
    be just reasonably careful they don't. Dunno how much verbiage to waste
    on random issues.

    Have Fun,
    Sends Steve

    I read the article and it was interesting. I don't quite know how much
    of it to believe. It is clear some people are up to something
    questionable. Whether it fits the model the authors have of a well
    coordinated effort to deliver services to organized crime may be a bit
    much on the conspiracy side for me to swallow. Security experts often
    miss that they use FUD without knowing it.

    But it is still wise to be careful, because there are people who don't realise
    one's machine might be for something important and not just a plaything
    for others to mess with and ruin if they had a bad day or wanted to play
    weird "process war games".

    Have Fun,
    Sends Steve

    J.A. Terranson wrote:

    >You don't have a blogspot account you could have posted this to?
    >
    >
    >On Sun, 5 Jun 2005, Randall M wrote:
    >
    >
    >
    >>Date: Sun, 5 Jun 2005 10:32:20 -0500
    >>From: Randall M <randallm@fidmail.com>
    >>To: full-disclosure@lists.grok.org.uk
    >>Subject: [Full-disclosure] Off topic rant to my friends
    >>
    >>Sorry to rant to this list. This list though has the only people on it who
    >>totally understand this ranting.
    >>
    >>Every morning before heading for work I read all my security alert emails
    >>and website collections about possible Trojans, worms and viruses found.
    >>Being a faithful worker I do this on the Weekends too.
    >>
    >>Once at work I check my web appliances, gateway, Exchange boxes and data
    >>servers for dat updates and check log files. I spend the first two-three
    >>hours of my work day doing this every day.
    >>
    >>Why do I do this? I do it to protect my company's investment. To ensure that
    >>the employees have a job that day. To make sure that customers will have on
    >>time delivery and so new customers can make orders, etc., etc.
    >>
    >>Today I read this article:
    >>http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K0000614
    >>
    >>For some reason, maybe the coffee, I sat there thinking what the hell am I
    >>doing all this for? Am I being paid by my company to set up and protect only
    >>for some future use as a botnet for some organized crime boss!!
    >>
    >>I continually spend time, money and research on ways to protect. All of my
    >>mechanisms I use are actually as helpless as I am!! It's the blind leading
    >>the blind!!
    >>
    >>Then, like a message from God, a memory of a phone call from one of our
    >>users came to me:
    >>
    >>"Hey, I received this email about my account being suspended for security
    >>reasons, I immediately deleted it but just wanted to let you know".
    >>
    >>My small employee awareness program was slowly paying off. A year ago that
    >>same phone call would have been the "I think I did something bad" type. I
    >>now realize that my investments and my time have been spent MORE in the
    >>wrong place. I'm turning that around and heading back to the user. They are
    >>MY PROACTIVE, PREEMPTIVE protection!! I am no longer depending on the
    >>Anti-Virus dats or the front-end Appliances or the Gateways because a simple
    >>"Click" by the user makes them all useless. And it looks as though I can't
    >>depend on them to keep that "click" opportunity from the user.
    >>
    >>Praise be to God for the User! They are powerful! They are trainable! They
    >>are my BEST defense!
    >>
    >>There. I feel better now.
    >>
    >>
    >>thank you
    >>Randall M
    >>
    >>
    >>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >>Hosted and sponsored by Secunia - http://secunia.com/
    >>
    >>
    >>
    >
    >
    >

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
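Steve's point above is that hashing ("encryption") the password file stops a reader from seeing passwords but does not make a dictionary word a safe password, and that the phrase-initials trick is the easy alternative users rarely think of. The script below is an added example, not code from the original thread or from TOPS-20: it builds a constructed, salted SHA-256 "shadow file" for four made-up accounts, runs an offline dictionary attack with a tiny constructed word list and a few mangling rules, and shows that the three dictionary-derived passwords fall while the phrase-initials one does not. The word list, account names, passwords and hash construction are all assumptions for illustration.

```python
"""Offline dictionary attack against a constructed, salted password file,
next to the phrase-initials technique. Constructed example: the word list,
accounts and the salted SHA-256 hash are assumptions, not anything from the
original thread or from TOPS-20."""
import hashlib
import os

# Constructed word list. A real attack uses a large dictionary plus far
# more mangling rules; the point is only that the candidate space is small.
WORDLIST = ["susan", "bob", "password", "letmein", "dragon", "monkey", "secret"]


def phrase_initials(phrase):
    """Passphrase-initials technique: keep the first character of each word
    (case preserved) and any trailing punctuation, e.g.
    'Four score and seven years ago!' -> 'Fsasya!'."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


def hash_password(password, salt):
    """Salted SHA-256, standing in for whatever the system stores. Hashing
    hides the password from a casual reader of the file, but an attacker
    can still hash guesses; a slow KDF (bcrypt, scrypt, Argon2) only makes
    each guess more expensive."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_shadow(accounts):
    """Build a constructed 'shadow file': user -> (salt, digest)."""
    shadow = {}
    for user, password in accounts.items():
        salt = os.urandom(8)
        shadow[user] = (salt, hash_password(password, salt))
    return shadow


def mangle(word):
    """A few common mangling rules: case variants, appended digit or
    punctuation, and the 'a' -> '@' substitution."""
    variants = {word, word.capitalize(), word.upper()}
    for base in list(variants):
        variants.add(base + "1")
        variants.add(base + "!")
        variants.add(base.replace("a", "@"))
    return variants


def candidates():
    """Every dictionary word with every mangling rule applied."""
    for word in WORDLIST:
        for variant in mangle(word):
            yield variant


def crack(shadow):
    """For each account, hash every candidate with that account's salt and
    compare. Returns {user: recovered_password} for the accounts that fall."""
    recovered = {}
    guesses = list(candidates())
    for user, (salt, digest) in shadow.items():
        for guess in guesses:
            if hash_password(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered


def demo():
    """Constructed accounts: three dictionary-derived passwords and one
    phrase-initials password. Returns the dict of recovered passwords."""
    accounts = {
        "alice": "SUSAN",      # dictionary word, upper-cased
        "bob": "bob1",         # dictionary word plus a digit
        "carol": "P@ssword",   # leet substitution on a dictionary word
        "dave": phrase_initials("My dog ate three socks on Tuesday!"),  # "MdatsoT!"
    }
    return crack(make_shadow(accounts))


if __name__ == "__main__":
    for user, password in demo().items():
        print(f"{user}: {password}")
```

The salt defeats precomputed tables, not guessing: each account simply costs the attacker one pass over the candidate list. Swapping SHA-256 for a slow KDF raises the price per guess by orders of magnitude, which is worth doing, but a password that sits in the first few thousand candidates still falls in seconds; only a password outside the dictionary (and its mangled forms) survives.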

