Date: Thu Apr 27 15:17:48 2006
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Should I Be Worried?

Sol Invictus wrote:

> And THAT my friends is why it IS so hard!  People know that if it's
> only one person that knows about it, sooner or later they will shut up
> and move on.  If you're gonna watch your stuff anyway, why not contact
> the credit bureaus and put an alert on your file and then go FD!
>
> In the words of our forefathers, "United we Stand!  Divided we fall!"
>
> Thank you for being one of the sheep that makes the rest of our jobs
> harder.
>
>
Not everyone's cut out for that kind of responsibility.  People have 
different considerations and things that drive them. 

The reason it's so hard is not for lack of talking but rather for lack 
of caring.  Having worked in both the educational and corporate world I 
can say, beyond a shadow of a doubt, that what we say here doesn't 
really reach them for the most part.  It reaches software producers, 
yes... and that was my original point.  Appointment jobs are CYA jobs
and band-aids are better than fixes in those situations.

The best way to effect that kind of change is to change the corporate
culture -- which is a lot harder than it looks.

Many certified security professionals are taught that risk management is 
all about cost versus loss.  It's like in fight club... it's the 
formula.  a + b + c == x.  If x is less than the cost of combined losses 
then companies don't fix it because it's counterproductive.   It's 
roughly the same in organizations like universities only sometimes worse 
because there are all manner of divisions of labor and decisions made 
and deals appropriated that are there just for internal politics and job 
security for certain individuals. 

What has to be considered is the fact that cost, in this case, is from 
the side of the institution.  My bank account, for instance, means a lot 
more to me than it does to my bank.  To my bank, I'm a very small 
percentage of the funds they hold.  To me, my bank account is my ability 
to pay my rent this month. 

The whole situation won't change until the corporate culture changes to 
stop being selfish and start considering the interests of the customer.  
And we're a long way away from that happening, unfortunately.

             -bkfsec

p.s.  I understand what you're saying, though... that our voices 
increase the combined cost to the organization driving them harder to 
fix things... this is true... but many organizations will just try to 
shift those costs back to you through legal means.  We have to pick and 
choose our battles. 
