Open Source and information security mailing list archives
Message-ID: <FEFA4C14-B138-11D6-90F3-000393779ABA@sackheads.org>
From: cerebus at sackheads.org (Timothy J.Miller)
Subject: (no subject)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday, August 16, 2002, at 10:24 AM, Matthew Murphy wrote:

> We must direct our anger towards these losers at these losers. Anything
> else is an attack against our own values. While they claim to be hackers,
> their method of attack shows them to be nothing more than spoiled children.
> You can either fight them or give up, there's not an inch of middle ground.
> Are you up for it?

In some ways, I understand their ire. There are, within the "security
industry" (whatever that means) people who-- intentionally or
unintentionally-- sell their customers short. The people create a false
aura of security wherever they pass, and are unwilling or incapable of
expanding their capabilities. Scanning a network doesn't make it secure,
but we've all run into people who think it does-- including people who
should know better.

I've long advocated (and tried to design) systems (not just hardware, but
software and business practices) that *fail well*. Systems designed not to
be unbreakable-- a fool's pursuit, to be sure-- but to contain the
inevitable breach. Systems that fail in known modes, so that the
consequences of an intrusion are known ahead of time, and steps can be
taken based on that knowledge. Systems that don't eliminate risk, but
manage risk.

Unfortunately, most customers aren't interested because systems like this
are expensive. They're hard to design, hard to build, hard to maintain,
and require profound knowledge of the components and the activities that
use them. It's a hard sell, especially when those less educated
self-labeled experts (and vendors) are pushing silver bullets in the form
of yet another certification, yet another scanner, yet another training
course.

I could be wrong, but I see the current upwelling of vitriol directed at
these people. They are truly living off the labor of others, and providing
little of use to anyone, including their customers.

But they're not everyone.

- -- 
Cerebus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (Darwin)
Comment: For info see http://www.gnupg.org

iD8DBQE9XS6WFdr5Tz1ZWt4RAterAJ0U1ScYsrerPpgpEkskGPB5ke3DAgCfVILc
IoFOjnYDglRW3xk8dkYxtzQ=
=AoN7
-----END PGP SIGNATURE-----