Message-ID: <Pine.GSO.4.58.0508181449030.12190@kungfunix.net>
Date: Thu Aug 18 19:51:39 2005
From: sil at infiltrated.net (J. Oquendo)
Subject: Re: Not telling enough - ethics/shmethics
On Thu, 18 Aug 2005, DAN MORRILL wrote:
> Good afternoon folks,
>
> You know I find this interesting in that we are stating ethics, and this is
> something that is important to the information security community at large.
> So whose ethics do we apply? If I were to follow the CISSP code of ethics, in
> that consorting with non-professionals would mean that I could not teach
> information security in college (which I do), nor could I teach what I know
> to developers or programmers or others who are not information security
> professionals (which I do) to help them develop better products. One of the
> reasons why I don't have a CISSP is because of that clause in the code of
> ethics; I would violate it right and left every time I got in front of a
> classroom.
One of the issues I see with certifications nowadays is that, in this
industry, once upon a millennium ago it was an honor to have a cert in
something, whereas nowadays you can have any Joe Shmoe memorize a book and
get a cert. For that matter, sell them in bubble gum machines and call it a
day.
Many of the "certs" nowadays seem to have slowly tailored their prereqs
towards industry crybabies (Cisco, MS, Oracle, Symantec). Far too many in
my opinion have lost sight of the fundamentals and have started focusing
far too deeply on "Who will be my gold/platinum sponsor".
> So what we need is a universal code of ethics that everyone could agree on
> (herding cats by the way can be entertaining). So how ethical was it for
> someone to post anon about msdss.dll this morning and how many people did
> they put at risk (even if it took someone 6 months to do something, heck
> Oracle has taken over 2 years to fix a security issue, very few whine about
> them).
Universal codes are meant to be broken, that is just life. Everything
under the sun is made to be broken. What applies in one place might
destabilize something some place else. So who is to set standards?
Governments? So they can custom tailor things to their own will? Like
ECHELON used to snoop and steal contracts?
> We need to do that more often, and stop slamming on each other, and start
> setting real standards that can be directly applied, much like doctors,
> lawyers, nurses. We have the same ability to ruin other people's lives as
> any doctor, lawyer or nurse. We need accountability against those standards,
> much like any other profession.
The problem with this is, again, who should you trust? Vendors should be
held accountable for not patching their shoddy programs up properly. Look
at the now-becoming-boring case of Lynn and Cisco. Lynn was punished. Know
what? If Cisco had this information for years now and didn't do squat, how
come no one is investigating them and fining them for every day their
holes aren't patched?
> so what are "we" going to do about it?
Roll over and cry you spilled your milk.
Far too many companies are more concerned with appeasing their investors
to bother dealing with real issues. Microsoft walks all over governments
with their practices, Cisco just joined the "Buy a politician" club
obviously, so who do you look to? Obviously mentioning the government (any
government) is likely to throw another gov into a panic, so in reality
there is little to be done. Invest in one of these seedy security
companies, make some cash off of others' misery. That's what you can do
about it.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
"To conquer the enemy without resorting to war is the most
desirable. The highest form of generalship is to conquer
the enemy by strategy." - Sun Tzu