Date: Fri Aug 19 13:18:09 2005
From: jftucker at gmail.com (James Tucker)
Subject: Re: Not telling enough - ethics/shmethics


> One of the issues I see with certifications nowadays is that, in this
> industry, once upon a millennium ago it was honor to have a cert in
> something whereas nowadays you can have any Joe Shmoe memorize a book and
> get a cert. For that matter sell them in bubble gum machines and call it a
> day.
> 
> Many of the "certs" nowadays seemed to have slowly tailored their prereqs
> towards industry crybabies (Cisco, MS, Oracle, Symantec). Far too many in
> my opinion have lost sight of the fundamentals and have started focusing
> far too deeply on "Who will be my gold/platinum sponsor".

This is common of almost all education systems, and is a product of humans 
rarely wanting to truly understand what's going on. The first learners 
to pass certs and other education systems with flying colours are only 
those who truly understand. Later on, the teaching becomes increasingly 
sophisticated (with regard to the bell curve, and thus the bottom line 
too) at generating passing students. These students don't need 
understanding (or at least, they think so) and as such simple habitual 
memorisation can be sufficient to pass. As I said, this is common of 
most education systems as we're all lazy cheats. READ: Culture issue.

>>So what we need is a universal code of ethics that everyone could agree on
>>(herding cats by the way can be entertaining). So how ethical was it for
>>someone to post anon about msdss.dll this morning and how many people did
>>they put at risk (even if it took someone 6 months to do something, heck
>>Oracle has taken over 2 years to fix a security issue, very few whine about
>>them).
> 
> 
> Universal codes are meant to be broken, that is just life. Everything
> under the sun is made to be broken. What applies in one place might
> destabilize something some place else. So who is to set standards?
> Governments? So they can custom tailor things to their own will? Like
> ECHELON used to snoop and steal contracts?

The standards will always be hard to set; this environment is too 
dynamic. There is no substitute for experience as always, and the truest 
test is putting someone on the spot and getting them to solve a problem 
which they have never seen before.

>>We need to do that more often, and stop slamming on each other, and start
>>setting real standards that can be directly applied, much like doctors,
>>lawyers, nurses. We have the same ability to ruin other people's lives as
>>any doctor, lawyer or nurse. We need accountability against those standards,
>>much like any other profession.
> 
> 
> Problem with this is, is again, who should you trust? Vendors should be
> held accountable for not patching their shoddy programs up properly. Look
> at the now-becoming-boring case of Lynn and Cisco. Lynn was punished. Know
> what? If Cisco had this information for years now, didn't do squat, how
> come no one is investigating them and fining them for every day their
> holes aren't patched.

With regard to certifications for individuals, we understand the 
problems there. With regard to getting vendors to act the way the 
industry wants (READ: train them), they will need some kind of reward. 
Set up a non-profit organisation relating to information handling with 
regard to infosec and, if you like, other business factors. Certifications 
can be granted to businesses, and an organisation of this manner will 
gain weight in the industry if it is built properly and is allowed to grow.

>>so what are "we" going to do about it?

Find some people who will be listened to, to start the above.


> Roll over and cry you spilled your milk.
> 
> Far too many companies are more concerned with appeasing their investors
> to bother dealing with real issues. Microsoft walks all over governments
> with their practices, Cisco just joined the "Buy a politician" club
> obviously, so who do you look to. Obviously mentioning the government (any
> government) is likely to throw another gov into a panic so in reality
> there is little to be done. Invest in one of these seedy security
> companies, make some cash off of others' misery. That's what you can do
> about it.

The right people.
