lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 20 Dec 2006 10:41:38 +0100
From: Albert <caruabertu@...il.com>
To: coderman@...il.com
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: comparing information security to other
	industries -

my mileage differs.

Far east competition using quality engineering and giving >2 years
guarantees around the 1980s made the crucial difference, not the
intervening >120  years since the invention of the modern car engines
OTTO DIESEL and WANKEL.

cf.: http://en.wikipedia.org/wiki/Timeline_of_motor_and_engine_technology

In 1973 most cars sold were as buggy as software is today.
New models suffered from design faults, poor choice of materials and
mass recalls were the order of the day.

20 years is thus more like the time needed for the complex machinery
to be made reliable, given the right legal penalties and consumer
pressures.


p.s. Nowadays, cars have not one but several processors and computers
inside these days - and are still reliable and resilient, easy to use
etc...

regards
Albert

|-----Original Message-----
|From: coderman [mailto:coderman@...il.com]
|Sent: 19 December 2006 23:10
|To: Valdis.Kletnieks@...edu
|Cc: KT; full-disclosure@...ts.grok.org.uk; websecurity@...appsec.org
|Subject: [WEB SECURITY] comparing information security to other industries -
|
|On 12/19/06, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
|> On Tue, 19 Dec 2006 12:16:29 PST, KT said:
|> > So we have been dealing with information security from
|last 20 years
|
|i'd argue this is closer to 40 years than 20. [0]
|
|
|> 20 years after the first automobile, we'd gotten as far as a Model A
|> or T or so.
|
|1885 [1] to 1965 [2] for decent auto security.  80 years?  add
|10 years if you consider air bags the requisite threshold.
|
|
|> (Incidentally, the fact that we still have a lot of security issues
|> isn't actually a software problem, so much as an innate lack
|of tools
|> to help humans understand *any* complex system, be it
|software, or the
|> economy, or global climate, or....)
|
|i argue that the vast majority of insecure computing problems
|are indeed software problems, in the sense that proper
|software design and development would fix them.  consider the
|automobile theme, where a wheel, some pedals, and a few
|signalling levers allow you to operate a vehicle with more
|computers and technology than space faring vehicles from a
|mere 30 years past.  these machines are usable and secure,
|despite their mind boggling technological complexity brought
|about over a hundred years of evolutionary and radical improvement.
|
|let's side step the economics and inertia of existing software
|/ IT practice and look at a future utopia for sake of argument:
|
|A: usability is requirement #1 for security [3].  is
|configuring that IPsec IKE/ISAKMP key distribution and re-key
|policy iPod (tm) simple?
|how about generating PKI infrastructure for those OpenVPN connections?
| "security" products are so ridiculously complicated it's a
|wonder anyone is able to use them.  for a good laugh, write
|down the steps required to configure full disk encryption and
|a strong VPN from your laptop to a server. LOL, ROFFLE, etc.
|
|B: capability based computing is the norm, as identity based
|access control is fundamentally flawed [4].  if you've only
|heard of capability based security in passing, consider this
|an underscore of the systemic and pervasive nature of our
|willful ignorance of good practice.
|
|C: consumers can recognize and compare the merits of security
|built into systems they use, with producers willing and able
|to emphasize security considerations during design,
|implementation, testing, and support/integration phases of
|production and life cycle [5].
|
|99.5% of existing problems disappear in such a world, leaving
|mostly insider fraud to be addressed via process and policy.
|we can get there, but it ain't gonna happen soon...
|
|
|0. "Capability-Based Computer Systems - Chap. 3 Early
|Capability Architectures"
|    http://www.cs.washington.edu/homes/levy/capabook/
|    [ref: Dennis and Van Horn @ MIT using Capabilities to
|describe secure composition in 1966]
|
|1. "History of the Automobile"
|    http://en.wikipedia.org/wiki/History_of_the_automobile
|
|2. "Unsafe at Any Speed"
|    http://en.wikipedia.org/wiki/Unsafe_at_Any_Speed
|
|3. "Secure Interaction Design"
|    http://www.ischool.berkeley.edu/~ping/sid/
|
|4. "Capability Security Model"
|    http://c2.com/cgi/wiki?CapabilitySecurityModel
|
|5. "Build Security In"
|    https://buildsecurityin.us-cert.gov/
|
|---------------------------------------------------------------
|-------------
|The Web Security Mailing List:
|http://www.webappsec.org/lists/websecurity/
|
|The Web Security Mailing List Archives:
|http://www.webappsec.org/lists/websecurity/archive/
|http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
|
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists