Date: Sun, 24 Dec 2006 13:54:47 +0100
From: Michael Zimmermann <zim@...aa.de>
To: KT <ktriv3di@....com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: comparing information security to other industries

On Tuesday, 19.12.2006, 12:16 -0800, KT wrote:
> How do we compare to other industries like construction, engineering,
> finance? What I am trying to figure out is how mature we are and how
> long will it take to get stable?


Mature? Are you kidding? Computer security is still mainly only
changing pampers after each incident.

That's because the common systems (software/hardware/social) are not
built for security but for money or fame.


All other industries you have mentioned have established
procedures, rules and laws on how to build their products and verify
the quality. The computer industry hasn't.

Just imagine a construction company that sells its houses only
to people who sign a legally binding contract that they accept
the house "as it is", without any guarantee that it is possible to
live in it. If the house breaks down over you and your family,
you are eligible to get the money back - and no more. If burglars
celebrate parties in the house while you are at the office,
because it is well known that the backdoor keys are identical
in all houses of that construction company and key duplicates
can be found wherever you find two homeless people having a chat,
you are told to buy a separate product called "SecuyKeys"
(which costs at least 20% of the original price of the house).

You are not allowed to take the wallpaper off the wall and
look behind it to see how the house is constructed, and you get sued
when you publish these so-called "vulnerabilities" (which are
in effect only the results of incomplete, greedy and careless
construction work).


Just because companies are making money with computer
security doesn't make it an "industry".

Why not answer two questions for yourself:

a) Are the computer systems at large nowadays more secure than
   - say - ten years ago?
b) How much more money has been spent on computer security since then?


The answers point directly to the net effect of what you call
an "industry".


And we - the IT people - are responsible.


Greetings
Michael

