lists.openwall.net - Open Source and information security mailing list archives
Date: Sun, 24 Dec 2006 13:54:47 +0100
From: Michael Zimmermann <zim@...aa.de>
To: KT <ktriv3di@....com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: comparing information security to other industries

On Tuesday, 19.12.2006, 12:16 -0800, KT wrote:
> How do we compare to other industries like construction, engineering,
> finance? What I am trying to figure out is how mature we are and how
> long will it take for it to get stable?

Mature? Are you kidding?

Computer security is still mainly only changing pampers after each incident. That's because the common systems (software/hardware/social) are not built for security but for money or fame. All the other industries you have mentioned have established procedures, rules and laws for how to build their products and verify their quality. The computer industry hasn't.

Just imagine a construction company that sells its houses only to people who sign a legally binding contract that they accept the house "as it is", without any guarantee that it is possible to live in it. If the house collapses on top of you and your family, you are eligible to get the money back - and no more.

If burglars celebrate parties in the house while you are at the office, because it is well known that the back-door keys are identical in all houses of that construction company and key duplicates can be found wherever you find two homeless people having a chat, you are told to buy a separate product called "SecuyKeys" (which costs at least 20% of the original price of the house).

You are not allowed to take the wallpaper off the wall and look behind it to see how the house is constructed, and you get sued when you publish these so-called "vulnerabilities" (which are in effect only the results of incomplete, greedy and careless construction work).

Just because companies are making money with computer security doesn't make it an "industry".

Why not answer two questions for yourself:

a) Are the computer systems at large nowadays more secure than - say - ten years ago?
b) How much more money is spent on computer security since then?

The answers point directly to the net effect of what you call an "industry". And we - the IT people - are responsible.

Greetings
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/