2003-11-26
Linux vendors spend money building security bug fixes. How much longer will they give them away for free?
Comments on this column:
Ending the Free Lunch, 2003-11-26, Anonymous (1 reply)
Lots of points missed..., 2003-11-26, Penguinisto (2 replies)
Ending the Free Lunch, 2003-11-27, Anonymous (2 replies)
Missed the point quite a bit, 2003-11-28, Anonymous (1 reply)
If I paid you Hal, if I paid YOU, would you stop writing such asinine articles?, 2003-11-29, Edward W. Ray

Then again, why wouldn't it be representative?
Meaning, a good 99% of what passes for a "security community" is a bunch of con artists who go around trying to scare businesses with bogeymen so the businesses will dump cash on them.
As in the last big DDoS attacks. Numbers in the billions were being tossed around for "damages." Whose butt were those pulled from?
And if it's that damaging to have your website down for X number of hours because some 13 year old downloaded a root kit, why don't we see damage estimates like that in lawsuits against MS? I've lost count of the number of times I've had an attempt to place an online order fail because some MS error pops up on the screen (I've seen tons of 'ODBE' something or others lately... MS errors interrupt more of my online ordering than *any* script kiddie ever has).
Must be great to go to a business, screech "you'll lose 100 BILLION DOLLARS... unless you buy my product!" then have them dump cash on you. What a great job!
I'm not surprised at the "security community" being hostile to the idea that software is being commoditized. Nor that they're hostile to the FS/OSS world where you can actually see the code, fix it yourself, verify whether something really *is* secure (rather than relying on the word of a marketing dweeb), or obtain patches for *gasp* free!
(The HORROR!)
What will the "security" people do all day? They can't actually do *security* since 99.999% of the *real* issues are caused by management. Most security problems are internal. Most of the really damaging attacks come from the inside. Most real "hacks" are done via social engineering.
Meaning a *real* security "consultant" would have to tell the CEO that the biggest problem with security is *him.*
As in, don't pee in the faces of your employees. They won't have any stake in protecting your assets.
Don't destroy morale. Disgruntled, angry employees are more likely to cause you damage than anybody.
Don't lay off the people who have the most experience to boost your "bottom line" and give yourself a bonus the size of Detroit. You'll end up with 12 year olds running your IT department.
Don't promote your brother-in-law to run the security department. He only figured out last week that you have to pick up the mouse and move it back the other way on the pad if you want to go further across the screen.
Don't think that putting a password on everything is "security." You've got so many passwords now, your employees can't remember all the ones they need to get their work done so every password in your system is on a sticky note where anybody who gets a janitor job can see them.
And so on.
(By the way, that latter one is from a case I *know of* personally which, for obvious reasons, I can't talk specifics about. But the attack was done by some folks getting jobs with the out-sourced janitorial staff. No "technology" other than a few mops was involved and no "technology" would have stopped the intrusion.)
I mean, who's going to pay the "security consultant" to say things like that?
So, yeah, they have to attack the FS/OSS world. If the cost of doing security is reduced to no more than buying a few O'Reilly books, the "security" folk won't be able to afford that new BMW...
Link to this comment: http://www.securityfocus.com/comments/columns/200/23950#23950