2005-06-21
Interview with Marcus Ranum
2005-06-22
some guy in Central PA (1 replies)
Interview with Marcus Ranum
2005-06-22
Anonymous (1 replies)
Re: Interview with Marcus Ranum
2005-06-22
Marcus Ranum (2 replies)
Re: Re: Interview with Marcus Ranum
2005-06-22
Anonymous (1 replies)
Interview with Marcus Ranum
2005-06-22
Tails (2 replies)
Re: Interview with Marcus Ranum
2005-06-22
Marcus Ranum (7 replies)
What A Total Jackass
2005-06-22
Anonymous (1 replies)
Interview with Marcus Ranum
2005-06-24
Anonymous (2 replies)

Blame does not mean you have the power to fix things. :(
In other contexts I've pointed out that CTOs have (for the last 10 years or so) ignored their responsibilities to build secure robust networks. What about that is NOT under the purview of a competent CTO? CTOs need to be held accountable by senior management (CEO/board of directors) and terminated if they aren't competent. In my opinion a CTO that fields a wireless deployment because they read a bunch of press releases about how keeewl it is and never looked at security - is incompetent. A lot of IT managers in the federal sector are (again, my opinion) professionally negligent in how they have ignored security. All of these clowns need to be given pink slips.
Vendors need to be held accountable to standards of excellence but it's the customer who can do the most to change the current situation. They control the money. Don't buy crap - defer your payments until the vendors give you satisfactory answers. The free market will help correct the situation that way.
Vendors also need to be held liable if they make inaccurate claims. There are already legal constructs in place for doing so but they are not being employed. For example, I think it's ludicrous that Microsoft has flash-screens during the Windows XP install that claim "now you can access the internet fast and securely..." What? The FTC should fine them for making such a ridiculous claim. Again, this is an area where the customers hold (but aren't exercising) the power. Customers could make a huge difference very quickly if they stopped buying products that had EULAs that absolve the vendor of all responsibility for poor quality.
So - if the hackers are the least likely to fix the problem, then the people who are the most likely to be able to fix it are the customers. They have the money, after all, and the vendors are fundamentally answerable to their wishes. That's the only place where a revolution could start that might make an improvement - but I've seen zero trace of clue emerging in the customer community - they're still busy sucking down the marketing and buying based on hype.
mjr.
Link to this comment: http://www.securityfocus.com/comments/columns/334/32034#32034