I'm not paid as well as you might think, but I do security consulting. Unlike your statement, I -do- care about the real vulnerabilities, but unfortunately, those making purchasing and policy decisions for our companies and government are still inside-the-box, conventional thinkers, no matter how much objective advice and hard evidence we provide them. The truth about the REAL vulnerabilities means rocking the boat - and these folks rarely want their boats rocked!

You're right - the majority of people think alike, and inside the box. They also use inferior operating systems and applications, coupled with webmin-type interfaces to make it easier for them to have the untrained monkeys do webserver admin work. Coupled with bad security practices, it's a disaster waiting to happen no doubt. But that doesn't give someone carte blanche to go banging around/against a company's networks to try and find a way in for kicks and grins, either.

Script kiddies are not a major security THREAT in my opinion, and I certainly don't go around proclaiming 'billions of dollars' in damage from some lamer's attempt to cause electronic annoyances on the network be it Code Red, Nimda, or Iloveyou..... nor do I put much danger on them in my approach to security. Those figures, from Computer Economics or whoever, IMO, are sensational, first-rate FUD and should be taken with a BIIIIG grain of salt.

Oh, yes.....I'm glad that you're not me either. I'm fine just the way I am. :)


[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/70/11645#11645