From: Robert Redelmeier on
In c.s.i.p.h.c Robert Myers <rbmyersusa(a)gmail.com> wrote in part:
> You can find the claim in the subject line as the top-rated risk at
> http://www.csl.sri.com/users/neumann/insiderisks08.html#220
> I found that link from the useful (moderated) newsgroup comp.risks.

Are you having us on? Have a look at the context: the author (a Homeland
Security civil servant) is arguing for National Security Research and says:


While progress in any of the areas identified in previous
reports noted above would be valuable, I believe the `top ten'
list consists of the following (with short rationale included):

1.Software Assurance - poorly written software is at the root
of all of our security problems

2.Metrics - we can't measure our systems, thus we cannot manage them

3.Usable Security - information security technologies have not
been deployed because they are not easily usable

4.Identity Management - the ability to know who you're
communicating with will help eliminate many of today'
online problems, including attribution

5.Malware - today's problems continue because of a lack of
dealing with malicious software and its perpetrators

6.Insider Threat - one of the biggest threats to all sectors
that has not been adequately addressed

7.Hardware Security - today's computing systems can be improved
with new thinking about the next generation of hardware
built from the start with security in mind

8.Data Provenance - data has the most value, yet we have no
mechanisms to know what has happened to data from its inception

9.Trustworthy Systems - current systems are unable to provide
assurances of correct operation to include resiliency

10.Cyber Economics - we do not understand the economics behind
cybersecurity for either the good guy or the bad guy.


The claim you quote with such authority is nothing but an off-hand
comment -- perhaps true, perhaps not, but definitely not supported.
And not worth quoting outside a Leno-esque setting.


> If you live in the gunslinger mentality of so much of the former
> Warsaw pact, the solution to any security problem might well be
> another round of vodka shots.

Oh dear. How do you know? Have you been there? There are huge
differences between the countries there were coerced into that
organization. Or do you claim Estonia is the same as Croatia?

As for the gunslinger mentality, it build much of the United States
from which you derive great benefit whether you like it or not.

And even if vodka were sometimes, someplace a solution, does not mean
that is it always and everywhere the solution. Statistics cannot be
applied backwards. Statistics are descriptive, not prescriptive.


> Russia, for example, is ranked 117 on the world corruption audit
> http://www.worldaudit.org/corruption.htm

So what? However well-intentioned, these sorts of things are flawed:
1) It is difficult to measure relevant factors
2) The weighting of these measurements reflects only one set of values
3) The ordinal presentation hides the sizes of differences

You are also missing a link -- even if corrupt, why does that make
the software poorly written? Why do you believe corruption is
greater than imcompetence? "Never attribute to malice that which
can reasonbly be explained by simple incompetence" [Napoleon]

> In any case, software integrity is a *very* big problem.
> If you are trying to argue otherwise, my guess is that you
> don't think integrity is all that important.

It may well be a big problem. Unfortunately, your case is full
of holes. With friends like you, security does not need enemies.


-- Robert R

>
>
From: Robert Myers on
On Jan 30, 1:13 pm, Robert Redelmeier <red...(a)ev1.net.invalid> wrote:
> In c.s.i.p.h.c  Robert Myers <rbmyers...(a)gmail.com> wrote in part:
>
> > You can find the claim in the subject line as the top-rated risk at
> >http://www.csl.sri.com/users/neumann/insiderisks08.html#220
> > I found that link from the useful (moderated) newsgroup comp.risks.
>
> Are you having us on?  Have a look at the context:  the author (a Homeland
> Security civil servant) is arguing for National Security Research and says:
>
>    While progress in any of the areas identified in previous
>    reports noted above would be valuable, I believe the `top ten'
>    list consists of the following (with short rationale included):
>
>    1.Software Assurance - poorly written software is at the root
>        of all of our security problems
>
<snip>

> The claim you quote with such authority is nothing but an off-hand
> comment -- perhaps true, perhaps not, but definitely not supported.
> And not worth quoting outside a Leno-esque setting.
>
The purpose of my post was to point others toward more reliable
sources of information than wild claims by people who like things just
the way they are, not to offer authoritative assessments. Whatever
you may think of my opinion about software, it is an opinion that is
widely-shared.

> > If you live in the gunslinger mentality of so much of the former
> > Warsaw pact, the solution to any security problem might well be
> > another round of vodka shots.
>
> Oh dear.  How do you know?  Have you been there?  There are huge
> differences between the countries there were coerced into that
> organization.  Or do you claim Estonia is the same as Croatia?
>
It is a widely-recognized reality that some of the most clever
programming, and also some of the most malicious, is coming from the
former Warsaw pact.

<snip>

> > Russia, for example, is ranked 117 on the world corruption audit
> >http://www.worldaudit.org/corruption.htm
>
> So what?  However well-intentioned, these sorts of things are flawed:
> 1)  It is difficult to measure relevant factors
> 2)  The weighting of these measurements reflects only one set of values
> 3)  The ordinal presentation hides the sizes of differences
>
> You are also missing a link -- even if corrupt, why does that make
> the software poorly written?  Why do you believe corruption is
> greater than imcompetence?  "Never attribute to malice that which
> can reasonbly be explained by simple incompetence" [Napoleon]
>
If you are in a culture where high-risk behavior is the norm, you will
have a different conception of what is reasonable behavior. Sebastian
has already informed us that it is not worth his while to be careful
and presented a rationale for his calculated carelessness. I can't
imagine any of my correspondents from Scandinavia talking in a similar
fashion. Even a Wall Street jockey would not be likely to be so
incautious. In the litigation-happy US, such off-hand commends could
backfire in a serious way.

> > In any case, software integrity is a *very* big problem.
> > If you are trying to argue otherwise, my guess is that you
> > don't think integrity is all that important.
>
> It may well be a big problem.  Unfortunately, your case is full
> of holes.  With friends like you, security does not need enemies.
>
It comes as little surprise that you have a low opinion of me and want
to make that known. I can't imagine that anyone else who follows
these forums would be more surprised than I am.

Robert.