From: Robert Redelmeier on 30 Jan 2010 13:13

In c.s.i.p.h.c Robert Myers <rbmyersusa(a)gmail.com> wrote in part:
> You can find the claim in the subject line as the top-rated risk at
> http://www.csl.sri.com/users/neumann/insiderisks08.html#220
> I found that link from the useful (moderated) newsgroup comp.risks.

Are you having us on? Have a look at the context: the author (a Homeland Security civil servant) is arguing for National Security Research and says:

    While progress in any of the areas identified in previous reports noted
    above would be valuable, I believe the `top ten' list consists of the
    following (with short rationale included):

    1. Software Assurance - poorly written software is at the root of all of
       our security problems
    2. Metrics - we can't measure our systems, thus we cannot manage them
    3. Usable Security - information security technologies have not been
       deployed because they are not easily usable
    4. Identity Management - the ability to know who you're communicating
       with will help eliminate many of today's online problems, including
       attribution
    5. Malware - today's problems continue because of a lack of dealing with
       malicious software and its perpetrators
    6. Insider Threat - one of the biggest threats to all sectors that has
       not been adequately addressed
    7. Hardware Security - today's computing systems can be improved with new
       thinking about the next generation of hardware built from the start
       with security in mind
    8. Data Provenance - data has the most value, yet we have no mechanisms
       to know what has happened to data from its inception
    9. Trustworthy Systems - current systems are unable to provide assurances
       of correct operation to include resiliency
    10. Cyber Economics - we do not understand the economics behind
        cybersecurity for either the good guy or the bad guy.

The claim you quote with such authority is nothing but an off-hand comment -- perhaps true, perhaps not, but definitely not supported. And not worth quoting outside a Leno-esque setting.

> If you live in the gunslinger mentality of so much of the former
> Warsaw pact, the solution to any security problem might well be
> another round of vodka shots.

Oh dear. How do you know? Have you been there? There are huge differences between the countries that were coerced into that organization. Or do you claim Estonia is the same as Croatia? As for the gunslinger mentality, it built much of the United States, from which you derive great benefit whether you like it or not. And even if vodka were sometimes, someplace a solution, that does not mean that it is always and everywhere the solution. Statistics cannot be applied backwards. Statistics are descriptive, not prescriptive.

> Russia, for example, is ranked 117 on the world corruption audit
> http://www.worldaudit.org/corruption.htm

So what? However well-intentioned, these sorts of things are flawed:

1) It is difficult to measure relevant factors
2) The weighting of these measurements reflects only one set of values
3) The ordinal presentation hides the sizes of differences

You are also missing a link -- even if corrupt, why does that make the software poorly written? Why do you believe corruption is greater than incompetence? "Never attribute to malice that which can reasonably be explained by simple incompetence" [Napoleon]

> In any case, software integrity is a *very* big problem.
> If you are trying to argue otherwise, my guess is that you
> don't think integrity is all that important.

It may well be a big problem. Unfortunately, your case is full of holes. With friends like you, security does not need enemies.

-- Robert R
From: Robert Myers on 30 Jan 2010 14:39

On Jan 30, 1:13 pm, Robert Redelmeier <red...(a)ev1.net.invalid> wrote:
> In c.s.i.p.h.c Robert Myers <rbmyers...(a)gmail.com> wrote in part:
>
> > You can find the claim in the subject line as the top-rated risk at
> > http://www.csl.sri.com/users/neumann/insiderisks08.html#220
> > I found that link from the useful (moderated) newsgroup comp.risks.
>
> Are you having us on? Have a look at the context: the author (a Homeland
> Security civil servant) is arguing for National Security Research and says:
>
>     While progress in any of the areas identified in previous
>     reports noted above would be valuable, I believe the `top ten'
>     list consists of the following (with short rationale included):
>
>     1. Software Assurance - poorly written software is at the root
>        of all of our security problems
> <snip>
> The claim you quote with such authority is nothing but an off-hand
> comment -- perhaps true, perhaps not, but definitely not supported.
> And not worth quoting outside a Leno-esque setting.

The purpose of my post was to point others toward more reliable sources of information than wild claims by people who like things just the way they are, not to offer authoritative assessments. Whatever you may think of my opinion about software, it is an opinion that is widely shared.

> > If you live in the gunslinger mentality of so much of the former
> > Warsaw pact, the solution to any security problem might well be
> > another round of vodka shots.
>
> Oh dear. How do you know? Have you been there? There are huge
> differences between the countries that were coerced into that
> organization. Or do you claim Estonia is the same as Croatia?

It is a widely recognized reality that some of the most clever programming, and also some of the most malicious, is coming from the former Warsaw pact.

<snip>

> > Russia, for example, is ranked 117 on the world corruption audit
> > http://www.worldaudit.org/corruption.htm
>
> So what? However well-intentioned, these sorts of things are flawed:
> 1) It is difficult to measure relevant factors
> 2) The weighting of these measurements reflects only one set of values
> 3) The ordinal presentation hides the sizes of differences
>
> You are also missing a link -- even if corrupt, why does that make
> the software poorly written? Why do you believe corruption is
> greater than incompetence? "Never attribute to malice that which
> can reasonably be explained by simple incompetence" [Napoleon]

If you are in a culture where high-risk behavior is the norm, you will have a different conception of what is reasonable behavior. Sebastian has already informed us that it is not worth his while to be careful and presented a rationale for his calculated carelessness. I can't imagine any of my correspondents from Scandinavia talking in a similar fashion. Even a Wall Street jockey would not be likely to be so incautious. In the litigation-happy US, such off-hand comments could backfire in a serious way.

> > In any case, software integrity is a *very* big problem.
> > If you are trying to argue otherwise, my guess is that you
> > don't think integrity is all that important.
>
> It may well be a big problem. Unfortunately, your case is full
> of holes. With friends like you, security does not need enemies.

It comes as little surprise that you have a low opinion of me and want to make that known. I can't imagine that anyone else who follows these forums would be more surprised than I am.

Robert.