[clue-talk] hrmmm

Matt Poletiek chill550 at gmail.com
Thu Jul 26 11:07:55 MDT 2007


Agreed. However, that mentality has created the security industry.

It's a lot easier to sign an agreement than to audit your own code
(Microsoft & Symantec).

It is also a lot easier to buy a product or solution that makes you
"feel" better than it is to hire a security professional to audit your
IT systems.

Since the dawn of capitalism people no longer care about the
technicalities of a solution to a problem. They see a problem and they
throw money at it.

This lack of motivation to fix one's own product has created the
security firms who will do it for you.

This goes beyond the average computer user though. With all the
corporate scandals as of late, 911, and the war on terrorism with the
threat of "cyber terrorism", corporate America is scared shitless.

Not to say I believe in cyber terrorism or any of that bullshit.

I do believe in the evolution of code and the evolution of code tells
me there will always be room for logic that refutes a developer's
product. Code to break code.

Therefore the mentality it takes to look at a finished product and be
able to make it do something it wasn't supposed to will be around
forever.

Human nature.

Instead of outlawing it, calling it a sin, and punishing the curious,
we need to harbor it and make it work for us.

>Wouldn't you be afraid with words like "viruses" and "trojans" used
>to describe what are actually "complete self-operating programs doing
>bad things on your computer, like removing files or capturing your
>keystrokes, that the designers of your chosen OS and user software
>weren't careful enough or thorough enough to protect you from"?

Those who really care about the solution will learn how it works.
Those who just want to throw money at the problem will be sold by
Microsoft and the Security industry. People think that by adding
layers of protection to their code they are making it more secure,
when in reality they are adding more layers of logic that could be
broken while not ever hardening the lower layers.

It's human nature to not care as long as it works. It has been this way
with automobiles and mechanics since their day.

Again, human nature. Those who care, will seek the answer. Those who
don't, are possible victims.

Having insecure machines isn't necessarily a bad thing. It teaches us
a lesson and without them there would be no security industry. There
would be no computer industry as we know it today.

What most people don't understand is 90% of the exploited code out
there is for nothing more than marketing purposes.

When I say the Security Industry is slowly growing legit, I mean there
are people within corporate America with massive networks to protect.
They are throwing money at their solutions and are still getting
compromised. Then they run around like chickens with their heads cut
off screaming cyber terrorism and all, finally realizing they should
hire a security professional. Didn't the city of Denver just recently
obtain a CSO? After how long?

The next problem is the relationship between the hired security
professional and the users is trust. That is one can of worms I hope I
never have to deal with.

Sorry, this is kinda a ramble.

On 7/26/07, Nate Duehr <nate at natetech.com> wrote:
>
> On Jul 26, 2007, at 2:13 AM, Matt Poletiek wrote:
>
> > Computer Security is slowly becoming a legit industry. I blame the
> > fear amongst the masses currently, but hey. Whatever one will do for
> > money is their own choice.
>
> Wouldn't you be afraid with words like "viruses" and "trojans" used
> to describe what are actually "complete self-operating programs doing
> bad things on your computer, like removing files or capturing your
> keystrokes, that the designers of your chosen OS and user software
> weren't careful enough or thorough enough to protect you from"?
>
> I know that's a mouthful, but most people (who barely understand how
> to drive their mice) would be a lot more pissed off at the root-cause
> instead of the "hackers" if we techies stop using pity catch phrases
> to describe things and tell them like they really are.
>
> Would you buy a computer if your friends had ALL heard this line from
> their techies that Microsoft did not bother to write something well
> enough to keep bad people from getting a simple website to do
> severely malicious things to them, and that their continuing problems
> mean that they have to re-release new patches to fend off all their
> bugs they created every month or so?
>
> Seriously -- the computer industry overall is a bunch of flim-flam
> artists, even the places I've worked for... everyone believes that
> it's okay to release software with known bugs (discounting that for
> every known bug there's usually X more...) and state-of-the-art still
> means that everything makes it through the day without major security
> holes eating you alive.  Home computer users don't have Corporate IT
> departments to protect and supposedly train them (seen any computer
> training classes for anyone where you work lately) and their machines
> end up cesspools of spyware, malware, and whatever else the press
> likes to call it.  "Virus" sounds so much sexier than "software any
> 14 year old could write that will attack your files on your machine
> because the professional adults at your Operating System company
> can't get their **** together."
>
> Macs are slightly better than PC's in the security regard, but
> honestly for more than 30 years of doing "computers" in the world,
> the standards, nay... "building codes" aren't there yet.  I can
> imagine that if the last 30 years of houses built had as many holes,
> leaks, and problems as OS's and application software do -- most
> builders would be bankrupt, and the homeowners would have demanded
> inspectors by now.  Do you see that coming in software?  I don't.
> Especially not in OS's.
>
> We're too busy changing the OS's to audit them.
>
> --
> Nate Duehr
> nate at natetech.com


-- 
Matthew Poletiek
www.chill-fu.net


