[clue-talk] hrmmm

Matt Poletiek chill550 at gmail.com
Mon Jul 30 22:35:20 MDT 2007


>Those who really care about the solution need lots of time and money
>to figure it out, thus sell out and become "the security industry".

Time yes, money for an internet connection maybe. Computers are available for
free to the resourceful.

>Do you really think SANS wants to fix the problems permanently now
>that they're making a wicked living off of them?

No, and that's the problem of the profit motive. However, most software companies
outsource their security audits and solutions.

>Patches are forever, really fixing the software puts you out of a
>job.

This is true. However, I see patches as consistent no matter what your motive,
commercial or open source. This is the evolution of code. Just like breaking
into a house, the level of security technology forever increases.

>They're just using horribly insecure products at the core level.

Yes, and the problem with the industry is the lack of this understanding.
Instead of bothering with the 'core' levels, the OS levels in my opinion,
they add layers of security on top. Multiple layers of authentication come
to mind.

I personally believe security is possible. You will never defeat the determined;
however, you can prevent yourself from being prey to those looking for a quick
and automated hack. There will always be scavengers amongst the pack.


On 7/30/07, Nate Duehr <nate at natetech.com> wrote:
>
> On Jul 26, 2007, at 11:07 AM, Matt Poletiek wrote:
>
> > Instead of outlawing it, calling it a sin, and punishing the curious.
> > We need to harbor it and make it work for us.
>
> I agreed with you right up until that point.  Then you lost me.
>
> I suppose we shouldn't outlaw burglars, and not punish the curious
> who would like to find out what it's like to break into a house, and
> harbor them and make them work for us too?
>
> LOL!  Whatever.
>
> People breaking and entering on a computer are no better than people
> breaking and entering into a home or business.  Throw 'em in jail.
> If they were only "curious" they could break into their OWN computers
> loaded with whatever they want to load... all day long, with no harm
> or potential harm done to others.
>
> > Those who really care about the solution will learn how it works.
>
> Those who really care about the solution need lots of time and money
> to figure it out, thus sell out and become "the security industry".
> Now their motivation is suddenly different.  A good example would be
> SANS.  Started out as a mostly research site, good book or two from
> papers their students wrote (not a bad way to get money out of work
> you never did yourself, there Northcutt) and nowadays, in bed with
> all sorts of government agencies, putting on all sorts of "security
> certification" courses, and "intro" courses for lots of completely
> clueless people... and charging $3500 a head for it.
>
> Nice work if you can get it.
>
> Do you really think SANS wants to fix the problems permanently now
> that they're making a wicked living off of them?
>
> Patches are forever, really fixing the software puts you out of a
> job.  Look at the work of even the best software developers... the
> smartest folks on the planet still can't release anywhere close to
> bug-free code after 30 years of commercial computer software
> writing.  Pitiful, or just smart enough not to work so hard they make
> something great -- you decide.
>
> > When I say the Security Industry is slowly growing legit. I mean there
> > are people within corporate America with massive networks to protect.
> > They are throwing money at their solutions and are still getting
> > compromised. Then they run around like chickens with their heads cut
> > off screaming cyber terrorism and all, finally realizing they should
> > hire a security professional. Didn't the city of Denver just recently
> > obtain a CSO? After how long?
>
> Don't know what CSO is, but ... I also haven't seen anyone in Denver
> government make so much as a peep about "cyberterrorism", and I doubt
> they were not trying to secure things?
>
> They're just using horribly insecure products at the core level.
>
> The operating system(s) themselves (all of them) continue to be
> riddled with holes like Swiss cheese...  and if the OS folks can't
> ever "get it together" there's never any long-term hope for the
> applications riding on the OS's...
>
> --
> Nate Duehr
> nate at natetech.com


-- 
Matthew Poletiek
www.chill-fu.net


