Full Disclosure mailing list archives

Re: Re: Not telling enough - ethics/shmethics


From: James Tucker <jftucker () gmail com>
Date: Fri, 19 Aug 2005 13:18:04 +0100


One of the issues I see with certifications nowadays is that, in this
industry, once upon a millennium ago it was an honor to have a cert in
something whereas nowadays you can have any Joe Shmoe memorize a book and
get a cert. For that matter sell them in bubble gum machines and call it a
day.

Many of the "certs" nowadays seem to have slowly tailored their prereqs
towards industry crybabies (Cisco, MS, Oracle, Symantec). Far too many in
my opinion have lost sight of the fundamentals and have started focusing
far too deeply on "Who will be my gold/platinum sponsor".

This is common of almost all education systems, and is a product of humans rarely wanting to truly understand what's going on. The first learners to pass certs and other education systems with flying colours are only those who truly understand. Later on, the teaching becomes increasingly sophisticated (with regard to the bell curve, and thus the bottom line too) at generating passing students. These students don't need understanding (or at least, they think so) and as such simple habitual memorisation can be sufficient to pass. As I said, this is common of most education systems as we're all lazy cheats. READ: Culture issue.

So what we need is a universal code of ethics that everyone could agree on
(herding cats by the way can be entertaining). So how ethical was it for
someone to post anon about msdss.dll this morning and how many people did
they put at risk (even if it took someone 6 months to do something, heck
Oracle has taken over 2 years to fix a security issue, very few whine about
them).


Universal codes are meant to be broken, that is just life. Everything
under the sun is made to be broken. What applies in one place might
destabilize something some place else. So who is to set standards?
Governments? So they can custom tailor things to their own will? Like
ECHELON used to snoop and steal contracts?

The standards will always be hard to set, this environment is too dynamic. There is no substitute for experience as always, and the truest test is putting someone on the spot and getting them to solve a problem which they have never seen before.

We need to do that more often, and stop slamming on each other, and start
setting real standards that can be directly applied, much like doctors,
lawyers, nurses. We have the same ability to ruin other people's lives as
any doctor, lawyer or nurse. We need accountability against those standards,
much like any other profession.


The problem with this is, again, who should you trust? Vendors should be
held accountable for not patching their shoddy programs up properly. Look
at the now-becoming-boring case of Lynn and Cisco. Lynn was punished. Know
what? If Cisco had this information for years now, didn't do squat, how
come no one is investigating them and fining them for every day their
holes aren't patched?

With regard to certifications for individuals, we understand the problems there. With regard to getting vendors to act the way the industry wants (READ: train them), they will need some kind of reward. Set up a non-profit organisation relating to information handling with regard to infosec and, if you like, other business factors. Certifications can be granted to businesses, and an organisation of this manner will gain weight in the industry if it is built properly and is allowed to grow.

so what are "we" going to do about it?

Find some people who will be listened to, to start the above.


Roll over and cry you spilled your milk.

Far too many companies are more concerned with appeasing their investors
to bother dealing with real issues. Microsoft walks all over governments
with their practices, Cisco just joined the "Buy a politician" club
obviously, so who do you look to? Obviously mentioning the government (any
government) is likely to throw another gov into a panic so in reality
there is little to be done. Invest in one of these seedy security
companies, make some cash off of others' misery. That's what you can do
about it.

The right people.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/