Full Disclosure mailing list archives
Re: Off topic rant to my friends
From: Steve Kudlak <chromazine () sbcglobal net>
Date: Thu, 09 Jun 2005 01:38:14 -0700
I dunno if this is any worse than the many, many replies one sees to some hot topic about Microsoft and stuff like that.. Overall everytime I went to a security conference users got insulted. They were stupid, they fell for things, hook line and sinker etc. etc. etc. Of course sometimes the "professionals" never mentioned that the poor users are bombarded by a bunch of directives that are not explained and are hard to follow and seem like another stupid directive handed down from on-high that ask them to do something difficult without explaining how, for example how to pick passwords that are not in the dictionary. The take a phrase and take the first letter technique is something that does not intuitively spring to mind to everyone. It took a lecture to explain that "F*CK SUSAN and BOB" were not good passwords. N.B. I have been around for awhile and on the old TOPS-20 Systems passwords were not intially encrypted. So it was easy to find actual passwords and tell people not to use those. Now things are encrypted and all that but still a weakpassword doesn't work and other small things that people could do to be just reasonably careful they don't. Dunno how much verbage to waste on random issues.
Have Fun, Sends SteveI read the article and it was interesting. I don't quite know how much of it to believe. It is clear some people are up to something questionable. Whether it fits the model the authors have of well coordinated effort to deliver services to organized crime maybe a bit much on the conspiracy side for me tyo swallow. Security experts often miss that they use FUD without knowing it.
But it is still to be careful because there are people who don't realise one's machine might be for something important and not just a plaything for others to mess with and ruin if they had a bad day or wanted to play weird "process war games".
Have Fun, Sends Steve J.A. Terranson wrote:
You don't have a blogspot account you could have posted this to? On Sun, 5 Jun 2005, Randall M wrote:Date: Sun, 5 Jun 2005 10:32:20 -0500 From: Randall M <randallm () fidmail com> To: full-disclosure () lists grok org uk Subject: [Full-disclosure] Off topic rant to my friends Sorry to rant to this list. This list though has the only people on it who totally understand this ranting. Every morning before heading for work I read all my security alert emails and website collections about possible Trojans, worms and viruses found. Being a faithful worker I do this on the Weekends too. Once at work I check my web appliances, gateway, Exchange boxes and data servers for dat updates and check log files. I spend the first two-three hours of my work day doing this every day. Why do I do this? I do it to protect my company's investment. To ensure that the employee's have a job that day. To make sure that customers will have on time delivery and so new customers can make orders, etc., etc. Today I read this article: http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K0000614 For some reason, maybe the coffee, I sat there thinking what the hell am I doing all this for? Am I being paid by my company to set up and protect only for some future use as a botnet for some organized crime boss!! I continually spend time, money and research on ways to protect. All of my mechanisms I use are actually as helpless as I am!! It's the blind leading the blind!! Then, like a message from God, a memory of a phone call from one of our users came to me: "Hey, I received this email about my account being suspended for security reasons, I immediately deleted it but just wanted to let you know". My small employee awareness program was slowly paying off. A year ago that same phone call would have been the "I think I did something bad" type. I now realize that my investments and my time have been spent MORE in the wrong place. I'm turning that around and heading back to the user. They are MY PROACTIVE, PREEMPTIVE protection!! I am no longer depending on the Anti-Virus dats or the front-end Appliances or the Gateways because a simple "Click" by the user makes them all useless. And it looks as though I can't depend on them to keep that "click" opportunity from the user. Praise be to God for the User! They are powerful! They are trainable! They are my BEST defense! There. I fell better now. thank you Randall M _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Off topic rant to my friends Randall M (Jun 05)
- Re: Off topic rant to my friends J.A. Terranson (Jun 05)
- Re: Off topic rant to my friends John Goh (Jun 05)
- Re: Off topic rant to my friends Steve Kudlak (Jun 09)
- Re: Off topic rant to my friends James Tucker (Jun 09)
- <Possible follow-ups>
- RE: Off topic rant to my friends Cassidy Macfarlane (Jun 10)
- Re: Off topic rant to my friends J.A. Terranson (Jun 05)