Re: Presidential Internet Kill Switch

[chris () blask org]

--- On Wed, 9/23/09, Dan Kaminsky <dan () doxpara com> wrote:

> Be that as it may, the data rather clearly suggests
> certification in the security realm is (very) badly 
> correlated with qualification.

Well, be *that* as it may (and I agree, it certainly may be), we live in a world where plumbers and lawyers (I'll leave 
the correlation to the reader) require certifications, so the general concept of certifying is something that is 
well-worn in most of the world.
 
> Bottom line:  What if the only people allowed to do
> security work were CISSPs?

The mistake you may be making is assuming that the only possible future is a linear transposition of aspects of the 
present.  I'm not arguing that there is not a real risk of lame certifications being the standard in some future 
regime, but I would suggest that there is no certainty that this has to be the case.

> (Yes, this applies to government systems and critical
> infrastructure, for now.  But you know, that latter part isn't well
> defined either. Is Linux critical infrastructure?)

Ah!  It truly *isn't* defined well, which is another pertinent point.  It very much should be better defined, and the 
more you peel that grape the harder it is to not include things like critical economic and communication 
infrastructure.  If there is an argument for special treatment of the networks that deliver, say, energy across the 
nation, it is possible that the same argument could apply to networks that deliver information and economic stability 
as well.

At the very least, this is a discussion that needs to be had with an eye to the needs of the nation (and not just us) 
and in the context of what is pragmatically necessary as opposed to ideally desired.

-chris


      

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.