funsec mailing list archives
Re: truth is for Admins
From: chris () blask org
Date: Mon, 26 Oct 2009 05:10:53 -0700 (PDT)
--- On Mon, 10/26/09, Rich Kulawiec <rsk () gsp org> wrote:
And this in turn is why any security strategy that depends on user education/cooperation has already failed. Completely. It's prudent to presume that one's users are at best utterly incompetent, at worst actively malicious, and design accordingly.
While I don't (think I) agree with the spirit I completely agree with the summation. Assuming that your user population is a breath away from going barking mad at any given moment is only prudent. And, since we have not yet delivered the full set of tools necessary to design and implement accordingly, it should not surprise anyone that we still have the results we do. So far, while we have managed to make an incredibly functional global communications system, many of the parts are still only partially engineered. It is equally possible to make a functional transportation system that is only partially engineered but still "works" by general definitions. In either case, each desperately needs more advancement than is going to come in any short period of time. Cars can be built with little more than a drive train and steering (and brakes, if you feel generous), but when Gramma slams one into a building it shouldn't come as a tremendous surprise. Seat belts and airbags are no replacement for embedded radar, video interpretation software, accelerometers and predictive pseudo-cognizant vehicle management combined with a driver-override (or better yet, replacement) system, but until we can develop and deliver all that affordably for a billion cars belts and bags will simply have to do. The only downside is that this freedom of movement will cost a few tens of thousands of lives a year (in the US alone) until we get the full system developed and deployed sometime around the middle to the end of this century. Also in the meantime, traffic engineers will have to work with the tools at hand and send their own grandmothers and children out on the half-baked highways they design. So, all in all it isn't anything new that is expected of us, whatever our roles are in the infosec industry. If you work for a vendor, you need to improve your cars so fewer (but, sorry, still 'some') of your customers slam them into trees. If you are a network admin, you have to design and operate systems where only some of your users will die in fiery wrecks some of the time. Except, of course, that generally we don't lose any actual lives in the course of dealing with our own compromises so the tenor of our self-pitying whining should be notably less than our automotive peers. -chris _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- truth is for Admins RandallM (Oct 23)
- Re: truth is for Admins Valdis . Kletnieks (Oct 25)
- Message not available
- Re: truth is for Admins Valdis . Kletnieks (Oct 25)
- Re: truth is for Admins John Bambenek (Oct 25)
- Message not available
- Re: truth is for Admins RandallM (Oct 25)
- Re: truth is for Admins Valdis . Kletnieks (Oct 25)
- Re: truth is for Admins Valdis . Kletnieks (Oct 25)
- <Possible follow-ups>
- Re: truth is for Admins Les Bell (Oct 25)
- Re: truth is for Admins Rich Kulawiec (Oct 26)
- Re: truth is for Admins chris (Oct 26)
- Re: truth is for Admins Nick FitzGerald (Oct 26)
- Re: truth is for Admins chris (Oct 26)
- Re: truth is for Admins Rich Kulawiec (Oct 26)