Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

The Failure of Information Security

Posted by ScuttleMonkey on Wed May 10, 2006 04:38 AM
from the everyone-is-happy-until-something-breaks dept.
Security Editorial
Noam Eppel writes to share a recent editorial regarding the current state of information security. From the article: "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
+ -
story

Related Stories

[+] Community Comments To Security Absurdity Article 190 comments
An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

The Failure of Information Security 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • "It is time to admit what many security professional already know: We as security professional are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect."
    Bollocks - this implies that there's more security professionals could do, but they choose not to, to drum up business.

    The sad reality of the matter is the vast majority of the threats they mention - Spyware, phishing, Trojans, viruses, worms, rootkits, spam, web app vulnerabilities & ddos attacks - are enabled by the existence of botnets (to stage attacks from, send spam, provide anonymity, host phishing webservers, etc)

    The source of (the vast majority of) botnets is Microsoft's security failures in the late 90's/early 00s. How are security professionals supposed to combat something that happened in the past in another company?

    Furhtermore, the list of data losses
    Credit Card Breach Exposes 40 Million Accounts [com.com]
    Bank Of America Loses A Million Customer Records [com.com]
    Pentagon Hacker Compromises Personal Data [military.com]
    Online Attack Puts 1.4 Million Records At Risk [com.com]
    Hacker Faces Extradition Over 'Biggest Military Computer Hack Of All Time' [spamdailynews.com]
    Laptop Theft Puts Data Of 98,000 At Risk [com.com]
    Medical Group: Data On 185,000 People Stolen [com.com]
    Hackers Grab LexisNexis Info on 32000 People [pcworld.com]
    ChoicePoint Data Theft Widens To 145,000 People [com.com]
    PIN Scandal 'Worst Hack Ever'; Citibank Only The Start [csoonline.com]
    ID Theft Hit 3.6 Million In U.S.
    Georgia Technology Authority Hack Exposes Confidential Information of 570,000 Members [itworldcanada.com]
    Scammers Access Data On 35,000 Californians [com.com]
    Payroll Firm Pulls Web Services Citing Data Leak [com.com]
    Hacker Steals Air Force Officers' Personal Information [washingtonpost.com]
    Undisclosed Number of Verizon Employees at Risk of Identity Theft [com.com]
    can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.

    The story makes some good points, but blames the wrong people.

    • Re:Failure of security professionals? (Score:5, Insightful)

      by BorgDrone (64343) on Wednesday May 10 2006, @05:10AM (#15299674) Homepage
      Furhtermore, the list of data losses (...) can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.
      Not entirely correct. Yes, users are morons, and yes they often fail to follow the advice of the security team. However, it's the security team's responsibility to get proper behaviour into the users stupid little heads.

      Security is not just the technical part, educating your users is huge part of it and if users fail to follow advice the security team has failed in this part of their job. You can whine how stupid users are, but that doesn't change reality, it's the security team's responsibility to make them less stupid.

      • Re:Failure of security professionals? (Score:5, Insightful)

        by Bacon Bits (926911) on Wednesday May 10 2006, @05:38AM (#15299734)
        I don't think that's what he saying. That is, users are not to blame. The decision makers are.

        Let's say, as an IS professional, you explain to managment the need to restrict user accounts with Administrator rights, the need to implement an intrusion detection device, the need to eliminate spam, the need to make the network infrastructure fault tolerant, the need to update the antivirus client to something that can detect modern threats, and the need to educate users on how to operate their systems securely. Management denies budgeting these things on the basis that they are not necessary, and would you please increase maximum mailbox size again?

        If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.

        • If the company is unwilling to do what is necessary to secure the environment, then as an IS professional you are largely helpless.

          Measures against security just like safety are directly proportional to the level of perceived threat.

          So in other words it will take a massive breach in their world or to someone they know before the proper measures are taken.

          Nobody protects a piggy bank with an armored tank. Fort Knox has an Army base beside it.

        • What many computer professionals don't realize is that a certain amount of loss due to crime is inevitable at any medium to large business. Stores like Walmart and Target have huge "shrinkage" problems, many times due to the employees themselves. Banks are constantly the victim of their own people all the way up to the VP level. Because of this, businesses are forced to make the calculation about how much security will save, vs. how much will be lost due to crime. If you want Military level security, yo

      • Re:Failure of security professionals? (Score:5, Insightful)

        by symbolic (11752) on Wednesday May 10 2006, @05:42AM (#15299744)
        That all depends...many organizations have positions that are characterized by "all of the responsibility but none of the authority". This means that as a security professional, you may be able to recommend certain practices, but unless one has the authority to see to it that these recommendations are implemented, there really isn't a whole lot more that can be done.

        • That all depends...many organizations have positions that are characterized by "all of the responsibility but none of the authority". This means that as a security professional, you may be able to recommend certain practices, but unless one has the authority to see to it that these recommendations are implemented, there really isn't a whole lot more that can be done.

          This is one of the reasons I refuse to ever work as anything less thant Chief Information Security Officer - I have seen SO many directors, ad

      • Furhtermore, the list of data losses (...) can be blamed on companies who have failed to follow their security team's advice. Not on the security team itself.

        Not entirely correct. Yes, users are morons, and yes they often fail to follow the advice of the security team. However, it's the security team's responsibility to get proper behaviour into the users stupid little heads.

        Agreed - but what I was talking about is not failures of the end users, but failure of the company's management to implement secur

      • Bad perspective.

        If you consider the users to be morons and know that they will fail to follow security advice than you plan for this. You can implement training to 'un-moron' them to a degree, but it is not wise to consider that the post-training person will do what they have been told all of the time.

        *ANYONE* in any support or consultancy role that starts to say to themselves (about the users) "You'd think that they would/wouldn't...." (eg: You'd think that they would know not to login as someone else") is
      • Especially when they're senior management types? You can bitch all you want to anybody you can find who'll listen to you but at the end of the day most companies place senior management and they're desires ahead of those of the IT department: if Company Director X declines to follow IT dept guidlines on security procedures, there is nothing IT can do to him and his activities which won't result in the IT guys being fired.

        So some Top Dog asshat opens a gaping hole into the company's system and there's not a
    • The story makes some good points, but blames the wrong people.

      Exactly. Senior management (aka the "C level positions" like CFO, COO, CEO) just refuse to integrate information assurance, integrity and control into their practices. It is no different than rejecting GAAP and instead using creative accounting ala Worldcom and Enron. Yea, this stuff is hard and complex. But so is the world of finance, and yet we are required to figure it out there.

      I work for a firm that consults to smaller financial institutions

  • Sounds a bit harsh to me (Score:5, Interesting)

    by giorgiofr (887762) on Wednesday May 10 2006, @04:48AM (#15299635)
    We as security professional are drastically failing ourselves, our community and the people we are meant to protect.

    This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be. Yeah, Norton and McAfee are doing their best to scare consumers into buying software that provides ridiculous security. But this is not what we mean by "professionals".
    Also, I am not a "security professional" but I have done my fair share of configuring and securing other people's computers; sometimes thay might have been compromised anyway, but if I had done nothing, many more systems would have been at danger.
    The article lists a long series of threats that endanger our systems everyday - but I fail to see how they are related to security professionals not doing their job. I'd rather blame the criminals.
    • This is quite harsh. While it is true that more could be done, it also true that it is thanks to security professionals that things are not as bad as they could be.

      As opposed to what?! Bad is bad, especially in security, where one breach is all you need. I don't think there's any such thing as "secure to a degree". You're either secure or you're not.

      Perhaps you meant that "the consequences are not as bad as they could be". But how much worse do you want it to get? So far the bad guys have been using victims
    • I'd rather blame the criminals.

      Well. It's an extreemely good point.. however, I think the police / criminals analogy works on another level too; at first glance, you'd think it's the criminals that's making the streets unsafe, and not the police. Start looking around a little in the real world though, and you'll find plenty of countries where it's more or less debatable wether the police are solving more problems than they create (Russia, most parts of Africa and some parts of South America)..

      Likewise,

  • A real failure! (Score:5, Insightful)

    by VincenzoRomano (881055) on Wednesday May 10 2006, @04:48AM (#15299638) Homepage Journal
    Information security is failing also because information needs to be managed and addressed by non technical people! Also known as "normal people".
    Techniques like phishing or social engineering, as well as a good dose of stupidity [slashdot.org] and ignorance, can make security technologies useless!
    Like writing down on leaflets PINs and passwords or communicating them via email.

    • I wish I could mod you up!!!

      You can build the environment as safe as it gets... but if you can't enforce a secure behavior to your user, you can't be 100% secure.

      Also, management end doing poor decisions based on the average user skills, like using Windows desktops ... or won't bother doing some sort of training to ensure that the users knows the security policy.

      The average user must understand their role within the security plan, understand that good security has much more to do with good pratices and habi

  • Interesting but... (Score:5, Interesting)

    by datafr0g (831498) * <datafrog AT gmail DOT com> on Wednesday May 10 2006, @04:56AM (#15299650) Homepage
    I've read the article and while it's a very informative collection of statistics, I don't believe that Security Professionals are responsible for many of the "Security Failures" listed, nor can they fix the problems. Security Consultants already know most of this stuff and can say what they like to a business, but they do not make the final decision. The holes are in the OS's and the platforms businesses choose and generally the priority isn't security - it's usability, ROI, cost, etc.

    Another point: What are we comparing this to anyway. What I mean is, "bad security" compared to what? How many millions of attempts at compromising security are foiled vs those that get through? The times when businesses actually follow what a security consultant recommends, I guarantee they become a hell of a lot more secure than those that don't.

  • The Human Factor (Score:5, Insightful)

    by CortoMaltese (828267) on Wednesday May 10 2006, @04:57AM (#15299654)
    I think TFA pretty much ignores the fact that for the average user, security is just a warm fuzzy feeling they get after they've installed a virus scanner, a firewall, and checked that there's an image of a closed yellow lock somewhere. For security professionals and the like (including myself) it's usually much easier to tackle the technical threats, while it's all too easy ignore the user, which is typically the weakest link in any security critical system.

    I know I am stating the obvious here, but I still think the human factor is almost always greatly underestimated.

    • Bold Text = Me
      Italic Text = Boss

      In relation to giving access to a share for large files. [> 200GB]

      Ok, give me the names you want to have write access to this share..
      "I can't be bothered to give u all the names, just give them all access" - [Hundreds of Users]
      You realise that defeats the purpose of having home folders & quota's & that they can delete anything on the drive, and that we have no backup policy or the facilities to back up that drive [> 200 GB]
      So...Just Do It
      Sound fami

        • A response to that sort of ignorant mentality is Yes, Sure, No problem, I just need you to send me a memo resolving me of an internal and external legal action and contractual reasonability I have when corporate information IS lost or maliciously changed.

          You may need to first draft a memo, spelling out the potential security consequences you anticipate, and insist that the boss provide a responding memo that specifically lists them, states that he has considered them, and that you are completely absolved

      • While I agree with you, your comment is too superficial to be of real value.

        Yes, I know my comment was superficial and downright obvious, but yet it was something totally missing in TFA. It was just something I wanted to point out, and I wasn't really disagreeing with the article.

        I also agree with you that the software industry should take (or be forced to take) more responsibility for the products. Security is not something the consultants or security professionals can patch later as an add-on.

        But

  • It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism. as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they a

    • It seems to me that if the computer networks and computer industry enjoyed real regulation, any yahoo who passes a CompTIA test wouldn't be able to claim to be a computer consultant, or a security expert, and be allowed to set up crap that allegedly puts our nation at risk via cyberterrorism. as the trumpeters keep blaring. Imagine if anyone could just say he was a lineman and start modifying the power grid, or a police officer and start arresting people. If data is as important as power and control (they

  • PEBKAC (Score:5, Funny)

    by Opportunist (166417) on Wednesday May 10 2006, @05:11AM (#15299676)
    I live and thrive on the inability of people. It's my job to find and eliminate trojans, worms and other malware.

    Time and again I see proof that people, smart people, people with a masters degree and Ph.D., lawyers and bankers, managers with a six to seven figure annual income, become mumbling fools in the presence of a computer. I don't know what it is that those magical boxes emit, but it must be akin to the stupidity ray used in Zak McCracken. Lucas got it wrong there, it's not transmitted through the phone line, it comes out of your computer screen.

    Now the argument comes "Then don't allow them to f... up the system, lock them down and take away their permissions". Anyone who ever said that statement never worked with managers that have egos that require their own offices. Don't you, grunt, DARE to take away any options from him! He is the master of the world, he is the chieftain of chieftains, and YOU dare to tell HIM what he may and what he may not do?

    Security is nice on paper, but it is very hard to do in reality. Not so much because its technicalities. The human factor is by far underrated in IT sec.

  • My House isn't 100% secure! (Score:4, Insightful)

    by rolfwind (528248) on Wednesday May 10 2006, @05:13AM (#15299680)
    It must be someone's fault it's not perfect. Okay, I don't want a tomb but be able to interact with the outside world, so I still want doors and windows. But I think the contractors are secretly conspiring together and failing us security wise, because there should be completely unbreakable windows & non-pickable locks on the marketplace. WAAAAH!

  • Corporate mentality (Score:5, Interesting)

    by Aceticon (140883) on Wednesday May 10 2006, @05:20AM (#15299689)
    The management level corporate posture towards IT security goes like this:
    - We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.

    In other words, forget about big hardware changes, forget about changing the OS/E-mail client/Word editor/Web browser on the desktops of the staff, forget about getting all laptop users in their own sub-network and forget about retraining our staff to use computers in a way that helps improve our IT security. Oh, and by the way, if the CEO or some other VIP has some funky new program on his laptop that can't connect to the Net, just open those ports in the firewall.

    And now IT Security professionals are to blame?

    What's next? Maybe the cleaning lady at Enron was the one responsible for defrauding the investors????

    • The management level corporate posture towards IT security goes like this:
      - We want to have our machines and network secure as long as it doesn't cause too much hassle to people and we don't pay a lot for it.

      Spot on. Corporations who are legally mandated to secure their information systems will spend the mimimum to achieve compliance. Absent this, they'll spend nothing unless it effects the bottom line and shareholder value.

      Information security professionals are no more responsible for the consequences of
    • Around here, we're standardising on Windows XP, with Outlook/Exchange for email and Internet Explorer for browsing. A fair proportion of internal web pages are broken in any other browser, even going as far as to redirect you to a page with a link to download the approved version of IE. Oh, and everyone is slowly being upgraded to laptops when their desktop systems become old enough to warrant it....

      And yet there's annual, mandatory, Security Awareness training. One year I was able to get a perfect score

  • Failing (Score:2, Insightful)

    by mulhall (301406)
    "We as security professional are drastically failing ourselves, our community and the people we are meant to protect"

    BS

    You cannot solve cultural problems with technology:

    http://news.bbc.co.uk/2/hi/technology/3639679.stm [bbc.co.uk]

  • Hmmm... (Score:3, Insightful)

    by Mostly a lurker (634878) on Wednesday May 10 2006, @05:25AM (#15299698)
    Microsoft has had over two billion downloads of its malicious software removal tool in the last year, which tells us something about the overall size of the malicious software problem.
    Yep: it tells us exactly nothing about the overall size of the malicious software problem. It does, however, indicate that users are using Windows Update (either automatically or manually). [The malicious software removal tool is a critical update.] It is good news that Microsoft has persuaded users to keep up to date on critical updates, I guess.

  • An Important Note (Score:3, Insightful)

    by Effugas (2378) * on Wednesday May 10 2006, @05:31AM (#15299715) Homepage
    In the Summer of 2003, the Internet suffered three major worms: Blaster, Nachi, and SoBig.

    We haven't had a worm since. There have been no systemic outbreaks in over three years. Sure, we've had mild rashes, but Zotob vs. Nachi isn't even a comparison, nor is Blaster vs. WMF.

    IE attacks are deeply problematic -- they're wonderfully targetable, among other things. But there's really no replacement for zero-interaction, receive-a-packet-and-you're-owned style vulnerabilities. SP2 put a firewall on every desktop that cared. Since then, no worms.

    That's not to say we're not fighting a painful battle. Really, every day we get to still bank online is another day I'm surprised. But the fact that SP2 was written, was free, and was actually deployed enough to matter is one hell of a win.
    • Gack... That's because those worms were simply malicious. The newer cybercriminal is getting paid for his work, so he's more likely to lie low. Once he's compromised a machine, he doesn't want to get caught by interfering with the owner. Formatting the hard drive, or deleting files is sure to get you noticed. Most of the time these days, users don't know anything is wrong until they have multiple bots on their machine whose combined impact makes their machine impossibly slow.
  • How many people bother to protect their house UNTIL they been burgled? How much inconvenience are we willing to accept to avoid being mugged. (Camera surveillance, random searches, etc)

    In the real world a society has only got to deal with a limited set of criminals. The criminals in that society. Not that many nigerian cat burglars who hop over to europe for a quick breakin (I am not going to touch immigration problems today thank you, it is to hot for a flamewar).

    But on the net the society is 6 billion a

  • A ridiculous article (Score:4, Interesting)

    by rann (533322) <rubin@xs4all.nl> on Wednesday May 10 2006, @05:35AM (#15299726) Homepage
    I usually don't post but this article is really too much.

    In other news, firefighters KEEP fighting fires worldwide! Despite their work, fires seem to keep burning stuff all over the world! Shock!

    News at 11! Ambulance personnel and hospital staff are fighting an uphill battle! patients keep coming in! Where does it end?

    Seriously, as long as you have people using any mechanism (computer/car/whatever) there will be people who break it, people who benefit from breaking it and people who try their utmost to KEEP it from breaking.

    I'm *really* looking forward to the followup article which will tell us all how to "fix" this. Mayhaps a rant on buffer overflows? the virtues of "safe" languages? sane input validation? sigh.

  • This makes no sense (Score:5, Insightful)

    by Mr_Tulip (639140) on Wednesday May 10 2006, @05:47AM (#15299756) Homepage
    As someone who is responsible in part for network security where I work, I would disagree that we are not doing 'enough'.

    The sad reality is that information security is rather hard to achieve in an imperfect environment and without unlimited resources.

    To make a bad analogy, it is hard to physically protect your client/employer if they insist on partaking in high-risk pursuits, and the environmaent is harsh and dangerous. Email-header spoofing, bot-nets, vulnerabilities in 3rd part software - these are not under the control of the admin, at least not if you are committed to the Microsoft platform.

    The same could be said that a doctor cannot be held responsible for their patients health, if their patient is a chain-smoking, alcoholic base-jumper who rides his a monocycle down the freeway at 100 km/h.

  • Is it really that hard? (Score:4, Interesting)

    by Phemur (448472) on Wednesday May 10 2006, @06:05AM (#15299802)
    I'm honestly not trying to flame or be sarcastic; I truly don't understand the issue from a user's point of view. My computers have been infected once by spyware in the last 10 years. No viruses, no rootkits, no malware nothing. Since I'm not an information security expert, I don't have l33t skills to help me stay secure, so why have I not been affected?

    Seriously, I'm asking. :-)

    Here's what my wife and have been doing. We both have computers, and we use it for very different things. Mine is games, programming, internet, and my wife's is for CAD, photoshop, internet.

    They're both pretty much setup the same, other than the OS. My wife's runs Windows 2000 and mine runs XP. Both are connected to the Internet via a Linksys wired router. Both run Firefox only as the web browser. The Windows 2000 box runs ZoneAlarm as the firewall, and mine runs Windows firewall. We both use GMail as our email tool.

    Other than that, there isn't much security software installed. I don't even have an anti-virus.

    I am pretty diligent at applying patches however. Firefox and ZoneAlarm both notify me when a patch is available, so I apply them when they popup. I run Windows update weekly. I also have Adaware and Spybot Search and Destroy that I run weekly as well. Other than the usual ad cookie (Double-Click, etc), they've yet to discover something.

    The only problem I've had with machines is with a bit of spyware that got installed. It was one of my wife's first online experiences, and she clicked on something she shouldn't have, AND she was running IE. I ended up reinstalling the OS, and after a very short Firefox tutorial, it was the end of spyware on her computer.

    (As an amusing side effect, she's now become quite the advocate for secure online habits and for Firefox. Most of her family and friends are all Firefox users now. Can we get a free T-Shirt :-) ).

    So what's the problem? Is it bad habits, or is it really that bad out there?

    Phemur

    • I do a lot of side work helping people with computer both in a home and office arena....

      You and your wife spent some time preparing and getting some type of defense up AND maintaining it. The great majority of people I deal with think that they can install Windows update once and they will be good. Or my favorite, "I have XP (windows) so I don't know what could have gone wrong." People click where they shouldn't click, go where they shouldn't go and do things without thinking.

      The only good analogy t

    • Re:Is it really that hard? (Score:2, Insightful)

      by Anonymous Coward
      Don't have kids, do you?

      Most security problems do not enter the company through the company firewall/mail gateway. They are *carried* into the building on employees (surprisingly often: managers) laptops. Laptops that are used at home for the kids to play with, browse the web or whatever. Or for the own employees entertainment.

      I don't have kids but a while ago I had a friend visit me, together with her 12-year old daughter. We kinda lost track of her whereabouts and found her behind my company laptop (in my

    • Ignorance Is Bliss? (Score:5, Insightful)

      by LanMan04 (790429) on Wednesday May 10 2006, @07:16AM (#15299979) Homepage
      If you don't have any anti-virus software installed, or at least a scanner, how would you know whether your computer is infected or not? If your machine belongs to a bot net, you probably don't know about it.

      To put it another way: Just because you have no symptoms doesn't mean you don't have cancer.

      Is this little traffic light on your router blinking 24/7? :)
  • Also other security. Things are getting stolen Learn to live with it. That does not mean nothing must be done. We must do things, but also realize that things will get stolen, no matter what.

    The thing I see is that almost nobody deals with what to do IF things get stolen. I had a talk with somebody and asked him what he would do if he knew that his database was stolen and competistion got hold of it. His answer was: nothing.

    Perhaps there lies the problem. People are not being punisched if they do something
  • The worst thing you can do when you find yourself in a hole is to keep digging. If you are unhappy with your security infrastructure, then change it. Don't just 'accept' it as 'dismal' because your software vendor pimps that out as your only option. For all I know the person reading this right now has my personal information on their network somewhere, and the only thing between my information and some cracker is a piss poor security decision they've 'accepted'.
  • Your security is only as good as how thorough your actions are in combating the problem.

    Unfortunately, you must protect your data constantly and train your staff accordingly. One weak link can ruin everything.

  • because I.T. Security Pro = scapegoat (Score:3, Insightful)

    by ManyLostPackets (646646) on Wednesday May 10 2006, @06:42AM (#15299890)
    I've specifically decided not to go for any security certs because of hoo-haw attitudes demonstrated in articles like this. As a regular sys-admin, no one listens to my recommendations in the first place, why ratchet up the accountability by being a certified scapegoat?

    This article is a riot act equivalent to calling out doctors to take accountability for people who run with scissors.
  • There is no way security can really improve while MS Windows is on the majority of the desktops out there. I'm sure everyone of these security professionals must know this but why kill the golden goose?
  • It's not the failure of the security professionals, it's the failure of management to not respect the wishes of the system security. I can't tell you how many times I've seen a perfectly good security solution just get circumvented by management, or else the security people are fired. If management people took security seriously, rules would not be broken that way.

  • The elephant in the room (Score:5, Insightful)

    by stinky wizzleteats (552063) on Wednesday May 10 2006, @07:53AM (#15300163) Homepage Journal
    If you ask a building design engineer to tell you the most important part of a building, they'll say the foundation. If you ask a historian to tell you the most important part of the U.S. government, they'll say the Constitution. Aircraft - airframe. Car - chassis. And so on.

    When you build anything, you make certain fundamental underlying decisions that affect how the rest of the system works - forever. If something is fundamentally broken about any of these core decisions, the structure will be irreparably and irrecoverably broken. It is universally understood that you can't really fix a building with a flawed foundation or a ship with a broken keel. If those parts aren't right, nothing else matters.

    In the 1990s, the world decided to base virtually all computer systems upon an operating system designed by Microsoft. Systems were changing radically over the span of months. Millions of dollars in computer investment could be rendered completely useless if the computer world changed direction. The panic led to sort of a terrified groupthink - we had to make sure we were on the garden path to computer goodness as soon as possible. We didn't choose Microsoft because it was better, or because it was secure, but because in 1992, it looked like the only thing that would work. Now, in 2006, we know (as will be attested by the numerous Microsoft astroturfers who will undoubtedly respond to this posting) that you really can use any operating system to get the job done. The fear of total obsolescence has turned out to be unfounded. We had more of a choice in 1992 than we really thought.

    The question is not whether or not we made the right choice. It is rather how far the fragments of the ship have to sink before we decide to abandon it. How much of the building has to collapse before we evacuate it? How many wheels have to fall off of the car before we pull over and call for a tow truck? The thing we most feared back in the 90s - total system failure for making the wrong crucial underlying choices, is happening every single day. When will we wake up and respond accordingly?

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.