Apparently passions about the story are still hot around the nonprofit
in question.  Anyway, I duly notice the diversion (change of topic) in
the discussion - from discussion of wheel reinvention vs. NIH to
management of security.

I am cross-posting this also to, because the
altered topic is more appropriate to Hamakor discussions than to the
general philosophical atmosphere of Hackers-IL.

On Fri, 2006-09-22 at 02:06 +0300, Nadav Har'El wrote:
> On Thu, Sep 21, 2006, Omer Zak wrote about "[hackers-il] The wheel 
> reinvention mystery":
> > A recent argument in Hamakor prompted me to consider the general
> > question why would people sometimes prefer not to reinvent the wheel,
> > and why would they be enthusiastic about reinventing the wheel.
> > 
> >
> I posted my opinion on your post in your blog (under the heading "you're
> a bit confused" :-) ).
> Unlike you, the same Hamakor thread prompted me to ponder on a different
> topic - one that I raised on this list a few months ago. This is the question
> of how come every time that somebody uses "security" as a reason for some
> action (or inaction), people immediately take this as an acceptable
> explanation, even if it completely unfounded.

While I agree that the "S" word is frequently abused.  We have been
experiencing it a lot in Israel, where political censorship, corruption
and environmental damage (TAASH in Hod Hasharon area, for example) were
hidden behind the veil of "Security".

However, in this specific case, I believe that nonstandard configuration
by knowledgeable people does promote security.  The problem seems to be
the failure to take the complementary step of documenting the changes in
the system and ensuring that it is easy for someone else to pick up the
reins.  (Think of what would happen if the first sysadmin were hit by a

> Also, people also tend about security as a binary thing, either there is
> "security" or there is "no security", and obviously "security" is better
> than "no security". In reality security is a broad spectrum, and there is
> *always* a tradeoff betwen more security at the cost of more money / less
> functionality / less convenience.

Yes.  Please tell us what is your threat model and how (in your opinion)
should Hamakor deal with each threat.
A quick and dirty threat model is as follows:

1. Membership information - should be guarded (even if a single person's
ID can be easily obtained by other means, we do not want to release the
IDs of 100 people, about 50% of them are successful).
2. Financial accounting - can be viewed, must not be tampered with.
3. Web site - not to be defaced.
4. Wiki - occassional defacing is acceptable (everyone knows that wikis
are not as protected) but must be easy to detect and recover from
5. Mailing lists - must not be a vector for spam.
6. Worms and trojan horses - must at least be easy to detect and
                             --- The Captions Troll
In civilized societies, captions are as important in movies as
soundtracks, professional photography and expert editing.
My own blog is at

My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]