I must say that this was extremely well thought out, and excellently
stated. I, for one, do not think that Derek is a doomsdayer. Everything
is a risk, especially in the computer world. That is why every choice
needs to be carefully weighed in terms of risk analysis. However, it's
my belief that it is better to err on the side of security. There are
always unknown risks, and it is the unknown that can be the most
damaging to a company/person/computer.

This is why I personally think that it is important for people in
technical roles to learn as much about the business side of a company as
well as the technical side. That way, you can make a more well-informed
analysis based on tangibles of what you are protecting. The intangibles
like employee productivity, reputation, and consumer confidence cannot
be calculated exactly, but they should always be weighed in.

While I agree with Derek that the problem stems from people not
considering the ramifications of their developments, I cannot say that
it is their fault (not that there really is any fault). Generally
speaking, people develop a technology out of an immediate need, and the
usage spreads outward from there. I think that a larger part of the
problem is the decision to implement a piece of technology without the
proper consideration or research. Like Derek said, just because it is
out there does not mean that it has to be used. To expound on that a
little, because something exists in one form does not mean that that is
the only form that it should be used in. A lot of the problems could be
cut off early if technologists had the resources and time to do a better
risk analysis and if managers were banned from reading PC Weekly ;-)

Unfortunately, like Derek, I've had a long day, and I don't have the
energy to keep typing tonight ;-)

Kenny  

"Derek D. Martin" wrote:
> 
> On Fri, Mar 23, 2001 at 08:31:49PM -0500, Derek D. Martin wrote:
> > On Fri, Mar 23, 2001 at 06:31:12PM -0500, Kenneth E. Lussier wrote:
> > > Schneier said it best when he said "Anyone who believes that
> > > reactionary security measures are sufficient is either ignorant, blind,
> > > or management".
> >
> > This is both humorous and well-said, but belies the real problem.
> 
> Since I made this comment, and the rest of what I said had basically
> nothing to do with it, I ought to expound upon that...  I didn't
> initially for somewhat of a lack of an explanation for what the
> problem *IS*.  I'm having trouble putting the idea into words...  But
> I'll give it a shot.
> 
> The problem is not that management is stupid; they are NOT stupid.
> The problem is not that management is ignorant, or that users are
> ignorant, of the security issues involved with running a network, even
> though that may be true.  This does, however, begin to touch upon the
> heart of the matter.
> 
> The PROBLEM, as much as I can get my brain around it, and convey to
> you, is that technology is cool.  No, seriously.  We are all so
> impressed with ourselves, and our ability to create new and exciting
> stuff that didn't exist before we created it, that we're in WAY too
> much of a hurry to USE our cool new technology, before any real
> consideration is given to what the RAMIFICATIONS of using it are.
> 
> This, I think, can be seen in lots of areas, especially in computer
> science and electrical engineering fields.  But another example that
> comes to mind is the biotech industry.  How long is that super-cool
> new flu vaccine tested before it's given out en masse?  Do you, as the
> consumer of that flu vaccine, really have any idea that 5 years down
> the road, it won't cause you to become seriously ill and die?  Is the
> risk worth avoiding a little cold?
> 
> Similarly, is the risk of having every computer on the planet
> connected worth the benefits?  How can you make an informed judgement
> about the answer to that question, if you do not fully understand what
> those risks are?  Or if you don't even know that there are risks?  And
> yet, millions of people have connected themselves to the Internet,
> oblivious to the possibilities of such evils as credit card fraud,
> personal record falsification, and identity theft, which are the most
> serious (and quite real) threats to average computer users that I can
> think of at the moment.
> 
> Just because you CAN do something, doesn't mean you should.  The
> TCP/IP protocols were not really designed with security in mind.  Even
> if you practice "safe e-commerce" and only use sites that have strong
> SSL, you are still very much at risk.  Were you one of the millions of
> credit card numbers stolen by Russian hackers?  How would you even
> know?
> 
> Now, before you label me a doomsdayer (if you haven't already), I'm
> not saying that we should never use all this cool technology that
> we're developing.  I do think, however, that we need to be a little
> more conscious of how we use new technology, and what the likely
> outcomes of using that technology are.  I think we need to question
> what the benefits and risks of using new technologies are, rather than
> simply accept on blind faith that those developing these new
> technologies have your well-being in mind, and wouldn't hurt a fly, as
> seems to be the prevailing attitude.
> 
> I also think that those responsible for bringing us this new
> technology need to be more conscientious about informing their
> customers what the risks are, and that we need to hold those
> technology companies responsible when their new baby goes horribly
> wrong.
> 
> There's a lot more to this too, like the effects that this would have
> on the economy, etc... but it's too late to trouble my head with all
> that right now.
> 
> :)
> 
> --
> Somebody set up us the bomb.
> All your base are belong to us.
> Take off every zig for great justice.
> ---------------------------------------------------
> Derek Martin          |   Unix/Linux geek
> [EMAIL PROTECTED]    |   GnuPG Key ID: 0x81CFE75D
> Retrieve my public key at http://pgp.mit.edu
> 
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
