Horst Herb wrote:
> On Thu, 6 Apr 2006 21:51, Tim Churches wrote:
>> No, I didn't miss it, as I took pains to explain at some length in my
>> last post, if you care to read it. What I did miss is the logic I have
>> come to expect from Horst, sadly absent in this instance. I will repeat:
>> NSW Police revealing Internet mailing list passwords: stupid mistake.
>> HeSA's policies on key generation (and just about everything else):
>> stupid mistake. Are the two even vaguely related: nope.
>>
>> Horst, I don't care if you bag HeSA: they deserve it. I don't care if
>> you bag NSW Police, or any other government organisation: they probably
>> deserve it too. I do care however, if you of all people, suggest that a
>
> What you don't seem to understand:
> - no level of our government or its institutions has got any demonstrable
> expertise in IT security
> - various levels of government have -even repeatedly- embarrassed themselves
> with security blunders
> - despite these observations they expect us to depend entirely on their
> "security" models
> - most people don't understand this because they are clueless themselves; but
> showing them examples like this one helps them to get the drift
The foregoing are all generalisations, backed by anecdotal evidence. I don't
disagree that there are plenty of anecdotes to back your assertions. However,
it is possible to substitute other categories and these statements still seem
reasonable - for example:

What you don't seem to understand:
- no part of the private sector has got any demonstrable expertise in IT
security
- various private sector organisations have -even repeatedly- embarrassed
themselves with security blunders
- despite these observations they expect us to depend entirely on their
"security" models
- most people don't understand this because they are clueless themselves; but
showing them examples like this one helps them to get the drift

Or, taking an informed patient's point-of-view:

What you don't seem to understand:
- no general practices have got any demonstrable expertise in IT security
- various general practices have -even repeatedly- embarrassed themselves with
security blunders
- despite these observations they expect patients to depend entirely on their
"security" models
- most people don't understand this because they are clueless themselves; but
showing them examples like this one helps them to get the drift

> If our government had a clue, it would have a policy that would make such
> blunders a rare exception rather than the rule.

Two problems with this. There is no such thing as "our government". Australia
has a three tier system, and in the top two tiers there are legislative and
executive arms, with an often uncomfortable (and often too comfortable)
relationship, and within each of those arms there are hundreds of departments
and agencies with overlapping powers, responsibilities and goals, all fighting
for slices of the same budget pie. To view such a system as a monolithic entity
with some form of collective consciousness is a bit naive. If the aim is to try
to influence things, it helps to adopt a slightly more sophisticated approach
to "the guvmint".
> It would actually listen to expertise and take advice on board instead of
> just hiring consultants who diligently repeat what they are told to tell, or
> who diligently just report what they are expected to report.
> I see the government as a whole - if one part of it blunders, I wouldn't
> expect other parts to perform any better.

Yup, you are entitled to that world view and perhaps can be forgiven for
holding it - a large proportion of people in liberal democracies share it - but
my take is that that is much too simplistic to be of much use if the aim is
constructive engagement.

Tim C

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
