On Wed, Sep 14, 2005 at 06:27:36PM -0700, Mike Marion wrote:
...
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> Should be required reading for anyone that wants to ...
> work in any level of IT ...

Most of it is excellent, but I disagree strongly with two of his ideas.
He claims that security experts should not learn to hack into systems, because it's a waste of time to keep up with the latest developments and because the secure systems he advocates oftentimes can't be cracked in an instructive way. This is all true, but he is omitting important ideas.

I believe that security experts can sometimes gain valuable general background by learning to break some security measures. The targets need not be modern or complete systems. They could be historically or theoretically important security measures. They could be single layers of modern security systems where a real system would have multiple layers of security. It also introduces a valuable element of realism to study real criminals. None of this implies that you are obligated to admire the criminals or to defend only against specific attacks that have already occurred in the real world.

I also feel that the idea that you can't obtain security by educating users is presented in a particularly bad way. I admit that security by educating users is usually a futile attempt to prevent mistakes that are human nature. My objection is that the users are portrayed as having no use for powerful tools, rather than being portrayed as unable to reliably recognize or safely use gratuitously dangerous ones. Sometimes only the person who actually does repetitious work knows what needs to be automated. In such cases they may be the right person to program a little bit to solve the problem. I have seen people who were regarded as ordinary clerical workers do this successfully.

Stewart Strait

-- 
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
