A friend taught me that con men exploit smart people more easily than dumb people, because there are fewer ways to be smart than dumb, making smart people (and their blind spots) more predictable.
I am helping a friend set up security procedures for a business in a highly regulated industry, with acres of forms and checklists and standards that are supposed to result in secure systems. Many look like brainfarts from academics working from unproven hypotheses, who haven't collected the histories of real exploits, much less fought an exploit themselves. Standardized security systems probably have standardized holes, suitable for automated exploitation.

Instead, should we construct vivid and instructive stories, and count on the creativity of end users to develop and elaborate a varied (and difficult to exploit) set of solutions? Or do semi-informed people tend to make the same predictable mistakes more often than standard security procedures result in widespread identical holes? Build a kludge, or buy a black box?

Keith

--
Keith Lofstrom [email protected] Voice (503)-520-1993

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
