Apparently passions about the story are still hot around the nonprofit in question. Anyway, I duly notice the diversion (change of topic) in the discussion - from discussion of wheel reinvention vs. NIH to management of security.
I am cross-posting this also to discussions@hamakor.org.il, because the altered topic is more appropriate to Hamakor discussions than to the general philosophical atmosphere of Hackers-IL. On Fri, 2006-09-22 at 02:06 +0300, Nadav Har'El wrote: > On Thu, Sep 21, 2006, Omer Zak wrote about "[hackers-il] The wheel > reinvention mystery": > > A recent argument in Hamakor prompted me to consider the general > > question why would people sometimes prefer not to reinvent the wheel, > > and why would they be enthusiastic about reinventing the wheel. > > > > http://tddpirate.livejournal.com/63135.html > > I posted my opinion on your post in your blog (under the heading "you're > a bit confused" :-) ). > > Unlike you, the same Hamakor thread prompted me to ponder on a different > topic - one that I raised on this list a few months ago. This is the question > of how come every time that somebody uses "security" as a reason for some > action (or inaction), people immediately take this as an acceptable > explanation, even if it completely unfounded. While I agree that the "S" word is frequently abused. We have been experiencing it a lot in Israel, where political censorship, corruption and environmental damage (TAASH in Hod Hasharon area, for example) were hidden behind the veil of "Security". However, in this specific case, I believe that nonstandard configuration by knowledgeable people does promote security. The problem seems to be the failure to take the complementary step of documenting the changes in the system and ensuring that it is easy for someone else to pick up the reins. (Think of what would happen if the first sysadmin were hit by a bus.) > Also, people also tend about security as a binary thing, either there is > "security" or there is "no security", and obviously "security" is better > than "no security". In reality security is a broad spectrum, and there is > *always* a tradeoff betwen more security at the cost of more money / less > functionality / less convenience. Yes. Please tell us what is your threat model and how (in your opinion) should Hamakor deal with each threat. A quick and dirty threat model is as follows: 1. Membership information - should be guarded (even if a single person's ID can be easily obtained by other means, we do not want to release the IDs of 100 people, about 50% of them are successful). 2. Financial accounting - can be viewed, must not be tampered with. 3. Web site - not to be defaced. 4. Wiki - occassional defacing is acceptable (everyone knows that wikis are not as protected) but must be easy to detect and recover from defacing. 5. Mailing lists - must not be a vector for spam. 6. Worms and trojan horses - must at least be easy to detect and disinfect. --- The Captions Troll -- In civilized societies, captions are as important in movies as soundtracks, professional photography and expert editing. My own blog is at http://tddpirate.livejournal.com/ My opinions, as expressed in this E-mail message, are mine alone. They do not represent the official policy of any organization with which I may be affiliated in any way. WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
