Apparently passions about the story are still hot around the nonprofit
in question. Anyway, I duly notice the diversion (change of topic) in
the discussion - from discussion of wheel reinvention vs. NIH to
management of security.
I am cross-posting this also to discussions@hamakor.org.il, because the
altered topic is more appropriate to Hamakor discussions than to the
general philosophical atmosphere of Hackers-IL.
On Fri, 2006-09-22 at 02:06 +0300, Nadav Har'El wrote:
On Thu, Sep 21, 2006, Omer Zak wrote about [hackers-il] The wheel
reinvention mystery:
A recent argument in Hamakor prompted me to consider the general
question why would people sometimes prefer not to reinvent the wheel,
and why would they be enthusiastic about reinventing the wheel.
http://tddpirate.livejournal.com/63135.html
I posted my opinion on your post in your blog (under the heading you're
a bit confused :-) ).
Unlike you, the same Hamakor thread prompted me to ponder on a different
topic - one that I raised on this list a few months ago. This is the question
of how come every time that somebody uses security as a reason for some
action (or inaction), people immediately take this as an acceptable
explanation, even if it completely unfounded.
While I agree that the S word is frequently abused. We have been
experiencing it a lot in Israel, where political censorship, corruption
and environmental damage (TAASH in Hod Hasharon area, for example) were
hidden behind the veil of Security.
However, in this specific case, I believe that nonstandard configuration
by knowledgeable people does promote security. The problem seems to be
the failure to take the complementary step of documenting the changes in
the system and ensuring that it is easy for someone else to pick up the
reins. (Think of what would happen if the first sysadmin were hit by a
bus.)
Also, people also tend about security as a binary thing, either there is
security or there is no security, and obviously security is better
than no security. In reality security is a broad spectrum, and there is
*always* a tradeoff betwen more security at the cost of more money / less
functionality / less convenience.
Yes. Please tell us what is your threat model and how (in your opinion)
should Hamakor deal with each threat.
A quick and dirty threat model is as follows:
1. Membership information - should be guarded (even if a single person's
ID can be easily obtained by other means, we do not want to release the
IDs of 100 people, about 50% of them are successful).
2. Financial accounting - can be viewed, must not be tampered with.
3. Web site - not to be defaced.
4. Wiki - occassional defacing is acceptable (everyone knows that wikis
are not as protected) but must be easy to detect and recover from
defacing.
5. Mailing lists - must not be a vector for spam.
6. Worms and trojan horses - must at least be easy to detect and
disinfect.
--- The Captions Troll
--
In civilized societies, captions are as important in movies as
soundtracks, professional photography and expert editing.
My own blog is at http://tddpirate.livejournal.com/
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
