The Six Dumbest Ideas in Computer Security
Pieter_Arntz
September 11th, 2005, 05:45 AM
-{ Quote: "There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers. So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems?" }-
Full article:
http://www.ranum.com/security/computer_security/editorials/dumb/
Regards,
Pieter
StevieO
September 11th, 2005, 07:19 AM
Pieter_Arntz
I would like to thank you for bringing this, and his website, to my attention. Some good stuff on there!
early adopter
A very informative and good read, presented in a humorous but at the same time serious fashion. I think the "early adopter" approach is food for thought. Not just for apps etc., as I myself don't rush to install MS updates, but prefer to wait till the dust has settled. This has proved to pay dividends on several occasions, when errors have been found in the patches, and/or they have broken something in the process.
To get credit for not doing anything?
Also, his suggestion "To get credit for not doing anything?" makes perfect sense. It's a pity a lot of management types prefer to see (Results) for your paycheck, as some would just not totally appreciate or understand your (inactivity) in their eyes!
. . .
Goodbye and Good Luck
"I've tried to keep this light-hearted, but my message is serious. Computer security is a field that has fallen far too deeply in love with the whizzbang-of-the-week and has forsaken common sense. Your job, as a security practitioner, is to question - if not outright challenge - the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn't it?"
My book "The myth of homeland security" has not sold very well!! Why don't you buy a copy?
http://www.ranum.com/
. . .
StevieO
Vikorr
September 11th, 2005, 05:48 PM
Decent article with a lot of good points. However, perhaps a few discrepancies in the arguments...
-{ Quote: " #3) Penetrate and Patch
..."Penetrate and Patch" is not that it makes your code/implementation/system better by design, rather it merely makes it toughened by trial and error." }-
-{ Quote: "Operating systems have security problems because they are complex and system administration is not a solved problem in computing." }-
I understand the concept of why P&P is a bad idea, but on the one hand he's saying that if they designed programs properly they wouldn't need to P&P; and on the other hand he seems to be saying that OS's are too complex to design entirely securely.
Copyright ©2002 - 2012, Wilders Security Forums