Reply to Re: free tool to encrypt php?

Posted by Gary L. Burnore on 10/22/07 00:02

On Sun, 21 Oct 2007 19:36:18 -0400, Jerry Stuckle
<jstucklex@attglobal.net> wrote:

>Gary L. Burnore wrote:
>> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>> <jstucklex@attglobal.net> wrote:
>>
>>> Gary L. Burnore wrote:
>>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>>>> <jstucklex@attglobal.net> wrote:
>>>>
>>>>
>>>>> Security is not about prevention,
>>>> WHAT? What a complete and totally moronic thing to say, Jerry.
>>>>
>>>> Security is about many things of which prevention is one.
>>>>
>>> No responsible person in the security field will ever claim that.
>>
>> I'm a responsible person in the security field and I claim that. I've
>> been taught that and I teach that. That being that many things make
>> up good security. Prevention is one part of security.
>>
>
>If you claim obscurity is security, then that's debatable.

When the hell did I ever claim that?

>
>I've got some friends who are in the security business. These are guys
>with clearances higher than Top Secret.


Yawn.

>They are responsible for security of some very sensitive government
>systems. They can't tell me a lot of details because I don't have a
>sufficient security clearance.

Yeah, then they have to kill you.

>But one thing they agree upon - is that obscurity only gives a false
>sense of security.

I've said that several times. Please plug your brain back in.

>
>>
>>> There is no such thing as "prevention". That would indicate that
>>> something can't happen, which is impossible to do.
>>>
>>> For instance, banks have been trying to prevent robberies for hundreds
>>> of years.
>>
>>
>> Banks prevent you, as an employee, from seeing all the things
>> necessary to get your hand on the data of a user. Does it work all
>> the time, no. That's where forensics come in. But if you don't
>> prevent it at all, you open yourself (yourself being the bank) to
>> lawsuits from customers, fines from FICA and harassment from auditors
>> for SOX.
>>
>
>They make it harder encrypting data, for instance. But they can't
>prevent it. If it's possible for ANYONE to get into something, it's
>possible for the WRONG person to get in there, also.

Yep. Harder. Not easy like leaving the door open and hoping someone
doesn't notice it's there.


>And forensics is after the fact.

Forensics help discover how someone is TRYING to get in and yes, how
they did if it already happened. If you watch how someone's trying to
pick a lock, you know how to better enforce the lock.

> It has nothing to do with either security

Sure it does. You learn from it and get better at defending against
it.


> - other than a good system will audit access for later analysis.
>
>
>>> At no time will a responsible security professional claim anything about
>>> preventing break-ins.
>>
>> Right. That's why banks don't use firewalls, don't use encryption,
>> don't use secure keys, etc.
>>
>> Stick with coding, J. You obviously know little about security.
>>
>
>And none of this prevents a break in. It just makes it harder.

Yeah, but a lot harder than obscurity does. <- pay attention, dip. I
agree with you on this one thing.
--
gburnore at DataBasix dot Com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore
Official .sig, Accept no substitutes.
Black Helicopter Repair Services, Ltd. | Official Proof of Purchase
===========================================================================
