[ASLE] The Six Dumbest Ideas in Computer Security
José Miguel Parrella Romero
jparrella at onuva.com
Sat Feb 20 10:33:05 ECT 2010
Andres Genovez wrote:
> The Six Dumbest Ideas in Computer Security
I agree with all of them except #4. It is almost disrespectful of the
author to give such a superficial view of hacking. In the end it is
only a matter of terminology: 'enterprise hackers' vs. 'good engineers'.
> #4) Hacking is Cool
>
> One of the best ways to get rid of cockroaches in your kitchen is to
> scatter bread-crumbs under the stove, right? Wrong! That's a dumb
> idea. One of the best ways to discourage hacking on the Internet is
> to give the hackers stock options, buy the books they write about
> their exploits, take classes on "extreme hacking kung fu" and pay
> them tens of thousands of dollars to do "penetration tests" against
> your systems, right? Wrong! "Hacking is Cool" is a really dumb idea.
>
> Around the time I was learning to walk, Donn Parker was researching
> the behavioral aspects of hacking and computer security. He says it
> better than I ever could:
> /"Remote computing freed criminals from the historic requirement of
> proximity to their crimes. Anonymity and freedom from personal
> victim confrontation increased the emotional ease of crime, i.e.,
> the victim was only an inanimate computer, not a real person or
> enterprise. Timid people could become criminals. The proliferation
> of identical systems and means of use and the automation of business
> made possible and improved the economics of automating crimes and
> constructing powerful criminal tools and scripts with great leverage."/
>
> Hidden in Parker's observation is the awareness that */hacking is a
> social problem/*. It's not a technology problem, at all. "/Timid
> people could become criminals./" The Internet has given a whole new
> form of elbow-room to the badly socialized borderline personality.
> The #4th dumbest thing information security practitioners can do is
> implicitly encourage hackers by lionizing them. The media plays
> directly into this, by portraying hackers, variously, as "whiz kids"
> and "brilliant technologists" - of course if you're a reporter for
> CNN, anyone who can install Linux probably /does/ qualify as a
> "brilliant technologist" to you. I find it interesting to compare
> societal reactions to hackers as "whiz kids" versus spammers as
> "sleazy con artists." I'm actually heartened to see that the
> spammers, phishers, and other scammers are adopting the hackers and
> the techniques of the hackers - this will do more to reverse
> society's view of hacking than any other thing we could do.
>
> If you're a security practitioner, teaching yourself how to hack is
> also part of the "Hacking is Cool" dumb idea. Think about it for a
> couple of minutes: teaching yourself a bunch of exploits and how to
> use them means you're investing your time in learning a bunch of
> tools and techniques that are going to go stale as soon as everyone
> has patched that particular hole. It means you've made part of your
> professional skill-set dependent on "Penetrate and Patch" and you're
> going to have to be part of the arms-race if you want that skill-set
> to remain relevant and up-to-date. Wouldn't it be more sensible to
> learn how to design security systems that are hack-proof than to
> learn how to identify security systems that are dumb?
>
> My prediction is that the "Hacking is Cool" dumb idea will be a dead
> idea in the next 10 years. I'd like to fantasize that it will be
> replaced with its opposite idea, "Good Engineering is Cool" but so
> far there is no sign that's likely to happen.
--
José Miguel Parrella Romero (bureado.com.ve) PGP: 0x88D4B7DF
Debian Developer Caracas, VE/Quito, EC