[ASLE] The six dumb ideas in computer security

José Miguel Parrella Romero jparrella at onuva.com
Sat Feb 20 10:33:05 ECT 2010


Andres Genovez wrote:
>   The Six Dumbest Ideas in Computer Security

I agree with all of them except #4. It is almost disrespectful of the
author to give such a superficial view of hacking. And in the end it is
just a matter of terminology: 'enterprise hackers' vs. 'good engineers'

>     #4) Hacking is Cool
> 
>     One of the best ways to get rid of cockroaches in your kitchen is to
>     scatter bread-crumbs under the stove, right? Wrong! That's a dumb
>     idea. One of the best ways to discourage hacking on the Internet is
>     to give the hackers stock options, buy the books they write about
>     their exploits, take classes on "extreme hacking kung fu" and pay
>     them tens of thousands of dollars to do "penetration tests" against
>     your systems, right? Wrong! "Hacking is Cool" is a really dumb idea.
> 
>     Around the time I was learning to walk, Donn Parker was researching
>     the behavioral aspects of hacking and computer security. He says it
>     better than I ever could:
>     /"Remote computing freed criminals from the historic requirement of
>     proximity to their crimes. Anonymity and freedom from personal
>     victim confrontation increased the emotional ease of crime, i.e.,
>     the victim was only an inanimate computer, not a real person or
>     enterprise. Timid people could become criminals. The proliferation
>     of identical systems and means of use and the automation of business
>     made possible and improved the economics of automating crimes and
>     constructing powerful criminal tools and scripts with great leverage."/
> 
>     Hidden in Parker's observation is the awareness that */hacking is a
>     social problem/*. It's not a technology problem, at all. "/Timid
>     people could become criminals./" The Internet has given a whole new
>     form of elbow-room to the badly socialized borderline personality.
>     The #4th dumbest thing information security practitioners can do is
>     implicitly encourage hackers by lionizing them. The media plays
>     directly into this, by portraying hackers, variously, as "whiz kids"
>     and "brilliant technologists" - of course if you're a reporter for
>     CNN, anyone who can install Linux probably /does/ qualify as a
>     "brilliant technologist" to you. I find it interesting to compare
>     societal reactions to hackers as "whiz kids" versus spammers as
>     "sleazy con artists." I'm actually heartened to see that the
>     spammers, phishers, and other scammers are adopting the hackers and
>     the techniques of the hackers - this will do more to reverse
>     society's view of hacking than any other thing we could do.
> 
>     If you're a security practitioner, teaching yourself how to hack is
>     also part of the "Hacking is Cool" dumb idea. Think about it for a
>     couple of minutes: teaching yourself a bunch of exploits and how to
>     use them means you're investing your time in learning a bunch of
>     tools and techniques that are going to go stale as soon as everyone
>     has patched that particular hole. It means you've made part of your
>     professional skill-set dependent on "Penetrate and Patch" and you're
>     going to have to be part of the arms-race if you want that skill-set
>     to remain relevant and up-to-date. Wouldn't it be more sensible to
>     learn how to design security systems that are hack-proof than to
>     learn how to identify security systems that are dumb?
> 
>     My prediction is that the "Hacking is Cool" dumb idea will be a dead
>     idea in the next 10 years. I'd like to fantasize that it will be
>     replaced with its opposite idea, "Good Engineering is Cool" but so
>     far there is no sign that's likely to happen.

--
José Miguel Parrella Romero (bureado.com.ve)          PGP: 0x88D4B7DF
Debian Developer                                Caracas, VE/Quito, EC