Hello,
Security can never be correct 100% of the time. This is not true even in
high level military establishments. I am not stating that you should not
do the best you can given a set of circumstances, but security is based
on risk.
100% secure systems for one do not exist nor can they. This is a
computationally intractable issue.
Users are also an issue. They will not put up with the costs, both
fiduciary and to freedom that 100% security requires. Even enforcing MAC
(mandatory access control) in an organisation is difficult.
The old wire cutter firewall example fails to provide security as an
example. CIA - the triumberant foundation of information security
requires availability of information. Cutting the cable cuts the legs
out of security. Nothing is ever 100% secure. Welcome to life.
Regards,
Craig
-----Original Message-----
From: Jason Muskat [mailto:Jason@TechDude.Ca]
Sent: Wednesday, 17 May 2006 12:14 PM
To: Saqib Ali; Bob Radvanovsky
Cc: Sadler, Connie; email@securityabsurdity.com;
security-basics@securityfocus.com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security."
Hello,
Security has to be correct 100% of the time. One omission can lead to an
exposure. Count yourself lucky that your vulnerabilities haven't been
exposed (that you know of -- Think Ohio State's exposure
<http://www.ohio.edu/datatheft/alumni/index.cfm>). Many organizations
cover
up (do not report to governmental authorizes) every exposure that
occurs.
This is the norm.
Consider the following; 10 persons information were known to be stolen.
Everything from address, SSN, account numbers, credit cards, driver
lic.,
health ins. forms, employment data, etc.. It goes unreported. Years
later
you receive letters for failing to pay your mortgage, credit cards,
taxes,
car lease, speeding tickets, you didn't show up for sentencing, and have
a
warrant for your arrest.
Things like the above happen. I read how a case of mistaken identity had
some fellow jailed for a few months before it was resolved. Imagine how
it
could have went if the perpetrator had stolen his ID.
Once your information is exposed you soon realize that there is nothing
you
can do to protect yourself, it's too late. For evermore you, not the
organization, has to check your credit reports, accounts, put flags up
in
your accounts over and over again until you die and all at your, not the
organization's, expense. Most organizations don't even offer help to the
people they adversely effected. At the very least an organization should
set
up a department to help the customers that have harmed.
Regards,
--
Jason Muskat | GCUX - de VE3TSJ
____________________________
TechDude
e. Jason@TechDude.Ca
m. 416 .414 .9934
http://TechDude.Ca/
From: Saqib Ali <docbook.xml@gmail.com>
Date: Fri, 12 May 2006 21:22:03 -0700
To: Bob Radvanovsky <rsradvan@unixworks.net>
Cc: Jason Muskat <Jason@techdude.ca>, "Sadler, Connie"
<Connie_Sadler@brown.edu>, <email@securityabsurdity.com>,
<security-basics@securityfocus.com>
Subject: Re: Article: "Security Absurdity: The Complete,
Unquestionable, And
Total Failure of Information Security."
"Security" is a matter of perception. If the companies don't see it
as an
issue, it (quite simply) is *not* an issue.
That is fine for the company in question. But NOT fine for the
customers / other companies interfacing with the company that does not
see INsecurity is an issue. I wouldn't wanna have my credit card info
stolen from an online merchant, neither would you.
One option is that I do not deal with compannies that do take security
seriously. But how do I know which companies do NOT take security
seriously? Maybe they should put a disclaimer on their website????
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.
