
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security."
Date: Tue, 23 May 2006 12:39:40 -0500
But you've left out *one* very important factor: Mr. Winkler is a former intel 
operative from the U.S. federal government.  For him, he *is* "Mr. Security", 
and would understand its intricacies; however, don't discount the judgements 
or decisions of other people who are simply discussing alternative possibilities 
but aren't considered "resident experts", such as yourself.  You are 
implying (again) that security is an "absolute" instead of a "resolute" 
(that being "relative" to any given environment).  If this helps people 
understand its philosophy, "security" can be expressed as an entity -- if you 
will -- an organism, one that evolves just like a living, breathing organism.

What you have to understand is that people like Mr. Winkler are in the business 
of fortifying an environment or system -- by first destroying it.  By being an 
intel operative, and breaking into a system or environment, they are 
(effectively) destroying it by demonstrating its ineffectiveness in stopping 
(or preventing) them from gaining access.  How does making a comparison to that 
mean that something is or is not secure?  Another question might be, if an 
organization were to allow a portion of its environment to be exposed and 
vulnerable to attack, does that make that organization less secure, more 
secure, or about the same?  The answer is: "it depends".  Based on the elements 
given, how can you ascertain that that organization is or is not "secure"?  You 
can't.  An almost similar type of conclusion is being drawn from the other 
analogy that brought about this *whole* debate.

-r

DISCLAIMER:  Just because someone says that something is "secure" doesn't mean 
that it *is* "secure".

----- Original Message -----
From: Saqib Ali [mailto:docbook.xml@gmail.com]
To: "Robinson, Sonja" [mailto:Sonja.Robinson@fticonsulting.com]
Cc: Jason Muskat [mailto:Jason@techdude.ca], Craig Wright 
[mailto:cwright@bdosyd.com.au], Bob Radvanovsky 
[mailto:rsradvan@unixworks.net], "Sadler, Connie" 
[mailto:Connie_Sadler@brown.edu], email@securityabsurdity.com, 
security-basics@securityfocus.com
Subject: Re: Article: "Security Absurdity: The Complete, Unquestionable, And 
Total Failure of Information Security."


"hear, hear!"

"The goal of your security program is to optimize risk, never minimize
it. This is an extremely important distinction. It also sounds
counterintuitive to many people." From Ira Winkler's book titled Spies
Among Us.

The whole book is an excellent read. But I would highly recommend
reading pages 35 through 50, for an understanding of the topic of
security. People write about security without really understanding
the nature of the beast.

Or even better, have a one-on-one session with Mr. Winkler on how you can
minimize security related risk at your organization.


On 5/22/06, Robinson, Sonja <Sonja.Robinson@fticonsulting.com> wrote:
I had this debate on a different forum last week. I found the article
annoying and misleading in many instances (typos aside).  It just
rehashed the same things and didn't provide solutions but just blamed me
for the ills of society (like I need more).  I try to beat my users


-- 
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
