Amrit Williams has posted his “11 worst ideas in security.” Excellent list and I’ve pulled a few out for my own reactions.
#11 – Security Industry and Market Analysts – Yeah, they say more to the marketing teams of the players in the markets than to anyone actually using or looking to use the products.
#8 – Scan and Patch – I think this one is a challengeable position, and could make for nice discussions. He’s right though, it can come down to incessant nagging.
#7 – PKI – It’s a love-hate thing. I love reading articles that talk about implementing PKI to support this-or-that, because I hate so much about how misled such people are. A drink to anyone who has implemented real PKI successfully!
#3 – The Vulnerability Disclosure Debate – Amrit is right, who the crap really cares? In the end, the attackers certainly don’t.
#1 – Security Vendors and the VCs that love them – It sucks to keep this in mind: “The goal of the security industry is not to secure, the goal of the security industry is to make money.” I think many people create or work in such organizations because they do want to promote security, but yes, in the end the industry and organizational entities themselves are just there to make money (as are some of the hierarchy in such orgs).
“Amrit is right, who the crap really cares? In the end, the attackers certainly don’t.”
Actually, they do if they’re smart, and for good reason… guess who says to “forage on the enemy”… it works just as much for intelligence as it does for material supplies, that’s why secrecy is so important to the militaries of the world…
It only stops mattering if you assume the attackers are omniscient, if there is literally nothing they can learn from you… that’s not a particularly reasonable assumption, even if it does fit perfectly with Shannon’s maxim…