If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Poorly written software is at the root of all of our securityproblems
You can find the claim in the subject line as the top-rated risk at
http://www.csl.sri.com/users/neumann...sks08.html#220 I found that link from the useful (moderated) newsgroup comp.risks. I found my way to that newsgroup at the suggestion of a former government official who probably got tired of my repeated comments about US incompetence and laziness with regard to information security. How important you think the integrity of the Internet (and the financial system) should be may be culturally-dependent. If you live in the gunslinger mentality of so much of the former Warsaw pact, the solution to any security problem might well be another round of vodka shots. Russia, for example, is ranked 117 on the world corruption audit http://www.worldaudit.org/corruption.htm The country I have repeatedly slighted by implication is well up the list, not so very far below, say, Costa Rica. The United States has nothing to brag about in that department, as it is almost at the end of the list of First World countries, just two slots below the UK. In any case, software integrity is a *very* big problem. If you are trying to argue otherwise, my guess is that you don't think integrity is all that important. Robert. |
#2
|
|||
|
|||
Poorly written software is at the root of all of our ...
In c.s.i.p.h.c Robert Myers wrote in part:
You can find the claim in the subject line as the top-rated risk at http://www.csl.sri.com/users/neumann...sks08.html#220 I found that link from the useful (moderated) newsgroup comp.risks. Are you having us on? Have a look at the context: the author (a Homeland Security civil servant) is arguing for National Security Research and says: While progress in any of the areas identified in previous reports noted above would be valuable, I believe the `top ten' list consists of the following (with short rationale included): 1.Software Assurance - poorly written software is at the root of all of our security problems 2.Metrics - we can't measure our systems, thus we cannot manage them 3.Usable Security - information security technologies have not been deployed because they are not easily usable 4.Identity Management - the ability to know who you're communicating with will help eliminate many of today' online problems, including attribution 5.Malware - today's problems continue because of a lack of dealing with malicious software and its perpetrators 6.Insider Threat - one of the biggest threats to all sectors that has not been adequately addressed 7.Hardware Security - today's computing systems can be improved with new thinking about the next generation of hardware built from the start with security in mind 8.Data Provenance - data has the most value, yet we have no mechanisms to know what has happened to data from its inception 9.Trustworthy Systems - current systems are unable to provide assurances of correct operation to include resiliency 10.Cyber Economics - we do not understand the economics behind cybersecurity for either the good guy or the bad guy. The claim you quote with such authority is nothing but an off-hand comment -- perhaps true, perhaps not, but definitely not supported. And not worth quoting outside a Leno-esque setting. If you live in the gunslinger mentality of so much of the former Warsaw pact, the solution to any security problem might well be another round of vodka shots. Oh dear. How do you know? Have you been there? There are huge differences between the countries there were coerced into that organization. Or do you claim Estonia is the same as Croatia? As for the gunslinger mentality, it build much of the United States from which you derive great benefit whether you like it or not. And even if vodka were sometimes, someplace a solution, does not mean that is it always and everywhere the solution. Statistics cannot be applied backwards. Statistics are descriptive, not prescriptive. Russia, for example, is ranked 117 on the world corruption audit http://www.worldaudit.org/corruption.htm So what? However well-intentioned, these sorts of things are flawed: 1) It is difficult to measure relevant factors 2) The weighting of these measurements reflects only one set of values 3) The ordinal presentation hides the sizes of differences You are also missing a link -- even if corrupt, why does that make the software poorly written? Why do you believe corruption is greater than imcompetence? "Never attribute to malice that which can reasonbly be explained by simple incompetence" [Napoleon] In any case, software integrity is a *very* big problem. If you are trying to argue otherwise, my guess is that you don't think integrity is all that important. It may well be a big problem. Unfortunately, your case is full of holes. With friends like you, security does not need enemies. -- Robert R |
#3
|
|||
|
|||
Poorly written software is at the root of all of our ...
On Jan 30, 1:13*pm, Robert Redelmeier wrote:
In c.s.i.p.h.c *Robert Myers wrote in part: You can find the claim in the subject line as the top-rated risk at http://www.csl.sri.com/users/neumann...sks08.html#220 I found that link from the useful (moderated) newsgroup comp.risks. Are you having us on? *Have a look at the context: *the author (a Homeland Security civil servant) is arguing for National Security Research and says: * *While progress in any of the areas identified in previous * *reports noted above would be valuable, I believe the `top ten' * *list consists of the following (with short rationale included): * *1.Software Assurance - poorly written software is at the root * * * *of all of our security problems snip The claim you quote with such authority is nothing but an off-hand comment -- perhaps true, perhaps not, but definitely not supported. And not worth quoting outside a Leno-esque setting. The purpose of my post was to point others toward more reliable sources of information than wild claims by people who like things just the way they are, not to offer authoritative assessments. Whatever you may think of my opinion about software, it is an opinion that is widely-shared. If you live in the gunslinger mentality of so much of the former Warsaw pact, the solution to any security problem might well be another round of vodka shots. Oh dear. *How do you know? *Have you been there? *There are huge differences between the countries there were coerced into that organization. *Or do you claim Estonia is the same as Croatia? It is a widely-recognized reality that some of the most clever programming, and also some of the most malicious, is coming from the former Warsaw pact. snip Russia, for example, is ranked 117 on the world corruption audit http://www.worldaudit.org/corruption.htm So what? *However well-intentioned, these sorts of things are flawed: 1) *It is difficult to measure relevant factors 2) *The weighting of these measurements reflects only one set of values 3) *The ordinal presentation hides the sizes of differences You are also missing a link -- even if corrupt, why does that make the software poorly written? *Why do you believe corruption is greater than imcompetence? *"Never attribute to malice that which can reasonbly be explained by simple incompetence" [Napoleon] If you are in a culture where high-risk behavior is the norm, you will have a different conception of what is reasonable behavior. Sebastian has already informed us that it is not worth his while to be careful and presented a rationale for his calculated carelessness. I can't imagine any of my correspondents from Scandinavia talking in a similar fashion. Even a Wall Street jockey would not be likely to be so incautious. In the litigation-happy US, such off-hand commends could backfire in a serious way. In any case, software integrity is a *very* big problem. If you are trying to argue otherwise, my guess is that you don't think integrity is all that important. It may well be a big problem. *Unfortunately, your case is full of holes. *With friends like you, security does not need enemies. It comes as little surprise that you have a low opinion of me and want to make that known. I can't imagine that anyone else who follows these forums would be more surprised than I am. Robert. |
#4
|
|||
|
|||
Poorly written software is at the root of all of our securityproblems
[Robert Myers written nonsense snipped]
Yet another off-topic post by RM (off-topic on both groups he crossposted). Yet, He just wrote, he will not continue the discussion, yet he continues it. How predictable... Then the post is filled with rambling about buch of unrelated things, peppered with some poor attempts at ad hominem, all intermixed with demonstration with very poor understanding of the matter he tries to discuss. Whether he tries to discuss realities of former Warsaw Pact countries, software security, software integrity, risk estimation, his jedgement shows similar level of cluelessness. (Besides, sorry Mr. Myers, i'm not Russian, so wrong shot, troll) \SK -- "Never underestimate the power of human stupidity" -- L. Lang -- http://www.tajga.org -- (some photos from my travels) |
#5
|
|||
|
|||
Poorly written software is at the root of all of our securityproblems
On Feb 1, 7:23*am, Sebastian Kaliszewski
wrote: * [Robert Myers written nonsense snipped] Yet another off-topic post by RM (off-topic on both groups he crossposted). Yet, He just wrote, he will not continue the discussion, yet he continues it. How predictable... Then the post is filled with rambling about buch of unrelated things, peppered with some poor attempts at ad hominem, all intermixed with demonstration with very poor understanding of the matter he tries to discuss. Whether he tries to discuss realities of former Warsaw Pact countries, software security, software integrity, risk estimation, his jedgement shows similar level of cluelessness. (Besides, sorry Mr. Myers, i'm not Russian, so wrong shot, troll) First of all, cowboy, you decided to resurrect this topic in a completely unrelated thread about Intel's compiler. So long as the discussion began in these groups, that's where the discussion should end. Secondly, it is clear from the logic of my post that I did not believe you to be Russian, only from a former Warsaw Pact country whose position on the corruption list I located a bit below Costa Rica (which I am sure must produce *some* of its foreign exchange through legal means with unlaundered cash). Thirdly, I care no more what you think of me than what Prof. Redelmeier thinks of me. The fact that many misuse statistics and draw false conclusions from them the way you do is no defense for you. You don't understand what you are doing and you defend it by heaping up misinformation and abuse. Fourthly, the proper manner of formal address is Dr. Myers. Robert. |
#6
|
|||
|
|||
Poorly written software is at the root of all of our security ?problems
In cshipc Robert Myers wrote in part:
Fourthly, the proper manner of formal address is Dr. Myers. Touchy, touchy. I'm presuming PhD 'cuz MDs have little knowledge of fluid dynamics. Although there are some interesting problems around shear minimization for heart valves and arterial grafts. -- Robert R |
#7
|
|||
|
|||
Poorly written software is at the root of all of our securityproblems
Robert Myers wrote:
On Feb 1, 7:23 am, Sebastian Kaliszewski wrote: [Robert Myers written nonsense snipped] Yet another off-topic post by RM (off-topic on both groups he crossposted). Yet, He just wrote, he will not continue the discussion, yet he continues it. How predictable... Then the post is filled with rambling about buch of unrelated things, peppered with some poor attempts at ad hominem, all intermixed with demonstration with very poor understanding of the matter he tries to discuss. Whether he tries to discuss realities of former Warsaw Pact countries, software security, software integrity, risk estimation, his jedgement shows similar level of cluelessness. (Besides, sorry Mr. Myers, i'm not Russian, so wrong shot, troll) First of all, cowboy, you decided to resurrect this topic in a completely unrelated thread about Intel's compiler. So long as the discussion began in these groups, that's where the discussion should end. Actually, this is far enough off any relation to Intel that moving the discussion with a "Followups-To" somewhere else would be appropriate. Don't take that as an endorsement of (or disagreement with) Mr Kaliszewski's other points, but on the suggestion that this is no longer relevant to Intel, I believe he is right. |
#8
|
|||
|
|||
Poorly written software is at the root of all of our security?problems
On Feb 2, 1:38*pm, Robert Redelmeier wrote:
In cshipc Robert Myers wrote in part: Fourthly, the proper manner of formal address is Dr. Myers. Touchy, touchy. *I'm presuming PhD 'cuz MDs have little knowledge of fluid dynamics. *Although there are some interesting problems around shear minimization for heart valves and arterial grafts. Formal address where informal address is commonly used is hostile. That being the case, I'm going to insist on the socially-correct honorific. Had you been paying attention, you'd know a lot about my educational background. Robert. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Symptoms of poorly cooled processor | [email protected] | Homebuilt PC's | 1 | July 8th 06 04:24 AM |
Pet peave - poorly written manuals (especially mb manuals) | [email protected] | Homebuilt PC's | 12 | January 10th 06 09:27 PM |
Canon i250 prints poorly | [email protected] | Printers | 3 | July 29th 05 09:38 PM |
OK what games run poorly with ATI cards? | Andrew | Ati Videocards | 17 | February 27th 04 05:50 PM |
9600se running poorly... | s | Ati Videocards | 18 | December 18th 03 09:06 AM |