
Comment Re:The hilarity it keeps growing. (Score 5, Insightful) 259

NPR had a great piece on this yesterday where they openly stated that if strong encryption was backdoored, some kid would just write an app in his basement implementing strong encryption without a backdoor. The algorithms are public, and honestly not that complicated. The iPhone encryption that has everyone in such a lather is a Federal standard, after all.

Some of the media gets it.

Comment Re:Nobody Cares (Score 2) 116

I worked in hospital IT for over a decade. Your speculation is entirely wrong.

the only way to avoid those is to strip down the computer until it is to all intents a single purpose old analog device. The security issues which plague, and will forever hobble personal computers will simply not apply to near bare-metal single purpose, constantly reflashable devices.

Good idea. Nobody does that.

Comment Re:As a security professional... (Score 1) 291

Fixing security problems isn't a "nuanced" process of weighing tradeoffs: it's about educating coders to write good code, rather than just "crap that works."

Let me give you an example. Your security problem is that you just hired a guy who plans to steal documents on your Super Secret Widget. He has no criminal record (yet), or other reason for you not to hire him. He has legitimate access to the system containing the plans, copies them, and goes home. Security problems are often nothing to do with software.

Software security is certainly important, but it's only a small part of security as a profession. The default assumption is that all software has vulnerabilities, and that the truth of that has been proven time and time again.

Comment Re:As a security professional... (Score 1) 291

What if that user is an executive?

What about the time between them creating the workaround and you identifying it and closing it?

What if lots of people do it? You can't fire them all.

This is my point: If the thing the user is doing is actually important for the business, the business should be HELPING them do it in a secure way. The security role's job is to support the business so that the decision makers understand the risks of different approaches and can make a reasonable choice of which of those risks to accept.

Comment As a security professional... (Score 5, Informative) 291

I have to say that if this is his position:

His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics. 'The people who care most about this stuff are completely crazy. They are very black and white,' he said ... 'Security in itself is useless. The upside is always somewhere else. The security is never the thing that you really care about.'

He's absolutely dead right and more people in the security profession need to understand what their job is really about. Security is a support role. Our job is to make someone else's stuff work better. Even if you're secret service protecting the president, the core value in your job isn't security for its own sake, it's making sure the guy in the suit is able to do his job tomorrow.

Comment Re:wow (Score 1) 220

I don't think it's different at all. Corporations are made of people, and I don't care how big you are, the work is going to be done by a person who really can't possibly have more than a couple decades of experience, and the old experience is largely irrelevant anyway.

A cloud vendor's expertise isn't necessarily better than mine or yours. If my next job happens to be at a cloud vendor, I'm not magically better at it than before because I work there, not here. If you're going to claim $CLOUDVENDOR has policies/procedures/practices that are distilled from many people's worth of experience, then you're right back to making an argument based on scale.

Comment Re:In other news.... (Score 1) 500

And this:

Of course, the other part that needs to be acknowledged is that the business is profitable while paying that much.

doesn't mean anything because he's paying his staff exactly what he was paying before. It's just distributed differently. It's just to be expected that his company, which was profitable before, is still profitable after not changing his expenses.

Comment Re:In other news.... (Score 1) 500

I don't think that's it. On the emotional side, I love the idea of everybody getting the standard of living that $70,000/year buys today. My rational side just can't look past the "will it really work?"

In this case, he got a ton of resumes and customer inquiries. That's directly because he did something unusual. That's where I'd caution people not to assume this is a thing that would work as a general policy. You don't get a ton of resumes and customer inquiries when you're doing the same thing everyone else is doing.

Comment Re:"Open == Secure"? (Score 1) 214

Of course it's hogwash. You missed my point that it, like vyvepe's argument, is arbitrary speculation and not based in actual fact.

Closed source doesn't make software secure. Open source doesn't make software secure. Securing software makes it secure. Assuming that someone else always bothered to do that for any given piece of open source software is foolish.

Comment Re:"Open == Secure"? (Score 1) 214

Closed source, commercial software is written by people who are paid to do it. Software that people are paid to write more often includes the boring, not-fun parts like testing, documentation, and auditing. Therefore closed source software has a higher chance of being audited.

We're both just constructing arguments that may or may not be true. My point is that those arguments are irrelevant. A given piece of software either has or has not been audited. It doesn't matter if it's closed or open, it matters if it's been audited by someone who is technically proficient enough to do the job to the satisfaction of the user.
