Do bad guys actually follow the whitehat security industry, or is that just something we hypothesize to justify things? Is Dan’s DNS attack actually being used, and does anyone care? Was the security circus around it just fun to watch, or was there something more to it? (ramble, ramble, ramble)
Can John Reilly stand on his own as a comedian or is he riding Will Ferrell’s coat tails?
Georgia, Georgia, Georgia’s on my mind.
Who will watch my cat when I am in vegas in two weeks?
Pure Energy…
http://www.youtube.com/watch?v=ijAYN9zVnwg
Why are big companies trying so hard to make infosec as boring as possible?
And with all the auditors running around now, it’s almost impossible to be creative with new solutions. If it’s not an approved (already understood by auditors) solution, you’re just wasting your time.
Dominic, you raise a good question. I always figured that the bad guys would never follow the good guys. I wouldn’t.
How can I make myself such a public nuisance that vulnerability researchers confidentially tell me their secrets to shut me up, so instead of going through all the work of redoing their research I can just cut-and-paste the stuff they told me and get myself in the spotlight?
Why did I wake up at 2:30am and why am I not tired?
Is anybody hiring web app pentesters/researchers? I’m not being taken seriously… I get the impression that I’m only here because having an ‘Information Security Officer’ is recommended by our PCI compliance certifiers.
But I also get the impression that this is normal.
Hot lesbian sex. What else would be?
Since overall operational hygiene is a direct contributing factor to infosec, what does it take to turn the ship and get a company to change its culture to be more operationally mature? Especially when an organization is so operationally and cognitively “poor that it can’t get rich”?
Tim, I’m having that same issue. On top of that, I have two fish.
My money.
@planetheidi:
Politics and defensible, concise, risk metrics 🙂
Exactly how did that systems administrator in San Francisco go wrong? What should he have done to be a more effective blackmailer?
I like the New School idea! I like data, a lot. I prefer arguments over data to arguments over ideology. At the same time I’m concerned that we may hit the problems seen by our colleagues in political science, social science, and economics: cases where careful choice of data or uncareful choice of statistics end up giving contradictory conclusions. (even just sophisticatedly wrong conclusions).
(and yes, sorry Adam, I know I still need to talk to Deirdre…)
For example, here’s a crooked timber post on the issues economists have had in answering the question “does raising the minimum wage in practice raise unemployment?” The models say raising the minimum wage should raise unemployment, of course. The post is about how it’s turned out to be easier to publish studies showing one direction than the other:
http://crookedtimber.org/2008/05/11/economic-fundamentalism-and-the-minimum-wage/
Here’s a funny-because-it’s-true paper by Ed Glaeser on how empirical economists respond to publication incentives by consciously or unconsciously shifting their studies towards “statistically significant” results:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=934557
Of course neither of these cautionary tales means we should abandon data-driven approaches to security. Far from it – but they mean we have to be up front and clear about its limits, even as we extol its virtues and develop a narrative of how data can get us out of the pit. Otherwise we could end up like those medical studies where this week red wine is good for you, and next week it’s not.
David,
I look forward to arguing over methodologies and struggling with hard-to-disambiguate factors, rather than arguing over perception and struggling with hard-to-disprove assertions.
I think we covered some of this in chapter 7, talking about a variety of limits.
I don’t know if I should be happy or sad that so many people think about the things I do. I am disappointed that neither beer nor pizza has been mentioned, however.
Adam,
Thanks for the response. I’ll re-read that chapter. Once I get it back from my colleague who jumped on the book as soon as he saw it, anyway. 🙂
I also agree that it’d be a good set of problems to have. I just hope we can avoid the same learning-the-hard-way which seems to have passed through these other fields.
-David Molnar