Matasano Chargen: Do we suck?

  • Mike Rothman · 3 years ago
    To be clear, all the coverage I read (including my own) was focused on calling bunk on this guy. Maybe we should have just buried it and let it pass, but that's not my style. If someone says something stupid, I need to call that out.

    I'm not sure whether this guy was trying to drive business his way or what, but let's see what he says the solution is - if his next post ever materializes. That will be very interesting.
  • Thomas Ptacek · 3 years ago
    Presumably, his solution will eliminate spyware, end viruses, turn SSL on for bank logins, kill bugs, repair vandalized websites, substantially reduce the number of Agobot variants, do whatever it was he was talking about regarding passwords, WPA-enable my Airport, and send me a check for 1-300MM'th of $400Bn, apparently by replacing MD5 with a new encryption standard.

    I can't wait!
  • Stiennon · 3 years ago
    While I love your critique of Noam's security failure diatribe, I still think we should cut him some slack. I much prefer his message to the message that "it's over, security is solved, time to move on" that seems to be getting coverage in some circles.

    My way of thinking goes like this:

    Yes, the threats are real and growing. While if you do nothing to protect yourself you are toast, there are many things you can do to actually be "secure enough".
  • Dave G. · 3 years ago
    Stiennon:

    I agree with thinking about security in practical terms, which is exactly why I think Noam shouldn't be cut any slack. His message is the other extreme of the 'security is solved' camp. I think alarmist messages being driven by an incomplete understanding of both security and associated statistics are only harmful. Some of his points are valid; unfortunately, they are poorly backed up. Other points aren't so valid and are made by showing a single bad example and then extrapolating that to an entire industry.

    Finally, he falls into the biggest trap of security professionals: Can find problems easily, solutions... not so much.
  • Noam · 3 years ago
    Hi, my name is Noam - yes, *that* Noam. :-)

    I do appreciate your feedback and comments - even though I don't obviously agree with all of it. If you are going to write a strongly worded article saying that the security industry is failing, you are obviously going to get some strong feedback. I completely expected that. Thankfully, the vast majority of it has been positive.

    While you take issue with many of the statistics in the article, I am not the one making those claims - I link directly to the source or original study where appropriate. For example, you say that I, "state that internal breaches alone cost $400Bn". I do not make this claim. The article states that this figure is, "according to a national fraud survey conducted by The Association of Certified Fraud Examiners". I even provide a link with details on the original survey. If you have an issue with the figure, you need to take up those issues with The Association of Certified Fraud Examiners, not blame me for mentioning their survey and results!

    You also misrepresent what I say. You say I, "believes Anti-Spyware is a total failure because a report from 2004 said Giant missed 34 registry settings." What I actually say is, "Eric Howes, a renowned security researcher at the University of Illinois at Urbana-Champaign, found that many of the best-performing anti-spyware scanners 'fail miserably' when it comes to removing spyware from infected computers, with some missing up to 25 percent of the critical files and registry entries installed by the malicious programs."

    The article is a response to the attitude that these daily threats and massive security breaches are, "normal" and "business as usual" and "just the way things are".

    Basically what I am saying is that things are very bad at the moment. I don't think anyone can disagree with that. And I am saying that there needs to be more discussion on solving these issues. And I don't think that is such a terrible thing to say.
  • Thomas Ptacek · 3 years ago
    I'm glad you can handle blunt criticism.

    I have two questions.

    1. Without the statistics, does your essay say anything?

    2. Is it possible that the only difference between what you said about the Howes Spyware report and what I said is that I actually read the report?
  • Dr. Strangelove · 3 years ago
    "The article is a response to the attitude that these daily threats and massive security breaches are, 'normal' and 'business as usual' and 'just the way things are'."

    If this were the case:

    1. Why are Technology Executives still spending millions annually on security solutions?
    2. Why are Managed Security Solutions companies still in business?
    3. Why are firewalls, and anti-virus software, still being deployed (at a cost of millions annually, see item 1)?
    4. Why are Security Conferences still generating fairly decent profit margins?
    5. Why haven't I been a victim of identity theft yet?
    6. Why do I still have a job?
  • Mike Shtupp · 3 years ago
  • Thomas Ptacek · 3 years ago
    You could argue that enterprises spend the minimum required to avoid formal and informal liability, but are either unwilling or unable to invest in real solutions (which may or may not be available --- I'm waiting for Noam's MD6).
  • Chris Walsh · 3 years ago
    "I didn't say it, the National Council of Fraud Examiners did"

    Sure, but you don't need to unquestioningly swallow everything you read. Part of the practitioner's job is to weigh the evidence and arrive at a considered judgment. The ACFE Report to the Nation (in 1996) said that insider losses amounted to 6% of corporate revenue (http://www.acfe.com/fraud/view.asp?ArticleID=9), but unless your post has been changed, or I missed a link in it, you do not link to that (or any) ACFE data.

    Note, BTW, that the report I referenced isn't limited to insider thefts that infosec can do much about (it included inventory shrink, stealing paper clips, bid-rigging, and the like). In short, this data source drastically overestimates the size of the "infosec problem", and your reliance on it (if indeed this is your source) is unwarranted.
  • Diago Mare · 2 years ago
    The author has posted a follow-up:

    "Community Comments & Feedback to Security Absurdity Article - the Good, the Bad and the Ugly."

    http://www.securityabsurdity.com/comments.php