Tuesday, August 19, 2008

Security is not about self-pleasing simians

The comments by Linus about OpenBSD people being self-pleasing monkeys are immature at the least. Sometimes I feel that he does not realise that he is a leader of (in many cases the face of) the GNU/Linux and FOSS worlds.

Young people and many others do look up to him. The fact that he did not like someone accusing him of something (who really likes to be criticised or accused?) does not give him the right to insult.

Security is never over-rated. Perhaps many do not share my paranoid views, but can you imagine if your banking or credit card information were compromised? What then?

The attitude of many so-called IT professionals towards security is basically shameful. Security vendors will always push their wares as a one-stop solution. So what? Plunk a fancy, expensive appliance in your network and everything will be OK?

For any platform there will always be a set of best practices to properly secure the system. Apache HTTPD has theirs, IIS has theirs. But how many actually follow them? How many times have we heard of people sacrificing best practices (applying security patches, not sharing passwords, using complex passwords, clear separation of privileges, encrypting where possible, etc.) because they are inconvenient?

Or the lame excuse: nobody will hack us because we are small fish. Well, if I were a cracker in training I would go for smaller outfits, precisely because I know they will not have the resources to track or prosecute me. Smaller outfits are attractive because they can't fight back.

Will we ever compromise our homes' or cars' security? Why have so many locks? Why don't we just not use any locks? It saves us the trouble of carrying keys, right?

Sorry for the rant. I am just so very upset that whenever I speak of the need for security and hardening, many just roll their eyes and say I am going overboard. That is, until things get hacked and they start trembling and scrambling for an answer.