Copyright © 2009 What The Hell? Security
“I never did give anybody hell. I just told the truth and they thought it was hell.” –Harry S. Truman, 33rd President of the United States.
So what the hell is this blog about?
Well, it’s about security. Web security. Internet security. Information security. Ecommerce security. Computer security. And all that those entail.
The similarity with other security blogs stops right there. On the whole they do a good enough job of holding the tech industry’s hands to the fire. I’m content to let them do it.
What I’m not content to do however, is pretend the security industry has its act together. By and large, it does not. We security professionals are just as fallible as everybody else. Truth be told we’re our own worst enemy. We create nearly as many problems as we solve. We’re just like everybody else, only a little worse, because we’re supposed to know better.
So in the spirit of contributing something useful, most of what I have to say targets the security industry. From the inside. Bluntly. Provocatively. Confrontationally. All in the interest of progress. That’s why I only instigate on topics I know a great deal about. Which happens to be quite a bit, because twenty-five years ago I was fixing buffer overflows in operating system kernels, a few of them on installations where human lives depended on the system. A different risk profile to be sure, but the fundamentals are the same.
As a reader you might get the idea that I’m a cynic, a malcontent, and an egomaniac all rolled into one. I don’t blame you if you do. Hell, that’s certainly what I would think if you were the blogger and I was the reader.
Truthfully I’m not any of those things. What I am though is honest. And, as it turns out, prone to thinking about certain kinds of problems differently than most. So when I vocalize my opinions, it’s not unusual to provoke responses like “What the hell did he just say?”
I have read all of your blog entries: all VERY riveting.
I totally understand where you are coming from and totally agree that security is essentially a SHAM.
I am not a security guy, and so I ask: since you are a security guy -> what would you do different?
It appears to be a lot of soap-box screaming, but with no suggestions on what to do better, what good is this blog?
Did I just waste an entire night reading every single blog entry searching for answers, only to walk away empty handed?
Excitedly waiting for some alternatives to SSL-Bribes.
This is an outstanding question. One of my goals is to NEVER ridicule something unless:
(1) I have years of experience with it, AND …
(2) Those years have led me to conclude there has got to be a better way of accomplishing the goal, AND …
(3) I’ve invested a great deal of time identifying a better way, where “better” definitely includes “viable” but not necessarily “easy,” AND …
(4) I’ve persuaded a handful of security pros whom I deeply respect, that my “better” way is indeed better
Naturally I aim not to miss the mark here, so when I do, or appear to, I reckon it’s due to one or more of:
(a) Having so much to say, I have to say it in chunks e.g. The 9 Laws of Phishing, OR …
(b) I’ve lost objectivity from having thought about it so long, OR …
(c) I’ve simply missed the mark
It would be helpful for me if you could point out one or two posts that need clarification.
How would you solve the SSL bribes problem? I mean, would you put together a new authentication system altogether, or train internet users (that small subset of the world’s population) that the warning shown when a company has either refused to pay the SSL bribe or created self-signed certificates should be ignored, or something altogether different?
Or am I missing the point altogether?
You’re absolutely right. I have not addressed that. Chalk it up to “lost objectivity.” My next post will address it.
Know what makes me mad as hell? Reading post, after post where the author just nails it, and not having any idea who the author is. Know what makes me madder than hell? Wishing I’d thought of that, said that, and expressed it that well. Arghhhhhhh! It’s enough to drive a body to strive to do better oneself: unacceptable.
Thank you for the high compliment Cormac. To add to the mystery: We actually know each other. :)
I’m privileged then to know the Scarlet Pimpernel of security? Best of luck as you try to save sanity from the clutches of Madame Guillotine. Will this Reign of Terror never end?