Clement Dupuis posted a response to a message from a cccure.org member about his decision to use flash for a presentation that he is offering on his site. The guy had some valid arguments as to why flash can be a danger to use. He then shot himself in the foot by spouting off his "research" into the dangers of flash. What he failed to do was review the results of his research and make sure that they were relevant to his topic.
We are all susceptible to this. We get a notion in our head and run with it. We do some quick "research" on google and declare our hypothesis as truth. Security is serious business and we all do well to take it seriously but we also need to make sure that the case we build is built on fact and not FUD. This is the kind of stuff that makes it hard to get management on our side. We play the part of Chicken Little and look like a nut case. Even if our concerns are valid we have to be smart about how we deal with them. When we rush to judgement we make bad decisions or often look like fools in making good decisions. Some say that they don't mind looking like a fool or a control freak if it keeps the network safer, but I say that you can keep it safe and keep the rest of the company from thinking that IT is a bunch of nuts at the same time. It just takes common sense.
Security's Everyman
Tuesday, November 28, 2006
The flash is falling, the flash is falling!!
Subscribe to:
Post Comments (Atom)
2 comments:
FUD is one thing, but it really sucks when one hole is found in a technology and people start declaring it broken. That's not real life risk assessment. For instance, it can be said that when it rains outside, the road is slick and I am more vulnerable to dying. This must mean that either I should never, ever, ever drive in the rain, drive on roads, or perhaps ever sit in a car or moving vehicle again.
Yes, there are things that have vulnerabilities and technologies and practices in use that are insecure, but sometimes they are insecure in very obscure ways.
While that Flash example is excellent, one of my favorite ones is the look on some people's faces (virtual or real) when I say I still use WEP on one of my home wireless networks. "But it's insecure and broken!" Well, yeah, I can crack it, but none of my neighbors anywhere close to me has that knowledge let alone interest.
This changes every year though, as WPA becomes more supported and WEP cracking tools get more kiddie friendly...but the principle is still there.
Good point Loner. Just about everything digital has problems. Many are known but few of them are really dangerous to the average user. WEP is a good example. You may have a neighbor that cracks your code, but what is he going to do. Free Internet most likely. Beyond that the chances are slim that anything malicious will happen. Spammers and malware writers are out to make money and cruising for open or insecure wireless is not cost effective.
Post a Comment