##############################################################################
##############################################################################
############ Why we have such bad security in information systems ############
##############################################################################
##############################################################################

I have spent more than 18 years in computing and still enjoy it, but
needless to say computing has changed big time. This is due to many
factors, which I will try to explain next.


THE FIRST HUMAN FACTOR
######################

The first important factor is upper management's cluelessness.
YES, you can blame CLUELESS managers in most organizations.
Most organizations hire someone who has no idea what a secure system
is, let alone what secure coding is.

Most of these people collect big $ while playing a game called
"I_am_clueless_but_I_Wanabe_Bright": convincing other people that they
know what they are talking about. Most managers nowadays think about
awards and a high salary.

When I think about my career, the big moments tend to be the times in
the lab when something worked that we thought would not work. I have
learned that reflecting on your team and your success as a team is more
important than thinking about stupid awards.


THE SECOND HUMAN FACTOR
#######################

The second human factor is ignorance. Most computer users are clueless,
or they think they have MASTERED the ART of computing after installing
MSN or AOL or some other click-click application.
In the old days, to operate a computer you needed to learn how the hell
the beast works. Sadly, that is history nowadays.

We hear the same things over and over: "it does not happen to me",
"why would crackers want to attack my machine?". Questions like these
do not help you build a secure system.


THE THIRD HUMAN FACTOR
######################

The third human factor is the media. We hear a lot of bullshit in the
media, and most of it is simply not correct. For example, when a bright
hacker finds a vulnerability in some software, the media jump on him/her
as if he/she were some kind of criminal.

TRUE hacking is NOT a crime; it is a hobby like any other hobby. But the
media have changed the real meaning of hacking. I think it is time to
wake up and smell the coffee.

A real hacker is not a criminal but rather someone who is helping the
NET and technology in many ways. I can tell you that the hacking
community has gotten a raw deal in the last few years. There are groups
out there, call them hackers or cyber information warriors or whatever
you want, who identify themselves with a community that loves technology
and loves to find problems in technology. When these people find
vulnerabilities they are treated as if they were defusing bombs.
WHY DO WE NOT GIVE THEM CREDIT FOR FINDING THESE VULNERABILITIES?
Why do we treat them as criminals? Why have we extended the notion of
criminal to include hackers?

I believe the hacking community is the ONLY group keeping the software
business a little bit honest. WHO ELSE is doing it, can you tell me?!!!
I think we should THANK the hacking community for their good work and
passion. When a problem is found in software by a hacker we tend to
blame the hacker; the way I see it, the blame belongs to the software
company, NOT the hacker. The sooner we recognize that it is not the
hacking community we need to blame but rather the software maker, the
sooner we will have more secure systems.


THE FOURTH HUMAN FACTOR
#######################

The fourth human factor is that we are blaming the WRONG people
(hackers). More and more we hear BAD things about hackers in the media.
Why? Because the media view hackers as criminals, and talk about
criminals is something Mr/Ms Everybody loves to hear.

By default people love to hear bad news; that is why the media have
succeeded in brainwashing us. If we can apply ONE simple principle to
our daily lives we can change many things. That one thing is PEACE AND
LOVE TO ALL SENTIENT BEINGS.

People who blame hackers should meditate on their actions. Here is my
suggestion: visualize your left hand as a hacker and your right hand as
yourself. With that in mind, practice giving by passing things from the
left hand to the right hand and vice versa. Over time you will
understand that both communities need to work together to achieve
ZEN-Security :-). If we continue criticizing or gossiping about each
other, it will bring negative consequences.


THE FIFTH HUMAN FACTOR
######################

The fifth human factor is vendors like CompanyXYZ and others. They
create software just to please these clueless users who do not want to
learn, and to make clicking easier.
SOFTWARE VENDORS HAVE SUCCEEDED IN BRAINWASHING US BIG TIME.

My biggest fear in the information security field is all the bad
software out there. In our daily lives we deal with software that has
demonstrated itself to be full of vulnerabilities. Software vendors
taught us that when a computer freezes or blue-screens we just reboot
it and everything will be OK. Imagine the same happening to your car or
to the heater in your home; I am sure you would demand a fix or an
answer from your vendor immediately. Why should we accept these
frequent crashes in computers when there is no other product area known
to man where frequent crashes and weird behavior would be tolerated?

Imagine you are driving your car and you have to brake because you see
some kids playing around, but you cannot stop; to avoid the kids you
steer your car into a tree and BANG. You notice a message on your
dashboard that looks like this:

    0150088c 8b4704   mov  eax,[edi+0x4]           ds:0279a0a8=???
    FAULT ->0150088f 8b08  mov  ecx,[eax]          ds:00000000=???
    01500891 ff511c   call dword ptr [ecx+0x1c]    ds:00a7d681=???

(The ds:00000000 on the FAULT line means the instruction is reading
address zero: the pointer loaded from [edi+0x4] was NULL, a plain null
pointer dereference.)

Intrigued by the message and the quest to understand what just
happened, you pick up your cell phone and call your car dealer. After a
short chat they tell you: OH, YOU DID NOT PATCH YOUR ON-BOARD PROCESSOR.
What would your reaction be? I bet you won't be very happy, you may
start ./swearing -T 60 dealer, and of course you are going to hold your
car dealer responsible. Right?


The heart of the problem is that most organizations view code as an
asset. Well, let me tell you something: code is not an asset but a
liability.


##############################################################################
##############################################################################
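A note on the fault dump quoted under the fifth factor, since it is a
concrete sample of the "bad software" the article is about. Read
literally: mov eax,[edi+0x4] loads a pointer field at offset 4 of the
object held in edi; the FAULT line mov ecx,[eax] reads the first word of
the object that pointer refers to, and ds:00000000 says that read hit
address zero, so the field was never set; call dword ptr [ecx+0x1c]
would then have called slot 7 (0x1c / 4) of the function table it had
just loaded, the shape of a C++ virtual call through a null object. The
C program below is an added example, not code from the original article
and not the program that produced the dump (which the article does not
identify). The type and function names (Owner, Target, VTable,
checked_dispatch) are invented for illustration, and the byte offsets
quoted in the comments assume the 32-bit layout of the dump; on a 64-bit
build the offsets change but the failure does not.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct Target Target;

/* Function table. On a 32-bit build slot[7] sits at byte offset 0x1c,
 * the offset used by the dump's "call dword ptr [ecx+0x1c]". */
typedef struct {
    int (*slot[8])(Target *self);
} VTable;

/* Object whose first word is its table pointer: "mov ecx,[eax]" reads it. */
struct Target {
    const VTable *vtable;
    int value;
};

/* Object held in edi. On 32-bit, child sits at offset 4, the "[edi+0x4]"
 * of the dump. Hypothetical layout; the dump does not name the program. */
typedef struct {
    int header;
    Target *child;
} Owner;

static int target_value(Target *self) { return self->value; }

static const VTable target_vtable = {
    .slot = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, target_value }
};

/* The three instructions of the dump, as C. With owner->child == NULL the
 * second statement reads address 0: that is the FAULT line, ds:00000000. */
int unchecked_dispatch(Owner *owner)
{
    Target *t = owner->child;          /* mov eax,[edi+0x4]             */
    const VTable *vt = t->vtable;      /* mov ecx,[eax]     <- faults   */
    return vt->slot[7](t);             /* call dword ptr [ecx+0x1c]     */
}

#define DISPATCH_ERR_NO_CHILD  (-1)
#define DISPATCH_ERR_NO_METHOD (-2)

/* The same dispatch with the checks the crashing code lacked: a missing
 * child object or an empty slot becomes an error code, not a fault. */
int checked_dispatch(Owner *owner, int *out)
{
    if (owner == NULL || owner->child == NULL)
        return DISPATCH_ERR_NO_CHILD;
    Target *t = owner->child;
    if (t->vtable == NULL || t->vtable->slot[7] == NULL)
        return DISPATCH_ERR_NO_METHOD;
    *out = t->vtable->slot[7](t);
    return 0;
}

int main(void)
{
    /* Constructed sample objects: one wired up correctly, one in the
     * state the dump shows (child pointer never assigned). */
    Target t    = { &target_vtable, 42 };
    Owner  good = { 0, &t };
    Owner  bad  = { 0, NULL };
    int v = 0;

    int rc = checked_dispatch(&good, &v);
    printf("good: rc=%d value=%d\n", rc, v);

    rc = checked_dispatch(&bad, &v);
    printf("bad:  rc=%d (unchecked_dispatch(&bad) would segfault here)\n", rc);
    return 0;
}
```

The point of the checked version is not the two if-statements themselves
but where the failure is reported: the caller gets an error code it can
log and handle, instead of the user getting a dashboard full of opcodes.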