Firewall Wizards: RE: tunnel vs open a hole

["Carroll, Shawn" <SCarroll () chittenden com>]

> It seems that the real power holder in the whole debate is 
> perhaps that
> identity having been pointed to and referenced more 
> frequently in recent
> rants on coding styles and such;  the consumer.  On that 
> bent, perhaps a
> holding of breath for change to take place in forcing 
> companies and their
> coders and such to pay more attention to the details of secureity and
> bounds checks and all, might well result in a number of 
> purple heads/faces
> blowing up under-pressure.  Afterall, we as a buying public 
> still payout
> large sums of cash yearly for SUV's that almost need a direct 
> link to a
> gas pump, roll over wiht slight twists of the steering 
> mechanics to avoind
> obsticles, and do extremely poorly in crash tests.  Even with 
> seatbelts
> and airbags installed, under federal regulations.
Power, perhaps.  But only power in numbers.  Of course if people stop buying
crap (after first recognizing it as such), then crap will go away and the
non-crap will flourish.

But I wonder about the mechanisms for this to happen.

The buying public at large, I believe, as they make their buying decissions,
does NOT believe they have the power to lobby for better things, like better
TV programming or better operating systems.  I don't know that they FEEL the
power of their moral decision not to buy certain TV channels, and that their
decision to not buy will, IN AGGREGATE with other like-minded consumers'
similar decisions, will either force the quality of programming up, or
create a hot untapped market segment for someone to slip into and fill the
void.  Actually, in the case of TV programming, channels are usually sold in
large bundles anyway so you'd be forced to pay for 9/10ths crap for the
1/10th you want.

But aside from exercising moral conviction, it takes a bit of faith that (a)
the system will work and you won't simply be swinging in the breeze, alone
with your moral convictions (b) that others not only would be willing to put
their foot down and not buy crap, but do in fact recognize it as crap to
begin with.  If 90 percent of consumers love Baywatch and the Olsen twins,
what are you going to do?

I mean, less than 50 percent of Americans vote.  A subset of this same
public will be buying software.  What are they likely to do when their jobs
are at risk?  Answer: follow the crowd.  Those who rise above this are: 1.
technically competent, 2. confident, 3. perhaps have trust and buy-in, and
4. few and far between, arguably.

A better answer would be, "Don't be one of the ones who doesn't vote, and do
the right thing."  If no-nonsense measures have to be taken so that SHARED
resources are still usable (internet bandwidth) despite the large percentage
that aren't as responsible, then so be it.

Shawn

> Thanks,
>
> Ron DuFresne
>
>
> On Wed, 9 Apr 2003, George Capehart wrote:
>
> > On Tuesday 08 April 2003 11:21 pm, Marcus J. Ranum wrote:
> > > Behm, Jeffrey L. wrote:
> > > > <pet peeve>
> > > > When will programmers begin (again) to do basic error checking?
> > > > </pet peeve>
> > > It's sure as hell not because the tools don't exist. Even 
> back in the late
> > > 1980's you had tools like Saber-C (now CodeCenter) that 
> did huge amounts
> > > of runtime error checking. The tools are there and have 
> been there; it's
> > > the "get it to market yesterday" mindset and the fact 
> that a lot of
> > > software engineers are spoiled brats that have allowed 
> the lunatics to take
> > > control of the asylum.
> > <pre-rant>
> > Yes, there are *many* tools to help write, trace, and clean 
> code.  There are 
> > also several Web sites, books, and, yes, even coding 
> standards that deal with 
> > writing sane (and secure) code.  There are even whole 
> programs designed to 
> > impose good process on the whole system development life 
> cycle (the Rational 
> > Unified Process, the CMMI and SSE-CMM come immediately to 
> mind).  And, back 
> > in the Dark Ages when I was actually writing code, I *knew 
> better* than to 
> > take the shortcuts I was taking, but in the face of having 
> to deliver a 
> > product yesterday, for free, I was put in the position of 
> having to slam dunk 
> > a system.
> > </pre-rant>
> >
> > <rant>
> > It's my conviction that all of this is a management 
> problem.  If the business 
> > owner of the product/project or whatever really gave a 
> rat's a**, error 
> > checking *would* exist in code.  Or, even if the project 
> manager . . . or the 
> > technical lead cared, there would be processes in place *at 
> every phase of 
> > the SDLC* to identify and manage risk and control errors.  
> We learned 
> > (relatively) long ago that the earlier in the SDLC we discover 
> > errors/mistakes/problems the cheaper it is to fix.  
> Rhetorical question:  
> > When was the last time anyone was on a project where there 
> was serious focus 
> > on identifying problems and fixing them as early as 
> possible?  Gotta say that 
> > I was recently on a very large project ( > 10^7 USD) for a 
> very well-known 
> > company and the **_only_** focus was meeting a delivery 
> date.  An important 
> > point is that the delivery date had assumed a certain start 
> date and certain 
> > resource level.  The start date had slipped by several 
> months and the 
> > staffing level was at less than half of the planned level.  
> So, take a guess 
> > how much code review is going on on that project . . . 
> Guess how much testing 
> > will be done.  Guess how much detail *design* was done.  
> Bottom line:  Until 
> > business system owners (whether it be of an internal 
> project or a product) 
> > are held accountable for the security, quality and 
> performance of the systems 
> > for which they are responsible, programmers will continue 
> to work 16-hour 
> > plus days busting their humps and *not* doing any more in 
> their code than 
> > they absolutely have to because they don't have ***TIME*** to.
> > </rant>
> >
> > My very cynical $0.02.
> >
> > Sorry . . . I get this way.  Seems like the people who 
> would care the most, 
> > care the least.
> >
> > Disclaimer:  I work for neither Rational/IBM or the SEI.
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards