Full Disclosure mailing list archives
Re: lame bitching about products
From: James Tucker <jftucker () gmail com>
Date: Tue, 17 Aug 2004 10:54:40 -0300
On Tue, 17 Aug 2004 10:44:10 +1000, Gregh <chows () ozemail com au> wrote:
----- Original Message -----
From: "DWreck" <dwr3ckmailbox-fulldisclosure () yahoo com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, August 17, 2004 7:04 AM
Subject: [Full-disclosure] lame bitching about products
Security professionals do NOT bitch about products. They do their best to learn the products they have to live with and secure them.
A good security professional should have an appreciation of the complexity of systems and their interactions. Along with this understanding comes the realisation that no software is likely to ever be perfect. The problems discovered in software should be dealt with in an objective and systematic manner.
What a load of rubbish. Security professionals DO bitch about bad products all the time. It's simply the way humans are built. If something pisses you off, you whinge about it, warn others and find ways around it.
Human nature is very good at wasting time, it would be hypocritical for me to waste any more time discussing this, meanwhile there are security holes all over the place.
I don't like the way Symantec's firewall is now for various reasons but I find other ways. I think Macs just don't cut it for various reasons but I find other ways.
Different people like different interfaces. If two pieces of software / two systems are capable of flawlessly operating and can perform the same useful operations then preference comes from the interface not the abilities. For most end users all of the major players in the industry can successfully produce documents and browse the internet, even play multimedia, with 100% success. Problems occur in these systems when outside factors are introduced, and that is where security comes in. Security professionals who work cross platform (which should be most as your IDS at very least should be different from your desktops) are familiar with changes in interface. The solution is simply to understand all of the functionality of the software and build yourself an understanding of the style in which you have to move / configure in order to successfully use the interface you have been given. In other words a good professional has no cares as to the interface he has to work with, they just do as they need to.
What you need to do is accept that everyone will bitch about whatever they want and employ a mental filter that automatically deletes messages bitching about bad products.
Your point for free speech is fair enough, although much of the bashing / ridiculous statements that are circling currently are absolutely unnecessary and counterproductive.
After all, I haven't tried every damned product in the world so I would like to have something to fall back on if I decide to try a brand of *nix I have never touched.
As above, the interface is merely a preference, but a knowledgeable user has no reason to care about the interface they have to work with. You choose your home desktop OS as you want, but at work, we rarely get the choice we want; who cares? See it as a challenge in abstraction, not a problem. End users are most familiar with an MS style interface, many find that intuitive; personally I find other things more intuitive, however I am more than competent with MS interfaces, both on the command line and in the GUI; thus I have no reason to care, although it would be nice if commands like "route" and "ping" had the same interface, but hey, all it takes is a /? or a -h or a "man" or a "help".
Stop complaining and start learning. If you are a true infosec professional, you will be able to devise and implement an acceptable security architecture to mitigate your client's risk (hopefully cost effectively) no matter what the product mix is.
Up until a point of 0 day issues, but even then there should be measures in place. Often budget does not allow for this though.
Stop complaining about complaining. Just get on with the job!
haha, well this would apply to all replies to this thread surely?
Security is not a religion any more than Medicine is. They are both professions.
Although top members of the IT world tend to be 'geeks' and the reason for this is that the complexity of a single computer is high enough that you could spend most of a lifetime studying it and still not know all of the technologies involved. Medicine can have that level of complexity (getting down to cellular level, chemical level / whatever), but to be a competent doctor there is not normally so much obsession (or granular knowledge) required. That is not to say there aren't exceptions to this; but it is the common situation IME.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
