[2696] in cryptography@c2.net mail archive
Re: Liability and Fear Mongering.
daemon@ATHENA.MIT.EDU (Black Unicorn)
Thu May 14 12:37:59 1998
Date: Wed, 13 May 1998 23:40:02 -0500
To: "Arnold G. Reinhold" <reinhold@world.std.com>
From: Black Unicorn <unicorn@schloss.li>
Cc: pgut001@cs.auckland.ac.nz, cryptography@c2.net
In-Reply-To: <v03130300b17ffdadc24c@[24.128.118.45]>
At 09:11 PM 5/13/98, Arnold G. Reinhold wrote:
>Let me see if I've got this straight: You would prefer it if organizations
>used better security software. But you don't like people invoking liability
>fears to sell better practices because you're convinced the courts will
>never make anyone pay for computer security lapses as long as they made
>some effort. And anyone who tries to do it right is a chump because they
>are just creating a paper trail?
No.
I would like organizations to implement strong security measures but I
recognize that their budgets might not permit the kind of expenditure that
is required to really get your hands around enterprise-wide security and in
that case I am suggesting strongly that assessment services, particularly
those that leave damning memos lying all over and no budget to fix the
failings noted therein, be avoided. (This is especially so since we have
identified this rock-and-a-hard-place situation as a hard-sell tactic which
is seeing increased use, and which the article you cited demonstrates
aptly, thanks).
I'm also pointing out that there is an economy to the process of designing
security solutions and that the scare tactics which involve exaggerated
claims of massive liability, particularly by those with no degree in law,
should be recognized for what they are. Fluff.
Finally I note that you can do it right without shooting yourself in the
foot later.
In short:
Buy what you need.
Need what you buy.
Was it my spelling that threw you off? I'll try harder next time.