[9377] in bugtraq
Re: No Security is Bad Security:
daemon@ATHENA.MIT.EDU (Scott)
Fri Feb 5 06:38:17 1999
Date: Thu, 4 Feb 1999 19:25:24 -0600
Reply-To: Scott <scott@bernadette.net>
From: Scott <scott@BERNADETTE.NET>
X-To: mindrape@HOME.COM
To: BUGTRAQ@NETSPACE.ORG
>>Security is *not* cost-intensive, if you build it in the first time, or
>>add it in as you upgrade your environment, especially as you value it
>>against the total loss of your environment.
>
>How can you determine everyone's cost and value? Some don't care or feel
>they have any need for security, thus incuring unwanted cost. This stems
>from of viewing security as a defensive perspective.
>
I agree with your statement that some don't feel the need for security, thus wanting to avoid
the cost. I disagree with your conclusion that it is OK for them to feel that way. When
people forgo proper security on their equipment it makes them easy prey to become launch
platforms for other abuses that are aimed at folks outside their realm. I liken the
situation to that of mandatory seat-belt laws. According to your argument, people who don't
value their lives shouldn't be made to wear seat-belts. But what happens when they crash and
must be hospitalized? Collectively as a society our insurance rates go up, and if they have
no insurance then the public must bear the additional cost of his medical bills. In other
words by not wearing a seat-belt he places a burden on those around him. The same is true
for those that are connected to some network larger than their own. Insecure boxes place a
tremendous burden on the rest of us. If you are still unconvinced, just look at the headers
of the last SPAM/UCE you got.
Scott Stubbs
bernadette.net
