[ale] CISSP != happy + OSS

George Allen glallen01 at gmail.com
Fri Oct 22 13:26:02 EDT 2010


Well, it wasn't that the certification itself or the course materials are
overly biased in this sense, but what I got from that particular instructor
showed some of the types of bias I hear back at work pretty clearly. We have
a different instructor today who, being a former Unix guy himself, has a
much different perspective. He even included a 10-minute pitch for truecrypt
during one of the sidebars.

I guess the take away is that there is advocacy at the 'user' and 'IT geek'
levels, but the procurement and management types are still hearing mostly
fear-uncertainty-doubt.

Same thing applied to all the discussions of PKI vs GPG. There are reasons for
both, but in general there was a consensus equating 'web of trust' with
'peer to peer,' and by connotation, filesharing and general badness.

On Oct 22, 2010 10:34 AM, "Joshua L. Davis" <simplehuman at gmail.com> wrote:
> For what it is worth, I'm an "official" CISSP and based on the test I can
> tell you that CISSP != TRUTH in many cases. This is part of the issue in
> DoD. Misunderstandings of OSS. Many folks get this sort of tripe without
> questioning the wisdom. I frankly want to be able to look under the hood if
> I need to. Not having this option inherently creates risk.
>
> Here is a good resource on security and open source if you guys care:
> http://www.dwheeler.com/oss_fs_why.html
>
>
> -Josh
>
> On Fri, Oct 22, 2010 at 7:36 AM, George Allen <glallen01 at gmail.com> wrote:
>
>> I'm taking a CISSP course this week, and unfortunately have to miss
>> the selinux presentation because of it. But it's pretty amazing the
>> bias against opensource built into the course. It even involves a bit
>> of dissonance: nmap, tripwire, nessus, backtrack all these tools are
>> open-source, but the same people talk about "Open-source code gives
>> false security, just because more people can look at the code doesn't
>> mean someone will write a vulnerability into it. Or that someone will
>> find a vulnerability and not say anything until after they exploit
>> it."
>>
>> At this point I piped up to say "Doesn't what you just said violate
>> Kerckhoffs's principle that you just talked about - that a
>> cryptographic algorithm should derive its security from the key, not
>> from the secrecy of the algorithm? Then how can you say publishing an
>> algorithm leads to security with cryptology, and then violates
>> security with software at large?"
>>
>> He didn't really address it.
>>
>> Still, I think the perception is that opensource is made up of random
>> patches from any kid drinking Mountain Dew in their mom's basement.
>> And they don't realize that there's a whole system which actually
>> rejects many patches, and does levels of quality control on both
>> incoming and included patches. Maybe this is one thing the advocates
>> also need to emphasize: that Linux is developed with a process and,
>> albeit with the 'bazaar', it's not flat out anarchy.
>
>
>
> --
> Joshua L. Davis
> 678.831.0182