Re: [Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Rothman: Belva's a Joker (was Could InfoSec be Worse than Death?)
- From: "Tom Harrison" <Tom.Harrison@xxxxxxxxx>
- Date: Wed, 27 Sep 2006 10:14:29 +0100
Hi Ken,
Sorry to chime in at this late stage in the thread, but it's one I've been
watching and trying to get my head around since you started it and I'm running
across similar "problems" to Paul. Because this all seems a little abstract (as
such theoretical discussions are wont to be), I'm going to try and put into
words (using the least detailed of all descriptions, an analogy) where I fail
to see how "Virtual Trust" is anything other than at worst a misnomer and at
best a slight marketing advantage:
Cyril lives in Hackton and owns a local newspaper, The Hackton Times. Every
morning Cyril needs to distribute his product to the general populace (be they
subscribers or resellers), to do this he uses paperboys. The paperboys all ride
bicycles to get them around Hackton (it's a fairly large area so delivering by
hand is impractical). Occasionally these bikes break and need repairing.
In my mind, both the Loss Prevention and Virtual Trust paradigm focus on the
delivery condition (the bikes being functional), the only difference being that
the Virtual Trust paradigm would advocate the active servicing of bikes (the
security of the delivery mechanism) on the basis that this would establish more
"Trust" with customers (they're guaranteed to get their paper) as opposed to
just actively servicing the bikes as part of a standard working practice.
What I can't see is what actual advantage the Virtual Trust model is bringing
beyond the one that loss prevention brings, the same process is happening, the
same costs are being incurred and I can't see the slight establishment of trust
(even when we get into areas where the reliability of the delivery mechanism is
paramount) making much of a difference business wise. The fact you service the
bikes isn't going to let you do anything beyond keep the bikes going and say
that you service them - there's no extra product or anything new that's created
by servicing them. It seems to me that the limited advantage gained by using
the Virtual Trust paradigm is outweighed by the fact that a lot of people
(myself included atm) are going to see it as a way of highlighting a fairly
irrelevant point (Look! We're Secure!) to obfuscate the security process in
order to encourage more expenditure. It seems like you're trying to sell
Security as something other than a method for making something secure.
Sorry if my inane rambling got a little off the mark, I hope you can clear
some of this up for me.
Tom Harrison
> Paul, I admit it takes a bit to change one's perspective from the loss
> prevention to the virtual trust perspective. The loss prevention paradigm
> is very embedded so it is easier to think in those terms. But once you
> begin to think about virtual trust, it will come. You will begin to see
> how the security mechanisms allow us to do things rather than simply
> prevent loss. That's the point (which you actually agree with already). It
> just takes a bit to actually live it.
>
> Ken
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/