On Tue, 12 Dec 2000, Kathy wrote:
> It appears Bruce does not think very highly of SANS. Is SANS
> lacking the credibility or as dubious as Bruce makes them sound?
> I heard SANS has a decent security conference. Are there better
> alternatives or recommendations?
I think some very good things have come out of SANS and the conference,
but between SANS and Bruce Schneier, I'll take Bruce's word any time. I
know him slightly, and know several of the people who work with him quite
well. I have read his books (recommended), and have always found him
honest and straightforward on security issues. I don't know of an
occasion when, if asked a serious question about security, he has taken
the opportunity for self-aggrandizement rather than answering the question
to the best of his ability.
> In the article, Bruce recommends against SANS rewarding writing a
> virus that auto-fixes a vulnerability. I agree with Bruce in that
> the cure might be worse than the actual vulnerability, but has
> anyone tried this? Did they do it because of the SANS reward?
I doubt it. I'm with Bruce on this one. The act of writing such a virus
would be appealing to people with destructive impulses, and it would not
be difficult to write one, claim the reward, and then spread information
to the cracker community with info about vulnerabilities in this
supposedly-invulnerable tool.
-- Loren MacGregor
Systems Engineer
STS - BRASS