Sunday, 14 September 2008

Bad security awards

I wrote recently that I could be excused for complaining a little whilst I'm writing here. Of course I'd like to be constructive in everything I write, but the job of security is so often finding holes that it is a rut we get stuck in, and maybe not a bad one at that.

I recently received an e-book from a provider of security solutions. Their name shall remain private to me at this stage, as shall their niche. What I am going to reveal to the world however, is their utter crapness. The e-book was sent to me, I presume, for approval. I sat and read it for 10 minutes, tutting as I went, and then went to reply. The first draft took half an hour. Then I realised it was slightly offensive and saved it in my Outlook Drafts folder for later adjustment.

I picked up where I'd left off 2 days later, re-reading my draft, adjusting the text to be less rude, and then cutting out whole paragraphs. Eventually I deleted the whole thing and started again. The problem was manifold, and the amount of time I had already spent trying to pick the bones out of it was worthy of being paid. So I replied: "I did write up a full retort to everything in this article, but I realised that I would normally charge for the amount of work I've done on it. My main issue with the article is that it seems to have had headings written by someone who knows about security, but the paragraphs underneath were filled in by a marketing department with access only to Google."

"We've passed it back to our client" was the rather muted reply. I never did hear back; I guess my services aren't required on that one. The thing that really got to me was the laziness: no backing up of wild assumptions, repetition of useless statistics (did you know that 70% of attacks are internal! No way!), etc... the kind of crass, indescribable blah that we read on a daily basis, and yet means entirely nothing.

Still, that isn't the worst piece of security I've seen this week. No, that goes to an internal project that wants to use digital certificates to REPLACE passwords. No way is that one getting through. If there is anyone out there who doesn't understand why this is a bad thing, please ask, I will gladly explain, again...
