RE: [External] : Re: What's that line again about 'best practices'?

From: Mark W. Farnham <mwf_at_rsiz.com>
Date: Fri, 28 Oct 2022 09:56:06 -0400
Message-ID: <0f2801d8ead5$06ba83d0$142f8b70$_at_rsiz.com>
ROFLMAO. (for which I apologize, I understand that you are trying to prevent real harm in a real situation, but if I had stitches in my rib cage, I would have ripped them out.)  

Don’t worry. Serious hackers will adopt a “best practice” to pick that overly complex lockset (probably either social engineering to get someone on the deadbolt side to open the door or the equivalent of liquid nitrogen spray and a hammer if they can’t find a sucker and you have something worth that expense to breach).  

Here’s another mwf maxim: “If you adopt a security strategy that results in things judged by the users to be inconvenient, they will find a way to not use your strategy.”  

Sigh.  

Good luck. I suggest trying to promote the “only simplicity can be secure” best practice.  

Perhaps one of the actually expert security folks on the list will suggest a “superior practice” you can use to contend with the “industry best practice” (did anyone vote, or do a comparison of breach rates with other strategies? Where is W. Edwards Deming when you need him?) that is difficult to “argue with.”  

mwf  

From: Chris Taylor [mailto:christopherdtaylor1994_at_gmail.com]
Sent: Friday, October 28, 2022 8:39 AM
To: Jeff Smith
Cc: mwf_at_rsiz.com; oracle-l_at_freelists.org
Subject: Re: [External] : Re: What's that line again about 'best practices'?  

And to give some context to my question, I was in an argument with a cloud developer discussing SSM vs SSH in Amazon AWS and they've disallowed SSH "because we had a breach last year" (the breach was in their data center, before they went to cloud, and improperly hardened SSH).  

Anyway, the adage was thrown out that "industry best practices are hard to argue with" - meanwhile, he ignored that ssh 'best practices' weren't followed when the breach occurred.  

His whole argument for using this convoluted ssm setup could be applied to SSH hardening. Boggles the mind.  

The SSM setup is convoluted as heck for users: get an SSM session, then get an ssh tunnel opened back up to your machine so you can download/upload trace files, patch files, etc.  

Chris    
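The "improperly hardened SSH" point Chris makes above is something you can check mechanically rather than argue about. What follows is an added example, not code from this thread or from any of its participants: a small Python audit of an OpenSSH sshd_config against a hardening baseline, run over a constructed weak config, plus a function that rewrites the failing directives. The directives and the "acceptable" values in BASELINE are my assumptions about what SSH hardening usually means; the thread does not say which settings were missed in the breach, and your own standard may differ. It respects two sshd parsing rules that audits often get wrong: the first occurrence of a keyword wins, and anything after a Match block is conditional.

```python
"""Audit and fix an sshd_config against an assumed hardening baseline.

Added example for the oracle-l thread; not the list's or AWS's code.
"""
import re

# Assumed baseline (not from the thread): (directive, acceptable values, value
# to write when fixing). Values are compared case-insensitively. Adjust to
# your own standard; e.g. some shops allow PermitRootLogin no only.
BASELINE = [
    ("PermitRootLogin", {"no", "prohibit-password"}, "prohibit-password"),
    ("PasswordAuthentication", {"no"}, "no"),
    ("PubkeyAuthentication", {"yes"}, "yes"),
    ("PermitEmptyPasswords", {"no"}, "no"),
    ("KbdInteractiveAuthentication", {"no"}, "no"),
    ("X11Forwarding", {"no"}, "no"),
    ("MaxAuthTries", {"1", "2", "3"}, "3"),
]

# "Keyword value" or "Keyword=value"; a keyword with no value does not match.
_DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s*[=\s]\s*(.*?)\s*$")


def _parse_line(raw):
    """Return (lower-cased keyword, value) or None for comments/blank/junk."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    m = _DIRECTIVE_RE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def parse_sshd_config(text):
    """Map each keyword to its first effective value.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored, and directives after the first Match block only apply
    conditionally, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        parsed = _parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(directive, value found or None, recommended)] for failing checks.

    A directive that is not set explicitly is reported too: sshd's compiled-in
    defaults differ between versions, so a hardened config states them.
    """
    settings = parse_sshd_config(text)
    findings = []
    for name, ok_values, recommended in BASELINE:
        found = settings.get(name.lower())
        if found is None or found.lower() not in ok_values:
            findings.append((name, found, recommended))
    return findings


def harden(text):
    """Rewrite the first occurrence of each failing directive; add missing ones
    before the first Match block (or at the end) so they apply unconditionally."""
    fixes = {name.lower(): (name, rec) for name, _, rec in audit(text)}
    out, done, in_match = [], set(), False
    for raw in text.splitlines():
        parsed = _parse_line(raw)
        key = parsed[0] if parsed else None
        if key == "match" and not in_match:
            out.extend(f"{n} {v}" for k, (n, v) in fixes.items() if k not in done)
            done.update(fixes)
            in_match = True
        if not in_match and key in fixes and key not in done:
            name, value = fixes[key]
            out.append(f"{name} {value}")
            done.add(key)
            continue
        out.append(raw)
    out.extend(f"{n} {v}" for k, (n, v) in fixes.items() if k not in done)
    return "\n".join(out) + "\n"


# Constructed sample of a weak config; not taken from any real host.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, found, rec in audit(WEAK_CONFIG):
        print(f"{name}: found {found!r}, want {rec}")
    print(harden(WEAK_CONFIG))
```

Note that the `PasswordAuthentication no` under `Match User backup` does not rescue the global `yes`, which is exactly the kind of line that makes a config look hardened on a quick grep. Run `sshd -T` on the target host if you want the effective values after defaults are applied, then feed that output to `audit`.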

On Fri, Oct 28, 2022 at 8:15 AM Jeff Smith <jeff.d.smith_at_oracle.com> wrote:

Our ‘Best Practices’ are more like  

‘What we think you should be doing’  

But we know what folks are googling is ‘Best Practices’  

I also hate this term, but it’s what the industry has landed on.  

From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Chris Taylor
Sent: Friday, October 28, 2022 8:11 AM
To: mwf_at_rsiz.com
Cc: oracle-l_at_freelists.org
Subject: [External] : Re: What's that line again about 'best practices'?  

Thank you Mark!  

On Thu, Oct 27, 2022, 4:28 PM Mark W. Farnham <mwf_at_rsiz.com> wrote:

James Morle suggested something along the lines that they should be renamed Usual Practices (or something like that). I’ve called them Standard Minimum Starting Points and I pointed out that the only best practice I know of is to not allow things to be called best practices. Calling something a “best practice” tends to stifle attempts to do better.  

IF you can get something called a best practice into your service delivery standards and you implement that practice, you have a legal defense whether or not the users can do anything.  

Nothing can be proven to be a best practice. Things called best practice are sometimes really just good enough to be acceptable.  

You’ve probably caught the drift I believe “best practice” is a harmful term. Some things called “best practices” are really quite good initial starting points or usual practices that are just fine unless you need something better.  

From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Chris Taylor
Sent: Thursday, October 27, 2022 1:59 PM
To: oracle-l_at_freelists.org
Subject: OT: What's that line again about 'best practices'?  

Mark or someone has an idiom I want to save this time....

Something about best practices being written by people who don't have to support them or something .....  

Chris  

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Oct 28 2022 - 15:56:06 CEST