Re: Security experts in Mauritius

From: Loganaden Velvindron <logan_at_afrinic.net>
Date: Sun, 1 Nov 2015 13:23:00 +0400

On 11/1/15 12:31 PM, S Moonesamy wrote:
> Hi Logan,
> At 01:49 01-11-2015, Loganaden Velvindron wrote:
>> Mauritians are still deeply rooted in the culture of secrecy, and
>> avoiding talking about problems that impact them.
>
> Yes.
>
>> Let's look at numbers. How many CVE originate from Mauritius ?
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1224
>> https://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc
>>
>> What are the security experts of Mauritius doing ?
>
> That is a CVE for Open Source Software. How many members of LUGM
> contribute to Open Source Software? If it is only a few, it is
> unlikely that you would see CVEs originating from Mauritius. It is
> easy to confuse a software developer with a "security expert". Finding a
> security-related bug does not make the person an "expert". At most,
> the person might have some knowledge about the software in which the
> bug was found.

It's not only LUGM. There are *many* companies in Mauritius relying on
Open Source Software. How many are actually carrying out security
audits and discovering those flaws? The numbers speak for themselves.

Auditing for security flaws involves having good knowledge of software
development, *and* being able to critically analyze code to find a way
to subvert it. A security expert who cannot understand how unbounded
string copies lead to buffer overflows is NOT a security expert. Why
would a security company hire a security engineer who does not
understand those?

Discovering a compromised website is one thing. However, going through
the web application code and discovering the vulnerable code which
allows that to happen is what a real security expert would do. Now, how
to prevent that from happening by rewriting the code is the next step. How
many people can do that in Mauritius? I would be happy to one day see
someone post such an analysis on his blog.
>
> If you could point me to the work of one or more of the "security
> experts" I might be able to comment about what they are doing.
>

As I said, nobody submitted a decent solution for the Heartbleed
security contest, so in my opinion, there are none in Mauritius.

I would be happy to be proven wrong one day.

>> HSC students are now learning computer science and they have a chapter
>> on Security for TLS. How much of that material are they really
>> understanding ?
>
> I did not know that secondary school students were learning about the
> security of TLS. There is an examination to assess their
> comprehension of the material which they were supposed to study.
>
And what about practical applications of those concepts? Implement the
OpenSSL API in a simple client/server model?

>> When I was 16 years old, we were doing those kind of stuff for fun. It
>> wasn't in the syllabus, but heck, we did it for the thrill as we were
>> curious.
>
> Are people learning about security by following a syllabus? :-)
>

And how many can explain the technical details behind Heartbleed? :p

> Regards,
> S. Moonesamy
>
>
>
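
[Editor's note: the example below is added to this archive page and is not
part of the thread or of any code Logan or OpenSSL published. It puts the
two things asked about above side by side in C: an unbounded string copy
that turns into a buffer overflow, and the missing bounds check behind
Heartbleed (CVE-2014-0160, fixed in OpenSSL 1.0.1g). The heartbeat layout
and the check follow RFC 6520 and the OpenSSL fix; the function names, the
NAME_MAX limit and the "sample memory" with a planted secret are constructed
for illustration only.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- 1. Unbounded string copy (classic buffer overflow) ---- */
#define NAME_MAX 8   /* hypothetical fixed-size field */

/* Vulnerable: strcpy copies until the NUL byte and knows nothing about the size
   of dst. A name of NAME_MAX or more characters writes past the buffer. That is
   undefined behaviour, so the function is shown here but never fed such input. */
void set_name_vuln(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened: measure first, refuse what does not fit. 0 on success, -1 if rejected. */
int set_name_fixed(char dst[NAME_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_MAX)            /* keep room for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience wrapper: accept or reject `src` into a NAME_MAX-sized buffer. */
int name_fits(const char *src)
{
    char buf[NAME_MAX];
    return set_name_fixed(buf, src);
}

/* ---- 2. Heartbleed: a length field trusted without a bounds check ---- */
/* RFC 6520 heartbeat: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_HDR 3
#define HB_PAD 16

/* Vulnerable: copies payload_length bytes regardless of how long the received
   record actually is. `out` must hold HB_HDR + 65535 bytes. */
size_t heartbeat_reply_vuln(const uint8_t *req, size_t req_len, uint8_t *out)
{
    (void)req_len;                 /* never consulted: that is the bug */
    size_t payload_len = ((size_t)req[1] << 8) | req[2];
    out[0] = 2;                    /* TLS1_HB_RESPONSE */
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HDR, req + HB_HDR, payload_len);   /* over-reads past the record */
    return HB_HDR + payload_len;
}

/* Hardened: discard any record whose claimed payload plus mandatory padding does
   not fit inside it. Returns the reply length, or 0 if the request was dropped. */
size_t heartbeat_reply_fixed(const uint8_t *req, size_t req_len, uint8_t *out)
{
    if (req_len < HB_HDR + HB_PAD)
        return 0;
    size_t payload_len = ((size_t)req[1] << 8) | req[2];
    if (HB_HDR + payload_len + HB_PAD > req_len)   /* the check the original lacked */
        return 0;
    out[0] = 2;
    out[1] = req[1];
    out[2] = req[2];
    memcpy(out + HB_HDR, req + HB_HDR, payload_len);
    return HB_HDR + payload_len;
}

/* Constructed sample: a 21-byte malicious record immediately followed by unrelated
   data, kept in one array so the over-read stays inside a single allocation here.
   Returns the real record length. */
size_t build_sample(uint8_t *mem, size_t cap)
{
    memset(mem, 'x', cap);
    mem[0] = 1;                  /* TLS1_HB_REQUEST */
    mem[1] = 0; mem[2] = 40;     /* claims a 40-byte payload ... */
    memcpy(mem + 3, "hi", 2);    /* ... but carries 2 bytes, then 16 bytes of padding */
    memcpy(mem + 21, "SECRET-PRIVATE-KEY", 18);   /* "neighbouring allocation" */
    return HB_HDR + 2 + HB_PAD;  /* 21 */
}

/* Byte-string search (the reply is binary, so strstr is not safe to use). */
int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable responder echoes the planted secret back, else 0. */
int vuln_reply_leaks_secret(void)
{
    uint8_t mem[64], out[HB_HDR + 65535];
    size_t req_len = build_sample(mem, sizeof mem);
    size_t n = heartbeat_reply_vuln(mem, req_len, out);   /* n == 43 */
    return contains(out, n, "SECRET-PRIVATE-KEY");
}

/* Reply length from the hardened responder for the same record (0 == rejected). */
size_t fixed_reply_len(void)
{
    uint8_t mem[64], out[HB_HDR + 65535];
    size_t req_len = build_sample(mem, sizeof mem);
    return heartbeat_reply_fixed(mem, req_len, out);
}

int main(void)
{
    printf("name_fits(\"logan\")        -> %d\n", name_fits("logan"));
    printf("name_fits(\"toolongname\")  -> %d\n", name_fits("toolongname"));
    printf("vulnerable heartbeat leaks -> %d\n", vuln_reply_leaks_secret());
    printf("fixed heartbeat reply len  -> %zu\n", fixed_reply_len());
    return 0;
}
```

Compile with `cc -Wall heartbleed_demo.c` and run: the vulnerable responder
returns 43 bytes, 18 of which are the planted secret sitting just past the
record, while the hardened one discards the same record. The over-read is
confined to one array here on purpose; against a live heap it returns
whatever happens to be adjacent, which is how Heartbleed leaked private keys
and session cookies.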
Received on Sun Nov 01 2015 - 08:12:51 PST

This archive was generated by hypermail 2.3.0 : Sun Nov 01 2015 - 09:18:00 PST