Schneier on Security
A blog covering security and security technology.
December 18, 2009
Live Face-Off with Marcus Ranum at ISD
Here are the six links to the face-off Marcus Ranum and I did on stage at the Information Security Decisions conference in Chicago.
Posted on December 18, 2009 at 10:59 AM
Ooh, Clash of the Titans. Muharram Greetings!
The only useful metric I have found so far is the comparison of how much time/money you lose due to internal user errors and how much you lose due to external attack.
Once the attackers are less effective than your own people's errors, you've designed the system correctly.
And Marcus Ranum makes a great point about separate networks. I cannot split the networks yet. But I do have them firewalled.
Clash of the Titans? That would be Bruce Schneier vs. Niels Ferguson on anything crypto. Let the battle begin!
(Btw, I got my money on Niels this round. Bruce is still good, but he's been blogging more than building recently. Sorry, Bruce.)
Bruce Schneier: Beyond Thunderdome?
"Two men enter, one man leaves!"
You've been all over the Internet lately, Bruce.
I always like your talks, and Ranum was great as well. Keep doing them.
Mr. Schneier, if you expect to go toe-to-toe with Mr. Ranum and survive, you had best start double-fisting boxes of donuts, bacon double cheeseburgers, extra thick chocolate malts, and whole pound blocks of Velveeta...
I really question the "auto-parts" commoditization of security as an industry. The IT industry we support (live in? love to hate?) has not commoditized, and won't in the next 5-10 years.
Security will always be complex, and reflect the complexity of the technologies that must be secured. Maybe the complexity of implementation technologies is an asymptotic bound for security's commoditization.
I can see why Marcus would want to pump a "pluggable parts" model, since he represents a company that profits from that perspective. Bruce not so much -- don't you thrive economically on the complexity-driven need for external genius consultants?
"I can see why Marcus would want to pump a "pluggable parts" model, since he represents a company that profits from that perspective."
I don't work for such a company and I have been banging on about frameworks and swappable/replaceable parts for some considerable period of time.
One clearly developed system of pluggable parts is the Unix Sys 5 streams system.
The history of this can be traced back through the European efforts at standardisation.
The EU has many disadvantages with regard to standardisation compared to the US.
This is due to the number of countries and vested interests, whilst the US has very, very few organisations.
Oddly though, the "European Problem" actually works to strengthen the standards process and encourages a better method of dealing with issues.
The US tends to be "solutions" focused and the EU "frameworks" focused.
Although "frameworks" are initially more complex, they are in the long run considerably more flexible in use and tend to survive issues that arise with individual "solutions".
The other advantage of frameworks is it is actually easier to design and certify systems built this way.
@Brandioch Conner: "Once the attackers are less effective than your own people's errors, you've designed the system correctly."
Correct, assuming you have reduced internal errors to an acceptable level.
"Once the attackers are less effective than your own people's errors, you've designed the system correctly."
Nice phrase, but I disagree. More like this, "Once your security approach consistently keeps losses to an acceptable level, then you are doing it right." For most businesses, this means firewall, antivirus, and backups. For me, it might mean defect-free crypto. The point is preventing losses and making the right cost/benefit tradeoffs.
On the commodities issue, the IT industry has commoditized quite a bit and security is definitely a commodity. The commodity may be a product or managed service, but the development, pricing, and quality are much like any other commodity. The standardization of hardware, networking protocols, etc. also creates an environment where commodities are profitable. So, while security commodities aren't optimal, they are profitable and the security companies are trying to exploit this. Bruce was simply pointing this out, but doesn't necessarily support the change. He's just realistic.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.