Schneier on Security
A blog covering security and security technology.
« TSA's Ideal Laptop Bag |
| Me in the News »
March 7, 2008
My Talk on "Dual Use Technologies"
This is video from my talk at CPSR's Technology in Wartime conference.
Posted on March 7, 2008 at 2:16 PM
• 2 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I watched that video and found that, since I read your blog, that it wasn't anything particularly new.
But, then, as Winston Churchill said of writing speeches, you have to repeat the message over and over again in slightly different ways in order to hope for understanding.
I particularly liked your commentary on "assurance" and the mindset required to "get it right"... but, yes, you were also very right that no one, if they have a choice, will want to pay the price.
The real problem w/ assurance is that the _system_ may have some kind of assurance... but nothing guarantees that the applications themselves are assured secure.
Bruce Schneier: you briefly mentioned compartmentation to prevent small errors
propagating into big errors in that talk. Does the same apply with vulernabilities?
If so then wouldnt Operating Systems or runtimes based on object-capability based security (per www.erights.org definition) do nicely on compartmentation?
My experience is that an vulernability in an popular software library such as libpng or libjpeg can be utilized, for instance, to gain access to users data and mail it home to the attacker.
Due to the fact that the proccess running that library has, as default, all of the users access to that users files and resources. Where as if an instance of the library only had access to the raster output for the image, some private working storage and the bytestream containing the images data would only be able to corrupt what were shown in that raster buffer.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.