Live Face-Off with Marcus Ranum at ISD

Here are the six links to the face-off Marcus Ranum and I did on stage at the Information Security Decisions conference in Chicago.

Posted on December 18, 2009 at 10:59 AM • 12 Comments

Comments

Brandioch Conner • December 18, 2009 6:09 PM

re: metrics
The only useful metric I have found so far is the comparison of how much time/money you lose due to internal user errors and how much you lose due to external attack.

Once the attackers are less effective than your own people's errors, you've designed the system correctly.

And Marcus Ranum makes a great point about separate networks. I cannot split the networks yet. But I do have them firewalled.

Nick P • December 18, 2009 10:44 PM

Clash of the Titans? That would be Bruce Schneier vs. Niels Ferguson on anything crypto. Let the battle begin!

(Btw, I got my money on Niels this round. Bruce is still good, but he's been blogging more than building recently. Sorry, Bruce.)

Scott • December 21, 2009 3:27 AM

You've been all over the Internet lately, Bruce.

I always like your talks, and Ranum was great as well. Keep doing them.

John Waters • December 21, 2009 11:19 AM

Mr. Schneier, if you expect to go toe-to-toe with Mr. Ranum and survive, you had best start double-fisting boxes of donuts, bacon double cheeseburgers, extra thick chocolate malts, and whole pound blocks of Velveeta...


Josh • December 21, 2009 3:47 PM

I really question the "auto-parts" commoditization of security as an industry. The IT industry we support (live in? love to hate?) has not commoditized, and won't in the next 5-10 years.

Security will always be complex, and reflect the complexity of the technologies that must be secured. Maybe the complexity of implementation technologies is an asymptotic bound for security's commoditization.

I can see why Marcus would want to pump a "pluggable parts" model, since he represents a company that profits from that perspective. Bruce not so much -- don't you thrive economically on the complexity-driven need for external genius consultants?

Clive Robinson • December 21, 2009 4:37 PM

@ Josh,

"I can see why Marcus would want to pump a "pluggable parts" model, since he represents a company that profits from that perspective."

I don't work for such a company and I have been banging on about frameworks and swappable/replaceable parts for some considerable period of time.

One clearly developed system of pluggable parts is the Unix Sys 5 streams system.

The history of this can be traced back through the European efforts at standardisation.

The EU has many disadvantages with regard to standardisation compared to the US.

This is due to the number of countries and vested interests, whilst the US has very, very few organisations.

Oddly though, the "European Problem" actually works to strengthen the standards process and encourages a better method of dealing with issues.

The US tends to be "solutions" focused and the EU "frameworks" focused.

Although "frameworks" are initially more complex, they are in the long run considerably more flexible in use and tend to survive issues that arise with individual "solutions".

The other advantage of frameworks is that it is actually easier to design and certify systems built this way.

HJohn • December 22, 2009 9:13 AM

@Brandioch Conner: "Once the attackers are less effective than your own people's errors, you've designed the system correctly."
____________

Correct, assuming you have reduced internal errors to an acceptable level.

Nick P • December 22, 2009 11:43 AM

"Once the attackers are less effective than your own people's errors, you've designed the system correctly."

Nice phrase, but I disagree. More like this, "Once your security approach consistently keeps losses to an acceptable level, then you are doing it right." For most businesses, this means firewall, antivirus, and backups. For me, it might mean defect-free crypto. The point is preventing losses and making the right cost/benefit tradeoffs.

Nick P • December 22, 2009 11:47 AM

@ Josh

On the commodities issue, the IT industry has commoditized quite a bit and security is definitely a commodity. The commodity may be a product or managed service, but the development, pricing, and quality are much like any other commodity. The standardization of hardware, networking protocols, etc. also creates an environment where commodities are profitable. So, while security commodities aren't optimal, they are profitable and the security companies are trying to exploit this. Bruce was simply pointing this out, but doesn't necessarily support the change. He's just realistic.
