Slashdot Mirror


The New School of Information Security

Ben Rothke writes "It is 2008 and never has so much been spent on information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure. Obviously something needs to change. And that change is what The New School of Information Security attempts to conceive."

Title: The New School of Information Security
Author: Adam Shostack and Andrew Stewart
Pages: 288
Publisher: Addison-Wesley
Rating: 9
Reviewer: Ben Rothke
ISBN: 978-0321502780
Summary: Information security is highly broken; this book suggests a realistic fix.

Far too much of the security industry has its roots in FUD. Billions of dollars of information security products have been sold, and for what? The book asks why information security is so dysfunctional and why companies so often waste money on security. So what is this thing called the new school? The authors define it as neither a service nor a product; rather, it is a new approach that uses the scientific method and objective data. This in turn brings an entirely new perspective, drawn from diverse fields, to making effective security decisions. The authors rightly believe that using objective data enables better decision-making.

The New School of Information Security is a ground-breaking text in that it attempts to remove the reader from the hype of information security, and enables the reader to focus on the realities of security. The fact that such a book needs to be written in 2008 shows the sorry state of information security.

The book starts out with observations of why there are so many failures within information security. Anyone with experience in security can easily relate to these issues. One recurring theme throughout the book is that poor data, be it research or advertising, negatively affects the state of security. The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusion of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using the vendor's service or purchasing its product.

In creating their new school, the authors have no qualms about attacking the dogma of the current state of information security. From Gartner to the Executive Alliance, the authors show that these groups and others often suffer from issues such as bias and a lack of scientific method. The book notes that the search for objective data on information security is at the heart of the philosophy of the new school. Since there is a drought of objective data today, the book asks how we can know that the conventional wisdom is the right thing to do. The observation is that the current state of affairs is unsustainable for the commercial security industry and for security practitioners.

The title of chapter 5 gives away the theme of the book — Amateurs Study Cryptography — Professionals Study Economics. The idea is that information security must do a better job of embracing such diverse fields as economics, psychology, sociology and more, to make effective decisions.

In some ways, the authors are perhaps too aggressive in their desire for security statistics. One of the most scientific approaches to information security is from CERT (www.cert.org). Yet the authors are not satisfied with CERT's finding that the majority of incidents appear to be insider based. Given what data and statistics we have in 2008, the figures from CERT are certainly good enough. Yes, they could be better, and yes, breach data is not actuarial data, but the data from CERT, combined with recent news and court cases (UBS, Société Générale, etc.), clearly shows that insiders are the most insidious threat.

Also, while the current state of information security is indeed less than perfect, the authors are a bit too condescending toward areas where security is formalized (ISO 27001, etc.) but not yet perfect.

After years of countless massive 1,000+ page security books, The New School of Information Security succinctly spreads its message in a brief 160 pages. In those 160 pages, the authors detail at a high level what needs to be done to create this new school. Therein lies the book's only flaw: its brevity. The authors want to get the concept of the new school out there, but they do not detail enough of the requirements necessary to make it work. They show with clarity how things are broken, but don't do enough to show how to fix them. Let's hope the authors are at work on a follow-up writing those necessary additions.

Some Slashdot readers are likely to question how an author (Shostack) can write a book on security while being employed by Microsoft. Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft. Indeed they have a lot of catching up to do, but it is being done. Put another way, Microsoft has likely spent more on security than China has spent on democracy.

Too much of information security is clearly broken, and The New School of Information Security is about fixing it. The authors' pragmatic approach is a refreshing respite from years of security-product-based FUD and silver-bullet solutions. The approach of the new school is one that screams out to be put into place. It is the job of today's CISOs and CIOs to heed that call, take the initiative, and lead their organizations there. Either they graduate their staff from the new school, or we are faced with more decades of information security failures.

Let's hope The New School of Information Security is indeed a new start for information security. The book is practical and pragmatic, and one of the most important security books of the last few years. Those serious about information security should definitely read it, and encourage others to do the same.

Ben Rothke is a security consultant with BT and the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase The New School of Information Security from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

164 comments

  1. Things aren't getting done because of the experts? by CRCulver · · Score: 2, Interesting

    In my opinion, one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru to security consultant. He now gives only vague pronouncements of security, doesn't seem to seek to empower the community, and his books like Secrets and Lies seem designed to sell Counterpane's services. Has lessening interest in widespread use of crypto led to security experts closing themselves off in consultancy bubbles?

  2. More complex, more problems by techpawn · · Score: 4, Interesting

    Throwing more "experts" at the problem doesn't make the problems go away. Just like making passwords more complex doesn't seem to increase security, especially when the average user doesn't seem to be getting any better (still writing passwords on post-its, etc)

    --
    Ask not what you can do for your country. Ask what your country did to you
    1. Re:More complex, more problems by Anonymous Coward · · Score: 0

      Speaking as an information security professional, I can state with some confidence that the root cause of the problem is that I am not being paid enough.

    2. Re:More complex, more problems by unlametheweak · · Score: 1

      Security exploits (and exploiters) will always tend towards the path of least resistance, and that is the end user. It will always be easier to exploit human weaknesses than computer system weaknesses. One can 'educate' a firewall for example through patches or rules and this will often be 'good enough'. On the other hand, one can educate a human, and they will be highly inconsistent (and often times down right stupid) in adapting what they learn into practice.

      Security systems need to be equally hardware and software based as much as they are based on human accountability, ineptitude, arrogance, ignorance and all the other human traits that will inevitably be the failure of any highly complex security system. Any security model that gives more emphasis to technology than to human vulnerabilities will ultimately fail.

    3. Re:More complex, more problems by Stevecrox · · Score: 1

      I agree completely with this, at university I was given a random 8 digit password consisting of letters, letters (small and upper) and symbols. Because the systems demanded all of them I kept it.

      Unfortunately where I work most passwords have to conform to the same standard but must be rotated every 3 months and can't repeat for a year. Next month I reach the point where I'm going to have to make something up and most probably I'll have to write it down (ran out of permutations.)

      Passwords are a great idea except there doesn't seem to be any standardisation on them, my bank wants a 12 digit id and min 8 digit number based password, my hotmail/msn won't allow symbols, another online email I have requires a max 6 digit symbol/letter combination. In work I have 4 different systems I use each of which has different password requirements and each has a different expire period, various online accounts won't allow numbers (an old forum for example) some dislike symbols, Steam won't accept my university password. I have about twenty passwords I need to remember, change and update.

      What we need for security is password standardisation, a choice by as many companies as possible as what they expect a password to be with support for symbols letters and numbers in every application.

    4. Re:More complex, more problems by techpawn · · Score: 1
      Quoting AC:

      Speaking as an information security professional, I can state with some confidence that the root cause of the problem is that I am not being paid enough.
      Maybe you should get a book deal...
      --
      Ask not what you can do for your country. Ask what your country did to you
    5. Re:More complex, more problems by SlamMan · · Score: 1

      Just wait until one of those systems is compromised, and your password for all of your systems along with it. Password standardization is not such a good thing.

      --
      Mod point free since 2001
    6. Re:More complex, more problems by Sancho · · Score: 1

      Writing passwords on post-it notes isn't a bad idea. Leaving the post-it notes with passwords outside of your control is what's bad.

      I write passwords on post-it notes all the time (I use post-its only because of the stigma--I could just as easily use index cards.) You know what I do with them? I put them in my wallet. I've had a couple of decades of training on keeping tabs on my wallet, so I'm not concerned about it. And if someone is going to rob me, or break into my house in order to get passwords, the battle is honestly probably lost--they could just as easily put a gun to my head and demand the password.

    7. Re:More complex, more problems by PawNtheSandman · · Score: 1

      Password + Biometric. Your password is useless unless they cut off your finger.

    8. Re:More complex, more problems by Sancho · · Score: 1

      Well, that's not an option for many of the systems to which I have logins. Also, fingerprint biometrics are so easily defeated that we aren't adding much security here. I haven't read much on other forms of biometrics, but I do know enough to know that revocation in the event of compromise is pretty harsh.

    9. Re:More complex, more problems by compro01 · · Score: 1

      or you happen to leave your fingerprints somewhere. typical biometric "security" systems are so easily broken it's hilarious.

      --
      upon the advice of my lawyer, i have no sig at this time
    10. Re:More complex, more problems by Jaime2 · · Score: 1

      Standardization of passwords is just a work-around (and a dangerous one). The real problem is the appalling lack of single sign on. There are tons of commercial and free implementations of LDAP and other Directories, and a lot of major applications support them. However, it is very difficult to convince developers of small projects to get on board and it is very difficult to convince admins and architects of the importance of single sign on. With a decent sso system, you wouldn't have to make your passwords match, you would only have one password.

      There is actually a huge flaw in the whole use-the-same-password-everywhere mentality. If someone compromises the cheesy blog that you use, they get the password to your online bank accounts. If someone sniffs the password from an unencrypted packet to an Intranet site, they have your network logon.

    11. Re:More complex, more problems by Zeinfeld · · Score: 1
      Throwing more "experts" at the problem doesn't make the problems go away. Just like making passwords more complex doesn't seem to increase security, especially when the average user doesn't seem to be getting any better (still writing password on post-its, etc)

      The obfuscation of passwords started in 1990 or thereabouts when crack first appeared and there was a need to strengthen the passwords to prevent the brute force attack taking less than a day.

      Forcing users to include a digit increases the search complexity by only an order of magnitude at best, it might even reduce the search space by encouraging use of shorter passwords (ten digits, but 26 characters). Forcing capitalization has no effect since it is almost always the first letter that is capitalized.

      Since these silly restrictions were put in place computers have become roughly four orders of magnitude faster. Today a strong password would be ten characters.

      It is all superstitious pseudo-security. If you want security you do not use a password.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    12. Re:More complex, more problems by Jansingal · · Score: 1

      conspiracy theory!!!

      but that is really why people are so scared of iris and retina readers.

    13. Re:More complex, more problems by Jansingal · · Score: 1

      >>>> typical biometric "security" systems are so easily broken it's hilarious.

      that is 1000% false.
      they were never so easy, all the more so now.

      Please, give me one, only one example of a biometric system so easily broken it's hilarious!!

    14. Re:More complex, more problems by The+Archon+V2.0 · · Score: 1

      Unfortunately where I work most passwords have to conform to the same standard but must be rotated every 3 months and can't repeat for a year.

      Password security can easily go overboard. At my last workplace there was an insane setup - of the five passwords I had, one had to be changed every 30 days and the genius programmer who made the application* had mis-coded a check for dictionary-based passwords. Any occurrence of ANY dictionary word failed and gave a cranky error/warning about not picking easy passwords. (Without explaining WHY it was easy, for maximum user frustration.) The password "1F@62it76#" was deemed not easy because of the "it" in the middle.

      (* The only reason I don't add "genius tester" is because I suspect the app was never tested.)
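The mis-coded dictionary check described in the comment above, as an added example that is not code from the thread or from any product: the overbroad substring version sits beside a corrected check that only rejects passwords a dictionary attack would actually find. The mini-wordlist and the substitution table are constructed for the example; a real policy check would load a full wordlist.

```python
import re

# Constructed mini-wordlist standing in for a real dictionary file (assumption:
# a production check would load a full list, not a hand-picked set).
WORDLIST = {"it", "password", "welcome", "summer", "letmein", "admin", "dragon"}

# Common letter-for-symbol substitutions that a cracker's rule set undoes
# (constructed table; real rule sets are far larger).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def naive_dictionary_check(password, wordlist=WORDLIST):
    """The overbroad check from the thread: any dictionary word appearing
    anywhere as a substring rejects the password.  Returns the offending
    word, or None if the password is accepted."""
    lowered = password.lower()
    for word in sorted(wordlist, key=len):
        if word in lowered:
            return word
    return None


def dictionary_check(password, wordlist=WORDLIST, min_word_len=4, max_fraction=0.6):
    """Corrected check.  A password is rejected only when
      1. the password, minus leading/trailing digits and symbols and with
         common substitutions undone, is itself a dictionary word, or
      2. a dictionary word of at least min_word_len letters makes up at
         least max_fraction of the password's length.
    Short incidental substrings such as "it" never trigger a rejection.
    Returns (accepted, reason)."""
    lowered = password.lower()
    # Strip decoration at the ends first, so "Welcome1!" becomes "welcome"
    # before the "1" -> "l" substitution could turn it into "welcomel".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered).translate(LEET)
    if core in wordlist:
        return False, f"'{core}' is a dictionary word with trivial decoration"
    for word in sorted(wordlist, key=len, reverse=True):
        if len(word) < min_word_len:
            continue
        if word in core and len(word) >= max_fraction * len(password):
            return False, f"'{word}' makes up most of the password"
    return True, None


if __name__ == "__main__":
    for pw in ["1F@62it76#", "P@ssw0rd1", "Welcome1!", "mydragon1", "xq9#Lm2$"]:
        print(pw, "naive:", naive_dictionary_check(pw), "fixed:", dictionary_check(pw))
```

Note that the naive check is wrong in both directions: it rejects "1F@62it76#" for the "it" in the middle, yet accepts "P@ssw0rd1" because the substitutions hide the word from a plain substring match.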

    15. Re:More complex, more problems by sasserstyl · · Score: 1

      I recommend you check out the MythBusters episode where they prove you wrong pretty conclusively in the fingerprint recognition space.

      You can find the episode here:

      http://www.surfthechannel.com/info/television/Mythbusters/38926/S4E16.html

    16. Re:More complex, more problems by Jansingal · · Score: 1

      >>>>Also, fingerprint biometrics are so easily defeated that we aren't adding much security here

      another person made a similar comment.

      can you please reference evidence that shows fingerprint biometrics are so easily defeated in the real world. Not in a test lab.

    17. Re:More complex, more problems by Sancho · · Score: 1

      I'm not aware of any cases of break-ins involving fingerprint biometrics, if that's what you're asking for. But just because it hasn't happened (or been reported on) does not mean that they are secure.

    18. Re:More complex, more problems by Jansingal · · Score: 1

      so you are not aware of any cases, you have no evidence, no reference, but you throw out a leading comment.

      Isn't that a classic example of FUD?

    19. Re:More complex, more problems by Sancho · · Score: 1

      You seem to be a classic example of a troll.

      You only asked for non-lab examples. There have been multiple, independently run tests of the technology and how it can be fooled. As I said in my reply, that it hasn't been done in the field is not pertinent.

      But thanks for playing. You won't be hearing from me again.

    20. Re:More complex, more problems by Jansingal · · Score: 1

      So someone who asks for real-world evidence is a troll?

      you must be a smoker :)

    21. Re:More complex, more problems by uniquegeek · · Score: 1

      Only if you're stupid enough to use the same password for something that requires security and something that doesn't. Frankly, if someone hacks into my user accounts that I could care less about, I could... care less. My banking and very personal info have secure unique passwords. Everything else uses the same one or two passwords. It would be annoying if my blogger or hotmail account went down, but I'd live. The type of stuff I blog about isn't identifyingly personal, and my hotmail is used for junk.

    22. Re:More complex, more problems by Morrigu · · Score: 1

      Use KeePass.

      I've been using it for over 3 years, and have somewhere north of 200 passwords stored for different systems, sites and organizations.

      It'll even generate new random passwords for you and can keep track of expiration dates.

      --
      "We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
    23. Re:More complex, more problems by Lobster+Quadrille · · Score: 1

      Here's one:

      I used to do work for a local car dealership. They had a system that used biometric inputs to unlock the safe with all the new cars' keys.

      After watching the mythbusters episode in which they unlocked biometric devices with a printed scan of a fingerprint, I tried the same. Unsurprisingly, it worked. What was surprising was that it gave fewer 'false' negatives than my actual finger.

      There you go, a production, not a lab environment, though I did not use that for an actual attack at the time.

      If you think that nobody has ever used that in an attack, you are fooling yourself.

      I have since used the same technique several times in pentests, again in production environments.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    24. Re:More complex, more problems by Jansingal · · Score: 1

      Please let us know the brand and version of the hardware/software used.

      My guess is that this occurred some years ago.

    25. Re:More complex, more problems by Lobster+Quadrille · · Score: 1

      I saw it when it hit digg, which was apparently 1 Year, 220 days ago. I don't recall the specific model of hardware or software, but I've since used it on several other systems as well.

      At least one example- while not anywhere near top-quality equipment, the Microsoft Fingerprint Reader is vulnerable, and is the class of device that you're likely to see on most consumer machines, as well as in a good percentage of offices.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    26. Re:More complex, more problems by Jansingal · · Score: 1

      there are indeed more robust solutions.
      so... this is an OLD problem.

      hardware/software is NOW more resilient.

    27. Re:More complex, more problems by Lobster+Quadrille · · Score: 1

      This is an old problem, but it is still not one that has been fixed today- the reader I linked to is a popular one, and is still actively marketed by Microsoft.

      Yes, there is more resilient hardware and software out there, and has been for a long time. I personally have my doubts about these devices as well, but don't have the funding to go buying them for the sole purpose of breaking them.

      At any rate, your claim was that people don't actually exploit this outside of the lab, and I pointed out that the devices it is easiest to exploit are also the most commonly encountered ones, and it is very likely that they have been exploited before.

      Decide what your point is before you try to argue it.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    28. Re:More complex, more problems by Jansingal · · Score: 1

      I have many points, all arguable.. and valid!

  3. Breach notification laws are a start by Beryllium+Sphere(tm) · · Score: 4, Interesting

    One crippling problem with gathering hard numerical data about security is that so many incidents go unreported. A few make it into books, a few make it into the press, but most are solved internally.

    If you have a fire, the fire department will write it down and it will go into national statistics that fire insurance companies can bet money on. If you have a security breach, would you even try involving law enforcement?

    Another hassle is that so many of the costs are hard to quantify. Loss of revenue after a fire is something you can pin down. Loss of reputation or consumer confidence after a breach? The numbers will be uselessly fuzzy.

    1. Re:Breach notification laws are a start by CRCulver · · Score: 1

      If you have a security breach, would you even try involving law enforcement?

      With all the stories of police seizing computer equipment in criminal investigations and then never returning it, even after years have gone by and even if no one was found guilty, I'd be reluctant to involve the police.

  4. The irony is thick enough to cut with a laser... by argent · · Score: 4, Insightful

    Compare and contrast these two quotes:

    Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better.

    And:

    Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft.

    "Do as I say, not as I do?"

  5. The problems is fundamental to the technology... by tgatliff · · Score: 1, Interesting

    The issue is not how we handle security, but rather a fundamental flaw with the technology itself..

    Meaning, the design of files themselves make it too easy to copy them. Also, trying to slap on some sort of encryption layer is laughable at best because once the encryption is removed all security goes along with it.

    In my opinion, as an industry we need to re-examine how documents are managed. I suspect a considerably better approach is more of a "looking glass" to managing data where instead of actually having the physical files move around the network, you instead have sort of a vnc type approach where you only view the document where it resides. Yes, there are a lot of complexities to this approach, but fundamentally I think this is where the industry needs to go...

  6. M$ Security Spending by Apple+Acolyte · · Score: 1

    "Even with all its security issues, what many do not realize is that no software company has spent more on security in the past decade than Microsoft." I guess that goes to show us that security is one problem you can't just throw money at and make it go away.

    --
    Part of the hardcore faithful who believed in Apple long before it was cool again to do so
    1. Re:M$ Security Spending by Sancho · · Score: 1

      I guess that goes to show us that security is one problem you can't just throw money at and make it go away.

      Well, it will be a long time before anyone figures out how to make security problems go away. Microsoft has really increased the security of their systems over the past couple of years, so while throwing money at it isn't making the problem go away, it has certainly seemed to help a bit.

      Oh wait, I'm sorry, I forgot what site I'm on. Ignore the facts above--MICROSOFT SUCKS!
    2. Re:M$ Security Spending by Daffy+Duck · · Score: 1

      Many people also don't realize that no software company has spent more on lunches in the past decade than Microsoft. I don't think that makes them an authority on food, though.

    3. Re:M$ Security Spending by Jansingal · · Score: 1

      dude, things take time.

      MSFT has done their part. now the end-users need to use that functionality!

  7. Security too important for Security experts by Presto+Vivace · · Score: 1

    I hope everyone reads this book. I think they make a great point about looking at business practices as security vulnerabilities.

  8. WHAT?!!! by explosivejared · · Score: 3, Insightful

    The authors astutely note that security advertising often does a disservice to the security field because it glosses over complex problems and presents the illusions of a reality in which a security panacea exists. It makes the buyer believe they can reach that panacea by using their service or purchasing their product.

    MARKETING causes problems?!! I'd have never dreamed of such a concoction of lunacy! This guy wants to make us think we'd actually be safer without the Nortons and McAfees of the world. I tell you this buddy, you can pry my annual $50 subscription from my cold dead hands!! I say we hunt down this guy with torches and rope in hand!

    No, I do not work for Norton. What a silly question. That thousand bucks the guy in the Norton shirt just gave me is totally normal, so never you mind it. Anyways, lynch the heretic!

    --
    I got a catholic block.
    1. Re:WHAT?!!! by Jansingal · · Score: 1

      my guess is that he likely refers to things like ads in magazines like CIO where mgmt makes marketing based decisions there.

  9. Re:Things aren't getting done because of the exper by Anonymous Coward · · Score: 0

    In my opinion, one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru to security consultant.

    A great man once said, "Logic is the beginning of wisdom -- not the end." The same can be said of cryptography and security. Crypto is an essential tool, but we shouldn't expect that it can solve our problems with a single wave of the twofish wand. What's the point in spending all your time figuring out slight improvements to your secure channels, if your employees keep getting phished out the whazoo?
  10. Only Two Words To Remember by Anonymous Coward · · Score: 0

    Devry Institute*

    *Credits unlikely to transfer.

  11. Ah, little too much of a socialist lens? by tjstork · · Score: 4, Insightful

    The difference between the rich and the poor is greater than ever, and power over the unwilling must be maintained through security.

    What... criminy... can you put down your Karl Marx for a second and look at the reality.

    The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries.

    There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.

    I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keeps score on who has what.

    --
    This is my sig.
    1. Re:Ah, little too much of a socialist lens? by Anonymous Coward · · Score: 2, Insightful

      Guess what? If you are stupid, you will not get rich.

      Don't you think this generalizes just a little bit? My guess would be that out of the, you know, billions of poor, their poverty is more a result of circumstance than being "stupid." Hard for everyone to be smart w/out food, water, sanitation, rule of law, or school.

      And there are plenty of dumb rich people. Arrogant ones, too.

    2. Re:Ah, little too much of a socialist lens? by ShieldW0lf · · Score: 2, Interesting

      The difference between the rich and the poor is greater than ever, and power over the unwilling must be maintained through security. What... criminy... can you put down your Karl Marx for a second and look at the reality. The solution is to re-engineer the economic system, to prevent people from having the capability of getting so rich that poor people feel they are better off attacking or exploiting the system than they are living within its boundaries. There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich. I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keeps score on who has what.

      I am quite sure that your Choir, which is quite large, will appreciate your preaching.

      However, it is not the stupid people who are successfully destroying security. It is the smart people. And it is not the smart people who are rich. It is the vicious people who are rich, and they are quite often stupid.

      If you were right, and I were wrong, then this article would not have been written, and the situation would not be in the state it is in. The evidence is not on your side.

      --
      -1 Uncomfortable Truth
    3. Re:Ah, little too much of a socialist lens? by iamdrscience · · Score: 2, Funny

      Guess what? If you are stupid, you will not get rich.
      What about lottery winners? They're not just stupid and rich, they're rich because they're stupid. It's what makes America great.
    4. Re:Ah, little too much of a socialist lens? by ElAsturiano · · Score: 1

      um... dont tell me... you are one of those people who makes less than $100k and votes republican, right?
      keep it up, champ!

      --
      http://frag-legion.uk.net/wiibar/mario-57327995510 90669.png
    5. Re:Ah, little too much of a socialist lens? by morgan_greywolf · · Score: 0, Flamebait

      Guess what? If you are stupid, you will not get rich.
      Uh, Steve Ballmer is a multi-billionaire. Rich? Yes. Stupid? Hell, yes. Ballmer rode Bill Gates' shirttails all the way up for fame and fortune; he would have never gotten rich if it weren't for Gates' shrewd business sense. Gates was the brains, Ballmer was always the brawn.

    6. Re:Ah, little too much of a socialist lens? by m.ducharme · · Score: 2, Insightful

      If you are stupid, you will not get rich.

      Sorry, but some fairly basic stats work will show that though your statement is correct, it could equally apply to intelligent people, ambitious people, basically anyone. The socialist objection is that for any randomly chosen person, no matter what that person does, her odds of getting rich are essentially nil, and the current economic system is rigged to maintain that status quo.

      The socialist seeks to find the regulatory changes that would make the economic system more equitable. I for one don't think that limiting how much money one person can make is quite the right way of doing it: I'm more in favour of putting limits on how much money can be passed from parent to child. We could allow anyone to pass on only enough money to their children so that they would enjoy, as an example, a comfortable, middle class lifestyle for the rest of their lives, and no more, mandating that the rest of the money or assets or whatever be put back into the economy directly, instead of waiting for Junior to spend it or not.

      The problem with both sides of the debate (capitalist vs socialist) is that Economics is Hard, and the solutions to the world's woes are more likely to come from careful, subtle economic and regulatory fiddling, not from grand platforms presented by politicians on the Left or Right, designed to garner votes. But nobody wants to hear that.
      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
    7. Re:Ah, little too much of a socialist lens? by kalidasa · · Score: 1

      Guess what? If you are stupid, you will not get rich.

      Disproof by contradiction. And just in case you decide to say that "getting rich" doesn't include inheriting (even though inheritance is the biggest factor in persisting inequitable distribution of wealth), note that Ms. Hilton probably earned about $7M in 2005-06.

    8. Re:Ah, little too much of a socialist lens? by Anonymous Coward · · Score: 0

      The rich are smarter than the rest of us? Funny, I always thought they were just more ruthless. You know, JP Morgan selling defective rifles in the Spanish Civil war to start his business, or Rockefeller sending his goons in to force competitors to sell their business out to him. Or Preston Bush making deals with the Nazis (ditto for Henry Ford).
      I always love it when cheerleaders for the wealthy beak off. Keep sucking up, and who knows, maybe they'll let you clean the pool this weekend.

    9. Re:Ah, little too much of a socialist lens? by Deanalator · · Score: 1

      There's always going to be jealousy and that jealousy is more the fault of the have-nots than the haves. Guess what? If you are stupid, you will not get rich.

      I would argue that economic factors play a much larger role than some notion of "intelligence". Sure there are plenty of drug addicts that rob random people to get their next higher fix, but a large portion of crime, especially information crime is done by intelligent people who simply have a hard time making a decent living by more conventional means.

      Also, if you think that people who are "stupid" are capable of running even small scams or criminal organizations, you are sorely mistaken. Poor intelligent people don't steal from dumb rich people because they are "jealous". They often just believe that wealth has been misappropriated.

    10. Re:Ah, little too much of a socialist lens? by wytcld · · Score: 2, Insightful

      In the 1960s, when America was enjoying successful capitalism unequaled since, top executives made about 35 times as much as line workers. Now, as our dollar sinks along with our position in the world, top executives make over 350 times as much as their line workers.

      The last time income distribution was as skewed to the richest 1/10th of 1% as it is now was at the beginning of the Great Depression. Because capitalism failed then, we got all these socialist New Deal programs foisted on us. The hard-core Marxists want capitalism to fail again like that. It's precisely when they can get more of their programs in place. So, as a great fan of capitalism, I have to say our current repeat of the mistake made in the 1920s seems less than brilliant.

      --
      "with their freedom lost all virtue lose" - Milton
    11. Re:Ah, little too much of a socialist lens? by modmans2ndcoming · · Score: 1

      I always love how nut job capitalists think if you are poor then you deserve to live without dignity or the ability to make ends meet.

    12. Re:Ah, little too much of a socialist lens? by modmans2ndcoming · · Score: 1

      Those "socialist" programs and reforms are what kept capitalism from killing itself in America.

    13. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      Disproof by contradiction [wikipedia.org].

      And, not only is your case weak as a generalization, it might even be weak in that instance. Is Paris Hilton stupid? She might not know calculus, but, she has managed to turn herself into a highly profitable brand. There's some brains in that, for sure.

      --
      This is my sig.
    14. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      Poor intelligent people don't steal from dumb rich people because they are "jealous". They often just believe that wealth has been misappropriated.

      Misappropriated? That's a rationalization. They do it because they rationalize their own bad decisions into a sense of victimization and convince themselves they are entitled to do something wrong.

      Liberalism would go along way if it could just admit that people who are in tough spots got there most of the time because either they or their leaders screwed up.

      I mean, look at black america. That's a minority group that has just been screwed. With a huge tech boom just behind us, there's no reason black america should be any poorer than white america is, but what happened?

      Many whites jumped off of manufacturing and into technology, whereas black america - in some parts of the country, jumped off of a cliff. While whites were getting into engineering and building the likes of Sun, Microsoft and Oracle, blacks interpreted their economic plight through the lens of 1960s liberalism and in doing so missed the greatest wealth generating opportunity of a generation.

      Now, there are of course other circumstances, too, that play into that. Schools in many poor black areas tend to suck and no solution has been found for the drug problem that pervades poorer neighborhoods. But in both of those cases, liberal policies have completely undermined their communities.

      Look at schools. We've had voucher ideas on the table now for 30 years and instead, libs choose teacher's unions over students. Look at drugs. So many libs give a wink and a nod to drug culture and laughed at Nancy Reagan's just say no campaign that it completely undermined. Guess what? Kids need to learn how to say no to drugs, and that message needs to be reinforced by everyone. Look at even the arts. White people haven't done crap in the arts in America compared to blacks, for probably around 100 years - particularly in music, but even the most popular black music is filled with basically useless and counterproductive messages. Where's the liberal leadership on that? I mean, how many well off liberal families, where mummy and daddy are professors with a good bit of stock, actually tell their kids to hate people, sell drugs, beat women, and shoot cops. No, they don't. They tell their kids to stay clean and stay in school and get an education.

      Now, on the flip side of the coin, there's an area where racism probably still plays a part, and that is capitalization. Does a black owned business, on its merits, have the same chance of attracting venture capital as a white business? Even there, Republican policies could have worked, for example, if we had created a public social security system and invested it, as Bush suggested, you could have had people using that capital to fund minority businesses at the same rate. You could have turned Wall Street into an ally against poverty... but instead, you had to look at things.

      Even Reverend Wright said one thing - when he took up (sic), for Louis Farrakhan, it was that, -anything- that helps minorities get ahead is a good thing. But instead, libs demonize the source or the solution, unless it is a government program they can stuff patronage jobs into.

      It's sad, really, it's just sad. Hopefully, with the next coming boom in better food production and alternative energy, African Americans will stick to leaders that get their kids the best possible education, so they can have a generation with the tech know-how and marketing savvy to come up with a product and then the capital to market it. The best future for minorities, really, isn't some socialist mecca, it's a country where minorities realize that they too could be the next car company that supplants GM the same way Microsoft knocked off IBM and Netscape, bringing billions of dollars into their communities the same way tech businesses pour money into Seattle.

      --
      This is my sig.
    15. Re:Ah, little too much of a socialist lens? by Anonymous Coward · · Score: 0

      However, it is not the stupid people who are successfully destroying security. It is the smart people. And it is not the smart people who are rich. It is the vicious people who are rich, and they are quite often stupid.
      You are kind of wrong, but kind of right. The statement about vicious people being rich makes no cents (so to speak). All you need to become rich is delta T (compound interest). Additionally it is a few smart people who are poor (or at least not rich) selling tools/exploits to stupid people (who are also not rich). Aside from some of the upper levels of organized crime I doubt that there are very many people who are rich doing a lot of damage to the security industry. Also I think the stupid people do more damage because there seem to be a lot more of them.

      "You think Einstein walked around thinkin' everyone was a bunch of dumb shits?"
      --Idiocracy

    16. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      In the 1960s, when America was enjoying successful capitalism unequaled since,

      Well, there were some special circumstances... like, all of our rivals were either firebombed, a la Europe or Japan; broke, like the UK; or didn't want any economic ties, like the Soviet bloc. So there was -only- American manufacturing...

      and even then, if everyone was so happy, why were there so many riots?

      --
      This is my sig.
    17. Re:Ah, little too much of a socialist lens? by Anonymous Coward · · Score: 0

      True, here is a better example then

    18. Re:Ah, little too much of a socialist lens? by ShieldW0lf · · Score: 1

      Misappropriated? That's a rationalization. They do it because they rationalize their own bad decisions into a sense of victimization and convince themselves they are entitled to do something wrong.

      No. They decide that the prevailing social contract is not one they are prepared to accept. Law and order is not an inviolate thing. It is a social contract, agreed to by all participants in the society. If you agree to be a part of the social contract, it is wrong to violate it. If you do not agree to it, it is not wrong to violate it, any more than it is wrong to violate the laws of a foreign land when you are not on their soil.

      When a society's laws only serve the few at the top, the rest of the people have no inherent obligation to obey them.

      If it is your opinion that my statements are false, then that means you are a supporter of totalitarianism. This is the only perspective that allows the rule of law to overrule a citizen's desire not to participate in a society. Free societies are made of people who voluntarily participate because the co-operation and leadership empowers them.

      --
      -1 Uncomfortable Truth
    19. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 0

      If it is your opinion that my statements are false, then that means you are a supporter of totalitarianism. This is the only perspective that allows the rule of law to overrule a citizen's desire not to participate in a society. Free societies are made of people who voluntarily participate because the co-operation and leadership empowers them.

      That statement is utterly absurd because you are attempting to justify treason. With your definition of a free society, you expect to receive all of its benefits and honor none of its obligations.

      If you do not agree to follow the rules of the boat, then everyone else on the boat is well within their right to kick you off and toss you into the water.

      Similarly, if you do not like the laws of the USA, then you can either live with them and work to change them, or you can have a revolution and impose your own by force of arms, or you can leave. If you choose to stay, and violate those laws, then by definition, you are a traitor to those who don't, and they have every right to do with you what they will.

      --
      This is my sig.
    20. Re:Ah, little too much of a socialist lens? by ShieldW0lf · · Score: 2, Informative

      That was obviously a very heartfelt post. It's a shame you don't have the first clue what treason actually is.

      Being that you're an American, treason in your country is defined in this way:

      -//-
      Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

      The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted.
      -//-

      In other words, treason is a crime that does not exist except where there is war.

      If you want to get right down to brass tacks, the US was created because they were traitors to the British Crown. Your entire nation is founded on treason.

      And, of course, the Confederates of the Civil war were also, one and all, guilty of treason against their own nation. By law, the wealth of traitors is not subject to inheritance.

      Therefore, according to your own laws, the entire south is government land, and no private citizen there has any right to it. Political concessions, how sweeping the changes they create, eh?

      You need to develop a slightly more mature attitude about these things. It's going to be very important, very soon.

      --
      -1 Uncomfortable Truth
    21. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      The socialist objection is that for any randomly chosen person, no matter what that person does, her odds of getting rich are essentially nil, and the current economic system is rigged to maintain that status quo.

      But the flipside is that, even if a person does not get rich, if he works hard and works smartly, he or she will inevitably improve himself or herself. I've got one statistic that proves that point undeniably - education. People with degrees tend to earn far more over a lifetime than people that don't. Those people that went to college either worked harder, or worked smarter, made a commitment and invested themselves, and yes, they do finish on top.

      I for one don't think that limiting how much money one person can make is quite the right way of doing it: I'm more in favour of putting limits on how much money can be passed from parent to child

      This I can agree with but with the exception of businesses. I say this not because I believe in a meritocracy over a nobility. I say this because those businesses that stay family held tend to take a longer term view than public corporations, have better working conditions for the people and tend to be a better part of the community. But if you own a bunch of stock and real estate that's really just a big collection of stuff, then, that's all up for grabs by the government. And, if the family had a big business, and sold it, like Wanamakers did, then, yeah, those investments that were there should probably be taxed at the point of sale.

      --
      This is my sig.
    22. Re:Ah, little too much of a socialist lens? by m.ducharme · · Score: 1

      But the flipside is that, even if a person does not get rich, if he works hard and works smartly, he or she will inevitably improve himself or herself. I've got one statistic that proves that point undeniably - education. People with degrees tend to earn far more over a lifetime than people that don't. Those people that went to college either worked harder, or worked smarter, made a commitment and invested themselves, and yes, they do finish on top.

      This only applies to people with access to education, whether that access is economic or geographical. My thinking isn't just about the average North American who has a school down the street and a community college in the next town over. I'm thinking about the "superghettos" that are growing in cities all over Africa, South America, Asia, where millions of people per city are packed into neighbourhoods consisting of cardboard or mud shacks.

      There are billions of people on the planet who work as hard as they can to accumulate just enough wealth to not starve. They have no time to get an education and no schools to go to if they wanted one.

      I for one don't think that limiting how much money one person can make is quite the right way of doing it: I'm more in favour of putting limits on how much money can be passed from parent to child

      This I can agree with but with the exception of businesses. I say this not because I believe in a meritocracy over a nobility. I say this because those businesses that stay family held tend to take a longer term view than public corporations, have better working conditions for the people and tend to be a better part of the community. But if you own a bunch of stock and real estate that's really just a big collection of stuff, then, that's all up for grabs by the government. And, if the family had a big business, and sold it, like Wanamakers did, then, yeah, those investments that were there should probably be taxed at the point of sale.

      You may have a point, but a counter-example to your model "family run" business would be Wal-Mart, which is still privately held by the Walton family, as far as I know, and is perhaps the very worst retail outlet in terms of working conditions and promoting the real health of a community.

      I don't pretend that my idea is a whole solution, or even that it would prove workable in practice. I just think that we need thinking divorced from left/right dichotomies if we're going to balance things out before the poorest 90% decide to take back the wealth being hoarded by the richest 10%.
      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
    23. Re:Ah, little too much of a socialist lens? by Anonymous Coward · · Score: 0

      Guess what? If you are stupid, you will not get rich.
      You very clearly have not met many rich people. While many of them sincerely believe that they are rich due to their self-diagnosed superior intelligence, other important contributors to wealth include inheritance, status-seeking, family connections, narcissism, greed, lack of scruples and luck.

      Incidentally, a lot of socialists are more interested in fairness, community, mutual support and reducing the overall level of coercion in society than in property. And not all socialists are Marxists.

      I suspect you're trolling anyway, or perhaps just horribly inexperienced with life. I've seen a lot of both the rich and poor worlds, having been part of both at different times of my life. And I'm no smarter now than I was when I was surviving on next to nothing. The people from my neighborhood who weren't able to escape weren't stupid either-- just marginalized and exploited. The only difference in my case was that I got here at a younger age and picked up English faster. That, and luck.
    24. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      I'm thinking about the "superghettos" that are growing in cities all over Africa, South America, Asia, where millions of people per city are packed into neighbourhoods consisting of cardboard or mud shacks.

      Lawful societies and free trade fix that. The UN calls for something like 1% of GDP in the form of a charity black hole and really, even the so-called carbon tax is really just a disguised attempt to shuffle money to the third world, but, ultimately, meaningful trade is what will elevate these people.

      I mean, come on... yeah, people in Africa have it bad off, but we firebombed Japan and Germany, completely destroyed their infrastructure, and, by the way, killed 10% of their respective populations, and still, those countries have rebuilt themselves into economic powerhouses. If you even look at the stats... you would see that such renewal actually came from within both countries and that aid such as the Marshall Plan was really more of a jump start mechanism than anything else.

      I don't pretend that my idea is a whole solution, or even that it would prove workable in practice. I just think that we need thinking divorced from left/right dichotomies if we're going to balance things out before the poorest 90% decide to take back the wealth being hoarded by the richest 10%.

      See, I don't believe that there needs to be an equal distribution of wealth at all. And, if you do look at it at a world wide level, nothing has actually been better at enriching the planet than the Bush policy of free trade. Sure, people may moan about how the USA is faring under free trade, but in the meantime, the rest of the planet is moving up. Chinese, Indian, Asian standards of living are all up. The Philippines is closing in on first world status. Malaysia is rising, so is Taiwan. Prosperity is spreading around the world because of trade.

      --
      This is my sig.
    25. Re:Ah, little too much of a socialist lens? by tjstork · · Score: 1

      I just think that we need thinking divorced from left/right dichotomies if we're going to balance things out before the poorest 90% decide to take back the wealth being hoarded by the richest 10%.

      Income inequality is a problem only seen when viewed through the left wing dichotomies.

      I mean, if you want to really look at the problems of the world, they aren't aligned with the environmental movement AT ALL.

      The third world doesn't need to be planting trees to save mother earth, the third world needs to be building power plants, water treatment and desalination facilities, and also use genetically modified and industrial farming techniques to improve crop output. I've talked to people from Kenya, and they to a one say that all of these ranges and beautiful things that people want Kenya to have are screwing the country up. Gorillas suck dude...no one wants lions and tigers in their back yard...

      But all of this crap about mother nature is getting shoved down the throats of the third world. I mean, Bush gets a bad rap for linking aid to abstinence, but meanwhile 300 million people died because DDT was pulled off of the market worldwide due to a problem that frankly was not nearly as severe as the consequences of not using it.... and mosquitos went on a rampage.

      --
      This is my sig.
  12. Re:Things aren't getting done because of the exper by Nos. · · Score: 1

    Economics is only one of many motivations for attempting to exploit a system. There's also fame and politics that we see quite regularly.

    Secondly, even if by some unbelievable turn of events, there were no financial motivations for hacking, that's no reason at all to be lax about security.

  13. Things are not getting better? by spydum · · Score: 2, Interesting

    I think I'd beg to differ. Consider the growth rate of deployed systems and data, and compare to the number of security incidents. I think someone could make a strong argument that it IS getting better, proportionately. The internet has such impressive growth, it's hard to notice the change. Check out any sites with historical trends of reported security incidents (dshield.org, cert.org, whomever). They all show very large growth rates up until 2006, where they tend to level off. The internet didn't stop growing during that period, we just managed to catch up.

    1. Re:Things are not getting better? by avandesande · · Score: 1

      Security is not some end state but an ongoing practice. Nobody will ever 'solve' the security problem.

      --
      love is just extroverted narcissism
  14. Crypto isn't the only link in the chain by weston · · Score: 5, Insightful

    I think what's likely is that Schneier realized that availability of good crypto isn't the only link in the security chain, and it's probably been a while since it was a candidate for weakest link.

    Hence the discussion about how security as a field is reaching out to other disciplines -- organizational behavior and sociology and economics are essential because you're looking at the problem of why business organizations don't do well at security, and it isn't just a technical matter.

    1. Re:Crypto isn't the only link in the chain by zappepcs · · Score: 1

      Technical matters begin to pale when some 20+ percent of users will give you their login credentials and personal information for free chocolates or a *chance* to win a trip to Paris.

      If nearly a quarter will risk identity theft for trinkets, imagine what they would think of having real security processes.

      One of the blogs/links to the story is: http://valleywag.com/381102/for-a-womans-password-offer-chocolate-for-a-mans-try-porn

    2. Re:Crypto isn't the only link in the chain by WATist · · Score: 1

      I would suggest you find a better reference seeing as how that study admits that it does test to see if they had real passwords in any way (I mean they could later explain, and ask, or use some other means of non-illegal verification.)

    3. Re:Crypto isn't the only link in the chain by Jansingal · · Score: 1

      >>>Technical matters begin to pale when some 20+ percent of users will give you their login credentials and personal information for free chocolates or a *chance* to win a trip to Paris.

      that was a stupid, and I mean stupid poll.

      I think most of the people simply made up a password. Of course, there was NO verification.

      this is statistics at its worst.

    4. Re:Crypto isn't the only link in the chain by zappepcs · · Score: 1

      I used it because I think it is valid. If you force people to register for a chance to win something it is quite often that those not cognizant of the dangers will use their common login credentials which they use for everything, including work, their bank account, their mortgage etc. A malicious piece of code need only scan briefly for details regarding banks visited etc. to try to use those login credentials elsewhere.

      The number might not be as high as the 20+% quoted, but then even if it is only 3% it is enough for someone to make money off of. 3% of 200 million is 6 million sets of login credentials. Even if only 25% of those are usable, it can be a lot of money.

      Now, let the phisher sell those on to someone else and then someone else (a valid way to make money from such information) ... soon, there are 15 groups trying to hack into your system... with a valid login! Forget dictionary attacks, if they have valid logins for your network, All your hard drives are belong to h4x0r5.

      You know that it takes only one person with the right information to get into a system and cause havoc. If you are giving away most of what they need to get in, small security measures are not much of a deterrent.

      The 3-letter people will tell you that it takes ONLY one spy to ruin a lot of good things. In this case, they are right.

  15. Re:Things aren't getting done because of the exper by Anonymous Coward · · Score: 0

    any suggestion to "communism" is going to lead to blood shed. Just submit to the power and there shall be peace. Surrendering is the only solution.

    May the Jew man shall control this planet forever!

  16. Centralization is why IT sucks by tjstork · · Score: 2, Interesting

    In my opinion, as an industry we need to re-examine how documents are managed.

    And what's the cost benefit of that? You are talking about security and secrecy but really at the price of throwing innovation and efficiency out the window.

    How can anyone on slashdot in their right mind be so dull-wittedly committed to doing in IT the very things that caused so many societies to fail! Secrecy and an atmosphere of secrecy, authentication at every turn,... my god, we have turned information into a virtual police state where you have to have papers, everywhere you go. And guess what, our digital Nazi Germany and Soviet Russia have failed just as much as their physical counterparts did.

    Centralization is why IT sucks. Big Data Centers = Big Government, with the same long lead times, ineffective management, unaccountable projects and reduced performance.

    We don't need an internet web 2.0, we need a PC 2.0 and push the data and decisions out to the people.

    The best way to improve a company's efficiency is to eliminate internal gestapo security.

    --
    This is my sig.
    1. Re:Centralization is why IT sucks by tgatliff · · Score: 2, Interesting

      I think I understand your argument, but it sounds more political than technological in nature... Also, I know my history well and it certainly does not back up that secrecy makes societies fail. Early Germany certainly did not fail because of secrecy, but rather because they had a madman at their helm. Soviet Russia just had an unsustainable government structure... The US economy is currently failing not because of our secrecy, but rather because we want to try to grow our economy on the ever continued consumption of debt... :)

      In short, it sounds like you work for a big company and are quite frustrated by their internal procedures that most likely were put in place by managers and sales people who know nothing about security or the implication it has on people who run the business... Quite understandable, but I would not consider this as every business.

    2. Re:Centralization is why IT sucks by jotok · · Score: 1

      I agree and disagree.

      1. Sometimes the need for secrecy outweighs the need for "innovation and efficiency."

      2. People have plenty of data and are empowered to make decisions. But they don't know what to do; there is a fundamental education gap. These are the people who run random attachments they get from someone named "xplurg bffrgis" offering them "v14g r a." You think they're really equipped to make decisions on security?

      The thing is, security is a risk management discipline. Most applications thereof don't have much of an ROI--why does the average user need to encrypt his drive when he really doesn't keep anything sensitive on it?--so you have to assess your risk and mitigate it using solutions that actually address your needs. So I would say we do need more diversity in offerings and solutions, but not really for the reasons you stated :)

  17. Re:The problems is fundamental to the technology.. by maestro371 · · Score: 1

    In my understanding, most sensitive data is stolen from improperly configured applications that permit access to weakly secured databases. See TJX for an example. File permissions have nothing to do with this (except on a very low, irrelevant level).

    This is a people problem. People write bad code, configure servers poorly, and manage security inefficiently.

  18. Sales People Hate Science by k31 · · Score: 1

    Most sales people went into that field because they are good at manipulating people on an emotional level; some actively hate any quantitative methods, and cannot do basic statistical analysis.

    Can you blame them, though? How many people really buy based on scientific evidence and through research, rather than emotions? E.g. we all "know" that Linux is more secure than Windows...

  19. Doh! by farrellj · · Score: 4, Insightful

    I've been saying for years: More computer security is not better computer security!

    Most security can sometimes even lead to less security! A system that is too hard to access because of its security will eventually be bypassed by the normal users, leaving you with a bigger security hole, is one example of this. Customers who put three different firewall programs on their computer, plus the one on their router, is another example.

    ttyl
    Farrell

    --
    CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
    1. Re:Doh! by Random+Walk · · Score: 1

      True for programmers as well: if the system makes it hard to program secure applications, it won't be done. There's a nice paper (pdf) that explains why programmers don't use the principle of least privilege (hint: with the current POSIX API, it's too complex and non-portable, and thus only a few programmers do it, basically in an ad-hoc fashion).
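
The privilege-drop sequence that comment refers to, as an added Python example (not code from the linked paper or from the comment's author): each call in the order POSIX demands, plus the verification step that ad-hoc implementations usually omit. It assumes a Linux-like system; the `hasattr` checks mark exactly where portability already breaks.

```python
import os


def drop_privileges(uid: int, gid: int) -> bool:
    """Permanently drop to (uid, gid) and verify the drop cannot be undone.

    Returns True only if every id now equals the target and, for a non-root
    target, the process can no longer become root again.
    """
    # 1. Supplementary groups first. Only root can change them, and skipping
    #    this step leaves a "dropped" daemon still a member of group 0.
    if os.geteuid() == 0 and hasattr(os, "setgroups"):   # not on every platform
        os.setgroups([])

    # 2. Group before user: once the uid is unprivileged, setgid() is refused.
    os.setgid(gid)

    # 3. setuid(), not seteuid(): seteuid() leaves the saved uid as root, so
    #    the drop would be reversible with a second seteuid(0).
    os.setuid(uid)

    # 4. Verify. Where getresuid() exists, all three uids must match; elsewhere
    #    fall back to the real/effective pair (another portability seam).
    if hasattr(os, "getresuid"):
        if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
            return False
    elif (os.getuid(), os.geteuid(), os.getgid(), os.getegid()) != (uid, uid, gid, gid):
        return False

    # 5. Probe: an unprivileged process must be refused when it asks for root.
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return True
        return False          # setuid(0) succeeded: privileges were never really dropped
    return True


def current_ids() -> tuple:
    """Real uid and gid of the running process (used by the self-check below)."""
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    # Self-check that works without root: "drop" to the ids we already hold.
    # Run as root with a real unprivileged target (e.g. the nobody uid/gid)
    # to exercise the setgroups() and setuid() transitions for real.
    uid, gid = current_ids()
    print("irreversible drop verified:", drop_privileges(uid, gid))
```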

  20. What about quality of experts? by ErichTheRed · · Score: 2, Insightful

    I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

    How many IT projects have you worked on where the company hires one of these huge consulting firms, spends millions of dollars, and still has problems after all is said and done? I think one of the problems is the business model of these firms. The head schmooze crowd takes the CIO for a round of golf or two, and convinces them that the firm is the answer to all their security questions. The next day, a bunch of barely-trained "security consultants" descend on the company and begin making all sorts of recommendations/purchases. Sounds cynical, but I've seen it many many times. It's also applicable for any system replacement project, development project, etc.

    The other problem is marketing of security products. How many times have you heard from a relative, "Oh, I've got Norton Internet Security, I'm safe." Vendors have a lot of people convinced that if they install their toolset, they can totally drop their guard.

    1. Re:What about quality of experts? by smooth+wombat · · Score: 1

      How many IT projects have you worked on where the company hires one of these huge consulting firms, spends millions of dollars, and still has problems after all is said and done?

      Not worked on but have been the unfortunate recipient of having to use them. First it was SAP. What a horrible piece of shit. Nearly every day we get calls from people who can't access the system and it's because the system can't handle all the requests from people processing travel vouchers, time requests, etc.

      Now I have to go through an ERP project in a vain attempt to bring some semblance of organization to our products and how they are delivered. We're at $40 million and counting and I can guarantee there will be numerous problems with our suppliers and clients once it's implemented. But it's only taxpayer dollars so it's not real money.

      The rest of your comment is spot on. That is exactly what happened in our current case. That and our CIO is completely incompetent at his job and lacks any semblance of organization. But he can sell ice to Eskimos in January.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:What about quality of experts? by oldbamboo · · Score: 1

      Yep,
      'Experts' barely exist. I am one. And I'm not that good at all to be honest, I can barely code a 'hello world' but I've still been wheeled out countless times to point out password lengths aren't up to snuff etc.
      But I've got seven years experience and I know quite a lot of other things worth knowing, and I've seen some pretty sloppy practice and kicked it into touch.
      Still, this book sounds cock. I mean utter cock. The review makes it sound like it is equally as worthless as me, on a bad day, trying to risk assess a three tiered app running on Websphere. They appear not to have a point, and to focus on the now dead legend of management buying the silver bullet / marketing / one stop shop is well out of date. There isn't a manager out there who is dumb enough to believe that you pay money and this crap goes away. They know it's a combination of process, people, and systems in concert that gets you out of the shit, because it's true, and because it is their language, that of business. The book sounds like a squint-eyed techie moan, from people who don't get let out of the back room to talk to the execs very much. This book sounds so far out from reality it may as well be set on the moon, and populated by Sea Monkeys. If they want to sell a new school, they could at least take the trouble to learn the 'old' one first, instead of passing off vacuous soundbites about China and Hedgehogs or something.

      --
      You may not agree with what I say, but you should fight to the death to allow me to say it, by modding me up.
    3. Re:What about quality of experts? by scoove · · Score: 1

      I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

      In larger corporations, especially where the regulatory environment is a driving factor, you might find that money isn't being thrown at security, but rather compliance. As ErichTheRed points out, there is no shortage of these silver bullets being purchased from executives who don't know better.

      As someone who heads up an information risk program for a global financial firm, I've been fortunate enough to see the policy and technical control environment and observe where and why controls failed to prevent against security incidents. Having a company that came from a regulatory-driven security model (not unlike many), the assessments of the incidents have shown repeatedly that the alignment of a program in reaction to PCI, GLBA, HIPAA, SOX, etc. does not provide for a risk-optimized information security program. Yet business executives in many firms believe that the highest bar to be funded is that prescribed by external regulation. Compliance should be regarded as the lowest bar, not the highest, as it is by no means intended to fully address the realm of information risk and security.

      The recent breach experienced by Hannaford is a good illustration of this problem. Hannaford was reportedly PCI compliant at the time of the breach, yet was using WEP to secure wireless in numerous cases. Elsewhere, there is too much reliance upon comprehensive common controls to compensate for lousy security at the application level. Hannaford execs are apparently "shocked" at the breach, yet were using a wireless security control a mediocre offsec analyst can break in 2-10 minutes. At the same time, I'm certain many firms have gone overboard on other controls (prospect theory tends to explain why so many of us over-treat the perceived likely risks and completely ignore the perceived improbable black swans that end up wiping us out). It's hard for us to make a case for security when we blow too much on some things and never see a threat test it out, and get clobbered on something we ignored.

      The biggest problem I see is that the business executives see security as a product, not a process, and information risk and security people don't do a good enough job correcting that misconception. The lack of understanding risk optimization by InfoSec professionals is a real issue: we tend to overspend for the risk in some controls while neglecting others.

      NIST SP800-37 prescribes creating safe applications in a sea of risk, yet many large firms pretend the oceans can be calmed if the right firewall or NIDS is deployed (think about what it tells you when NIDS is regarded as a control that *prevents* threats from exercising vulnerabilities by executives!).

      The best results I've seen have come from a very close tie between the business unit management and information risk using financial language to communicate risk through an optimization approach. I'd suggest ISO 31000 or AS/NZS 4360 (Aussie/NZ standard) as a great starting place to talk about not being risk averse, as so many of us in InfoSec are, but taking the right risks. I certainly encourage people to be careful about probability models - read Taleb's "The Black Swan" for some clues on why you don't want to rely on Gaussian models for too much of your modeling.

      Back to those regulations like PCI, I've found business execs understand the concept of "minimum baseline" when put in the context of a reserve requirement on credit portfolios. That regulatory requirement serves as the bottom line level, permitting the lending firm to select its own optimizing level of risk. Some may have offsetting efforts that

    4. Re:What about quality of experts? by Jansingal · · Score: 1

      >>>isn't a manager out there who is dumb enough to believe that you pay money and this crap goes away.

      You must not work in the corporate world. There are at least a thousand war stories from pros in the field saying the opposite.

  21. Re:The problems is fundamental to the technology.. by tgatliff · · Score: 1

    That actually is a pretty good argument... I would agree that no technology in the world will stand up to someone simply giving the information away... :)

  22. The beginning and end by Skeet112 · · Score: 1

    Computer security begins and ends with the user's common sense. If the user is not informed on common data security practices, up to date exploits, viruses, malware, spyware, what have you, then they don't really have sense enough of where to start in the first place. Sure, you can buy yourself all the Anti-virus protection you want, but that isn't going to protect you from ignorance. Security software protects users from security breaches. It doesn't protect them from dumb.

  23. Microsoft profits from insecurity. by Futurepower(R) · · Score: 3, Interesting

    "... Microsoft has likely spent more on security than China has spent on democracy"

    Very creative. I can do that, too! My example: Women spend more money on makeup than children spend on trapping hedgehogs.

    Microsoft makes more money when computers are less secure, because many people who have malware buy new computers: Corrupted PC's Find New Home in the Dumpster.

    1. Re:Microsoft profits from insecurity. by Skeet112 · · Score: 1

      TFA only furthers my above post. Maybe these 'security experts' should start going dumpster diving for PC's... I mean, hell, that's a whole new market of revenue there! :)

    2. Re:Microsoft profits from insecurity. by Anonymous Coward · · Score: 0

      Hey, that's funny -- so do security consultants to companies vending 'open source' solutions. Remarkable!

  24. Re:Things aren't getting done because of the exper by flaming+error · · Score: 2, Insightful

    > one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru

    The title of chapter 5 gives away the theme of the book -- Amateurs Study Cryptography -- Professionals Study Economics. In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility. Good luck with your studies young man. Perhaps you can fill that hole you think Bruce Schneier has left.

  25. Will get worse until there's a counterattack. by Ungrounded+Lightning · · Score: 2, Interesting

    In a conflict between weapons and armor, weapons eventually win.

    What is going on in "computer security" now is a conflict where the bad guys use weapons and the good guys only use armor.

    Just as with ordinary security - safes, locked doors, walls, armor, military "defense", etc. - attempts at IT infrastructure security only slow, not stop, the perpetrators. In ordinary security the "war" must be taken to the enemy - with self-defense deterrence and counterattacks, arrest/trial/incarceration, or retaliatory war. Why should information security be any different?

    But as of now there is essentially no consequence - except occasional failure and the need to adjust tools to evade the latest security tweaks. The result has been an opportunity, and financial incentive, to develop a powerful security-breaking infrastructure and several very lucrative businesses based on it.

    So things will keep getting worse until there is retaliation that creates enough consequences to knock the perpetrators down in number of perpetrators and longevity of activity.

    Retaliation produces collateral damage, so this won't be pleasant. But systematically letting bad guys get away with their crimes creates a rising exponential of wrongdoing that eventually sucks the lifeblood out of the rest of the population. Eventually this will become so egregious that the rest of the population will be willing to accept the collateral damage if it knocks down the problem.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Will get worse until there's a counterattack. by Skeet112 · · Score: 1

      Mod +Insightful

    2. Re:Will get worse until there's a counterattack. by Anonymous Coward · · Score: 0

      That is why Russia is so successful.

      We need to repeal DMCA, Computer Fraud and Abuse Act, UIGEA, Sarbanes-Oxley, CAN-SPAM, and shit load of other law altogether in order to bring the war to our enemy without any legal retaliation.

      The second amendment of the U.S. Constitution protects our right to form a private army and take over Washington D.C. to become the new emperor. Why should this be any different?

  26. Even more fundamental! An insight? by TerranFury · · Score: 1

    You'd still be moving the document, of course -- just, in this case, as a bitmap -- possibly JPEG-compressed. And if you're X-forwarding, then the text is actually available, in fact.

    The problem is basic to the technology, but I think it's much more fundamental.

    Analog electronics had a problem: Data was degraded as it was processed. Digital electronics solved the problem -- by copying the data in order to restore it at each step. Copying is inherent to the nature of digital technology. The minute I give you a D-flip-flop, you can copy a bit.

    Adding layers of abstraction -- like "we'll send bitmap snapshots of the document to you instead of an ASCII stream" -- complicates matters a little, and might foil casual copying, but it doesn't fundamentally change the situation.

    That said, I think you may be on to something. Crypto took a giant leap forward when people said, "let's use a crypto function that everybody understands, but which is simply hard to invert." Likewise, perhaps data management problems can be solved by saying, "We acknowledge that you can copy whatever bits we give you; we're just going to choose a horrendously inefficient coding scheme (like representing text documents as bitmaps) so that there are too many bits for you to copy using the available time and bandwidth without someone noticing." In fact, this even has some mathematical foundation: There is currently no way to determine the Kolmogorov complexity of a sequence. (Although we have some good compression algorithms, they still make assumptions which can be easily broken: Try dumping the output of a million calls to rand() to a file and zipping it. It'll be huge, even though you can represent the sequence with just the definition of your rand() function and the seed you used). I'm thinking this basic idea is a large part of the MPAA's motivation for the move to higher and higher HD, for instance; in the extreme, they could give up on encryption, and replace it with a known nontrivial problem: Downsampling and recoding video. It's not quite the same magnitude as factoring products of large primes, but it's still a computational pain in the butt when you're talking about a 50GB Blu-Ray disc.

    Another question, though, would be this: Is copying documents the main security issue companies face?
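
A small measurement of the argument in the post above, added here as a Python example (not the commenter's code): zlib cannot shrink a million bytes from a seeded generator, even though the generator plus its seed describes them in full, while a constructed "text rendered as a bitmap" encoding collapses back to roughly the size of the text. The bitmap stand-in, the seed and the sample text are all constructed for the example; the lesson for a defender is that a bloated encoding is a bandwidth cost, not a cryptographic barrier.

```python
import random
import zlib

N = 1_000_000          # "a million calls to rand()", as in the comment
SEED = 42              # constructed example value


def prng_output(seed: int = SEED, n: int = N) -> bytes:
    """n bytes from a seeded Mersenne Twister: fully described by (generator, seed, n)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def description(seed: int = SEED, n: int = N) -> bytes:
    """The 'definition of rand() plus the seed' that regenerates prng_output()."""
    return f"random.Random({seed}).getrandbits(8) x {n}".encode()


def fake_bitmap(text: str, scale: int = 8) -> bytes:
    """Constructed stand-in for rendering ASCII text as an image: every character
    becomes a fixed scale x scale block of 0x00/0xFF pixels, so the document
    grows scale*scale-fold without gaining any information."""
    glyphs = {}
    for ch in set(text):
        g = random.Random(ord(ch))             # deterministic glyph per character
        glyphs[ch] = [bytes(0xFF if g.getrandbits(1) else 0x00 for _ in range(scale))
                      for _ in range(scale)]
    rows = [b"".join(glyphs[ch][r] for ch in text) for r in range(scale)]
    return b"".join(rows)


def compression_ratio(data: bytes) -> float:
    """Original size divided by zlib level-9 size; about 1.0 means incompressible."""
    return len(data) / len(zlib.compress(data, 9))


def compare(text: str) -> dict:
    """Incompressible-but-short-to-describe noise versus a bloated low-entropy document."""
    noise = prng_output()
    bitmap = fake_bitmap(text)
    return {
        "prng_ratio": compression_ratio(noise),            # ~1.0: zlib finds nothing
        "prng_description_bytes": len(description()),     # a few dozen bytes regenerate it
        "bitmap_blowup": len(bitmap) / len(text.encode()),  # 64x larger than the text
        "bitmap_ratio": compression_ratio(bitmap),         # zlib takes the blowup back
    }


if __name__ == "__main__":
    sample = "The quick brown fox jumps over the lazy dog. " * 50   # constructed text
    for key, value in compare(sample).items():
        print(f"{key:>24}: {value:.2f}")
```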

  27. Lies, Liars, and Security Consultants by Anonymous Coward · · Score: 0

    "It is 2008 and never has so much been spent in information security. ... Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents."

    Hey, you don't suppose there's a connection, do you?

  28. Engineers have no social skills by Presto+Vivace · · Score: 1

    Engineers became engineers because they have no social skills. What? Don't like generalizations? Don't think anyone can read someone's mind, let alone a whole group of people? No? Then don't be part of it. Jus' sayin'

    1. Re:Engineers have no social skills by ZonkerWilliam · · Score: 1

      Oddly enough I always look for someone who has problems socially when hiring an engineer or SE, then I know the guy will understand what I need and not "be my friend".

    2. Re:Engineers have no social skills by Hatta · · Score: 1

      This, and the GP's assertion are both valid. What was your point?

      --
      Give me Classic Slashdot or give me death!
    3. Re:Engineers have no social skills by Jansingal · · Score: 1

      And how does that comment connect to this book review?

  29. No more than 10% of an outsourcing deal by gelfling · · Score: 1

    I've found in the commercial world that security in all of its flavors makes up no more than 10% of any outsourcing deal no matter how large or complex either the outsourcing deal is or the security requirements themselves. 8% is closer to the norm with some deals in the 3-4% range. That cost represents the total cost over the entire lifecycle including all labor and hardware. So I'm left wondering what people mean when they complain that so much money is being spent on security. If you're spending 1.6 million a year on an 80 million dollar deal, is that a lot?

  30. The Security Problem by Pyrophor · · Score: 1

    You guys are just about hitting the nail on the head. The problem is not so much in the complexity or quantity of security measures, but the policies and training presented to the users. I believe that over half of the users in my organization could not recognize a security threat and would most likely give their password out over the phone if the person calling them said they were in the IT department. Imagine if companies held a short class or training session about once a week to identify, react, and report threats. A little bit of training goes a long way. You don't need an expert to tell you that.

    --
    PYROPHOR
    1. Re:The Security Problem by ZonkerWilliam · · Score: 1

      Imagine if companies held a short class or training session about once a week to identify, react, and report threats. A little bit of training goes a long way. You don't need an expert to tell you that.

      I used to do that for one company, even had a newsletter that had easy security tips, such as complex password phrases, how to determine if your email had a virus, and so on. Almost always they were forgotten because the company's mentality, like most, is to get the job done at least cost. Add to that that most of the users we dealt with ended up feeling like they didn't need it because they never encountered a problem; it's a downhill battle, and it ends up falling on the security person all ways. That's just the hard facts.

  31. Security lock down does not work as well by Joe+The+Dragon · · Score: 1

    as it leads to apps not working and it can slow work down so much that high-up people tell the people under them to bypass it and do your job without waiting for the overworked, understaffed and underpaid IT guys to get around to it.

  32. Dysfunctional? by Iagi · · Score: 1

    Information security is not dysfunctional. The author's logic is flawed. "Billions of dollars of information security products have been sold". "... everything points to more security breaches, vulnerabilities and incidents." [Therefore] "information security [is] so dysfunctional." I think most working Security professionals would point to other "things" that lead to this state of bad security. Probably the two largest factors being: bad decisions by management and the lack of accountability (for both management (CEO/CIO) and software vendor). With all of these breaches, when was the last time we heard of anyone going to jail or being fined in a large way? If someone breaks into your site by means of a vulnerability in the Operating system or Web server, can you hold the software company liable for their crappy software? Until society or corporations decide to make people accountable then there is no incentive to make security work. And until this happens the "New school" will not be any more successful than the "Old school."

    1. Re:Dysfunctional? by Anonymous Coward · · Score: 0

      Do you hold the architect or the contractor responsible if someone robs your office? No. So why should you blame the OS maker if someone hacks your system? They make the house, you have to live in it. Your home's security is your responsibility, so put in a security door (firewall) and teach your kids (co-workers, employees) not to open the door for strangers (emails, etc.)
      As far as the CEO/CIO or security software vendor/consultant being held responsible, well that's the shareholders'/owners' job, not the government's or society's through laws (unless of course it's a government system).

  33. Time to turn the corner... by konigstein · · Score: 1

    The problem with IT security is that the solutions are that of being reactive to problems, and that we're asking for "secure" computing from nontrusted resources. There's never any proactive look at resources and doing proper planning for what sort of problems might develop (at least in my workplace). Project Managers and accountants never like to dole out money for dealing with exploits and issues that "might, in the future, become a hazard," and so the IT team is only rushing around putting out fires instead of fireproofing the place. Security needs to be taken seriously, and in first and foremost consideration, from end point to end point in software/hardware products rather than slapped on almost as an afterthought. Also, we need to do away with concepts like Service Oriented Architectures and Netcentric Warfare. /rant

    disclaimer: IANACSE (I am not a computer security expert)

    --
    This space intentionally left blank
  34. IDIOT MANAGERS by Anonymous Coward · · Score: 0

    Money spent on something doesn't mean it's well spent or even useful, if you work with idiots.

    Witness a former manager who got an executable attachment through our email system. She proceeds to tell me how she thought the email must have been IMPORTANT since it was from someone in her address book that she knew, and it said URGENT. So she renamed the attachment to get around the fact we were mangling .extensions at the time as a crude early measure to prevent them being executed. Now her computer is acting all funny and can we take a look at it?

    ARRRGHHH!

  35. An old Chinese Proverb by New_Age_Reform_Act · · Score: 1

    Fight poison with poison.

    --
    "The New Age. The New Beginning."
  36. Information Security is complex. by ZonkerWilliam · · Score: 1

    There is no way you can wrap up INFOSEC in a simple way. Each company practices it in a different way because each has its own acceptance of liabilities due to applications that they use or equipment that they purchase. You make the best of INFOSEC with those in mind because no company will change their technology infrastructure just because it's not the most secure technology. If the company is an enterprise you can have thousands of different types of applications and equipment all working together forming an even bigger security hole.

    To say INFOSEC is dysfunctional comes from someone who doesn't understand just how complex it can be.

  37. Not what he's talking about... by namespan · · Score: 3, Insightful

    I don't think the parent is talking about standardizing his password across every service he uses. I think he's talking about standardizing what a password can consist of and what constitutes a standard length, and a *tiny* bit of sanity regarding human factors in memory and use.

    I understand in practice that might allow people to collapse to a narrow set of passwords. But I think it's also possible that this kind of standardization could allow people's ideas about what constitutes a good password to coalesce around a few basic points, which might let them more readily create a few.

    And the parent is absolutely right that rotating random strings of characters every three months presents a use problem. One type of security analyst might say "suck it up, there's a tradeoff between security and use," and if you can get the user to suck it up and that works in the context of the organization, that's great. But if not, this brings us to the point in the "Amateurs study crypto, pros study economics" phrase. If you really want a secure system, solve both problems. Provide the user with some security practice that isn't going to cost him cycles the operation of the organization is going to demand he use somewhere else.

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  38. Re:Even more fundamental! An insight? by Creepy+Crawler · · Score: 1

    ---I'm thinking this basic idea is a large part of the MPAA's motivation for the move to higher and higher HD, for instance; in the extreme, they could give up on encryption, and replace it with a known nontrivial problem: Downsampling and recoding video. It's not quite the same magnitude as factoring products of large primes, but it's still a computational pain in the butt when you're talking about a 50GB Blu-Ray disc.

    I think it's fair to say that even if CPU speeds hold steady, our cores will grow. Given that, I'd venture how one beats the resolution problem is thus: scene detection and video computation per scene. Parallelization solves much of those perceived complexity issues.

    And it only takes 1 pirate to transcode it to smaller.

    --
  39. Re:Things aren't getting done because of the exper by Anonymous Coward · · Score: 0

    One of the most "worrying" trends?

    Crypto isn't the problem it used to be 20 years ago. Nowadays, if you want to implement a cipher that no government on earth will ever be able to break, you actually can. Sure, there is still research being done, but it has stopped being the major issue in information security it once was.

    Schneier was very smart to switch the focus of his energy. He correctly saw the emerging issues of his domain of expertise. And he did it in a period when way too many IT professionals thought being secure meant installing firewalls.

  40. Re:Things aren't getting done because of the exper by Anonymous Coward · · Score: 0

    Any security person worth his salt knows that you need to do analysis of the effectiveness of the control vs cost of the product.

    If security practitioners don't practice defense in depth, and rely on a security black box, then that organization isn't doing their job with regard to due diligence.

    People have been practicing defense-in-depth for over a decade. Where things are failing is security as a process, and they are failing in how they are selecting tools. SIEM, NAC, and DLP are all pretty much smoke and mirrors. They can be replaced with solid policies, outbound access controls, and centralized logging.

  41. General hiring/assessment problem by weston · · Score: 1

    I seriously believe that one of the reasons throwing money at the problem hasn't been working is that people who are implementing these things aren't the best possible candidates.

    It's a specific case of a larger problem: when it comes to hiring (whether a consultant or employee), "it takes one to know one." If you don't have a good eye for quality industrial design, how will you be able to pick out a good industrial designer? If you don't really know something about information security, how will you recognize a competent individual or company?

    The fallback alternatives aren't great. Reputation is trusting someone else (or groups of other people) to solve the problem... but this reduces back to the original problem (how will you know whether their estimation of someone's ability is reliable if you don't know what it takes to make that estimation accurately?). Certification is essentially institutionalized reputation. Resumes are trusting someone to distill their own reputation. And these are the *better* alternatives to simply swallowing marketing. :)

    This extends into the realm of "best practices" -- which best practices? How do you know which ones are right for your organization? If you know them only by reputation, you won't understand the principles behind them and will likely apply them incorrectly.

    A good chunk of industry has a major problem with both of these. I don't know how to solve it per se, but I'm glad to see the technical discipline of Info Security looking beyond the technical issues to the organizational and human ones. This kind of issue is what they're going to have to come to grips with if any progress is to be made on IT problems.

  42. getting your retaliation in first, I see .. :) by rs232 · · Score: 1

    "In my opinion, one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru to security consultant"

    You're entitled to your opinion; in the great scheme of things, a worse trend was when billg decided to embed Internet Explorer in the OS so as to kill Netscape.

    --
    davecb5620@gmail.com
  43. FUD review by avandesande · · Score: 1

    Far too much of the security industry has its roots in FUD.

    And so does this review.

    --
    love is just extroverted narcissism
    1. Re:FUD review by Jansingal · · Score: 1

      Just where is the FUD in this review?

    2. Re:FUD review by avandesande · · Score: 1

      Gimmie a break!

      "It is 2008 and never has so much been spent in information security. Year after year, more and more security hardware and software is purchased, more and more security professionals are hired, and more security is done; yet things are not getting better. Every indicator, every pundit, everything points to more security breaches, vulnerabilities and incidents. Large amounts of proprietary data are compromised on a daily basis. Obviously something is wrong, yet the entire industry goes along thinking things are getting better and more secure."

      And this book will save us......

      --
      love is just extroverted narcissism
    3. Re:FUD review by Jansingal · · Score: 1

      Give US a break.

      >>>And this book will save us......

      Did anyone say this is THE answer? Hell no.

      The book seems to be saying that this is AN answer. I don't think the book's author for a minute thinks that he can solve every problem.

  44. It's called the 'Human Factor'... by KC7GR · · Score: 1

    You can have the latest, most sophisticated (and probably expensive) security hardware and software imaginable, use military-grade encryption on every single file, and post armed guards at the entrance to your data center.

    But guess what? NONE of the above will make the slightest bit of difference as long as there are still people who write their passwords on sticky-notes without a second thought, and paste them to the front of their monitor, the inside of their desk drawer, or wherever.

    None of the above will help as long as you still have people who are gullible enough to fall for phishing E-mails, and give up sensitive personal data, passwords and SSN's included, as long as the mail looks remotely legitimate.

    Most especially: None of the above will help until each and every person that uses a computer starts getting a little bit paranoid and thinking "Is what I'm doing right now sensitive? Could it be compromised? If so, how? How would I do it if I were the attacker?"

    Whatever else you may think of Bruce Schneier(sp?), he's got one thing absolutely spot-on: The first and most vulnerable point of attack in ANY computer setup, networked or not, is the person making use of that computer and/or network. If there's more than one person involved (and there almost certainly is these days), there are multiple vulnerabilities available to any would-be attacker.

    Personally, I think that a world of good could be done by teaching people to read at least the essential parts of the headers in any E-mail, and showing them how to spot a fraud. I think if even 5% of the computer-using population would bother to check the headers inside any E-mail asking for personal data, it'd probably put a huge dent in phishing.

    Heck... Teaching people to be just a little bit paranoid would probably do more good than anything else...

    Keep the peace(es).

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies
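    As an added example (not from the commenter or the book under review), here is a small Python check of the header facts the post above suggests teaching people to look at: whether the visible From: domain agrees with Return-Path, Reply-To and the relay named in the topmost Received: line. Both messages, hosts and addresses are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From: domain is a bank,
# but the envelope sender, Reply-To and the delivering relay are elsewhere.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id 12345
\tfor <victim@example.org>; Mon, 14 Apr 2008 09:00:00 +0000
From: "Example Bank Security" <security@examplebank.example.com>
Reply-To: verify-account@mail-relay.example.net
To: victim@example.org
Subject: Urgent: confirm your account details

Please reply with your password and SSN to keep your account active.
"""

# Constructed legitimate counterpart: every header points at the same domain.
SAMPLE_LEGIT = """\
Return-Path: <alerts@examplebank.example.com>
Received: from smtp1.examplebank.example.com (smtp1.examplebank.example.com [198.51.100.5])
\tby mx.example.org with ESMTP id 12346
\tfor <victim@example.org>; Mon, 14 Apr 2008 09:05:00 +0000
From: "Example Bank" <alerts@examplebank.example.com>
To: victim@example.org
Subject: Your monthly statement is available

Log in through your usual bookmark to view it.
"""


def _domain(header_value):
    """Lowercase domain of the first address in a header value, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def _received_from_host(received_value):
    """The host named after 'from' in a Received: header value, or None."""
    tokens = received_value.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "from" and i + 1 < len(tokens):
            return tokens[i + 1].lower()
    return None


def _same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def header_findings(raw_message):
    """List mismatches between the visible From: domain and the headers a sender
    cannot easily make agree with it. An empty list means nothing looked odd."""
    msg = email.message_from_string(raw_message)
    from_dom = _domain(msg["From"])
    if not from_dom:
        return ["missing or unparseable From header"]
    findings = []
    rp_dom = _domain(msg["Return-Path"])
    if rp_dom and not _same_org(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    reply_dom = _domain(msg["Reply-To"])
    if reply_dom and not _same_org(reply_dom, from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Only the topmost Received: line was written by the recipient's own mail
    # server, so it is the one hop an outside sender cannot forge; the older
    # hops below it were supplied by the sender and are untrusted.
    received = msg.get_all("Received") or []
    if received:
        hop = _received_from_host(received[0])
        if hop and not _same_org(hop, from_dom):
            findings.append(f"delivered by {hop}, which is not part of {from_dom}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, header_findings(sample) or "no findings")
```

    Mailing lists and third-party sending services legitimately trip the Return-Path and relay checks, so treat a finding as a reason to look closer, not as proof of fraud.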

  45. Marcus Ranum nailed this already by Arrogant-Bastard · · Score: 3, Interesting
    Marcus Ranum's "The Six Dumbest Ideas in Computer Security" rant/essay neatly identified the top culprit a few years back. The mistakes he outlined continue to be made on a daily basis by nearly everyone working in the field -- and most of those people compound those errors by layering on more mistakes. (Example: "Well, yes, the firewall is default-permit outbound, but that's okay because we have an IDS.") This approach inevitably fails, yet those practicing it profess surprise every time it does -- especially if they happen to be standing in front of a press conference announcing the latest data loss incident.

    We will not make any headway on this, as a profession, until we stop making rudimentary mistakes such as the ones Ranum has identified, along with a few others that are worthy additions to that list. No initiatives, no certifications, no appliances, nothing will change that -- because none of those change the attitudes of the people who are building systems and networks. Until those people manage to step back from irrelevant details like "which iframe exploit is current today?" and look at larger questions like "why are iframe exploits even possible?" or "why are browser exploits even possible?", then they will continue to waste effort "solving" the wrong problems.

    Sadly, after observing this situation close up for many, many years, I've concluded that some, possibly many, people will never get that far. They simply Do Not Get It, and despite essays like Ranum's or books like this one or anything else, they're not going to get it. And they will continue to fail, and so the systems/networks they've built will continue to fail. I'd say that will make for a bleak future, but -- look around! -- we're living in a bleak present.

    1. Re:Marcus Ranum nailed this already by turing_m · · Score: 1

      "We will not make any headway on this, as a profession, until we stop making rudimentary mistakes such as the ones Ranum has identified, along with a few others that are worthy additions to that list."

      This is one of those things that is only understood by following the money. There is no money to be found in cures, there is only money to be found in temporary fixes. One has an income stream, the other doesn't. This is a sad fact of life.

      There will be a few companies who see the advantages in running a leaner business with lower ongoing costs and do their research wrt security (e.g. reading Ranum's article). They will be successful, but they won't provide much of an income stream to lots of people wanting to be security professionals.

      --
      If I have seen further it is by stealing the Intellectual Property of giants.
  46. Re:Things aren't getting done because of the exper by ePhil_One · · Score: 1

    In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility.

    I'm not sure about that. I think the biggest issue is the "monetization" of "cracking". This stuff used to be done for fun and thrills, geek cred, etc. Now a huge Botnet is a cash cow, criminal organizations pay money for compromised ID's & CC #'s. Yes, human fallibility plays into this, but the premise that the resources being spent on security are wasted is nonsense.

    Perhaps you can fill that hole you think Bruce Schneier has left. Agreed. While crypto has its place, it's a very small piece of the security pie. Firewalls, Anti-malware, policy enforcement, anti-phishing, etc. The threats faced today are too numerous to list on a whim...
    --
    You are in a maze of twisted little posts, all alike.
  47. Guru doesn't pay !! by Anonymous Coward · · Score: 0

    Gurus are fine if you're some wacko Hare Krishna but in the real world one has to make profit else...else...one becomes an open source, brainwashed drone !!

  48. WHat we need to do... by dokhebi · · Score: 1

    The reason why there are so many people willing to steal data is not because it is easy, well yes it is easy, but because the justice system is too squeamish to punish the perpetrators.

    I don't want anyone to think that they can steal data and get away with it. I want to see some dead hackers swinging from the lamp posts in Los Angeles.

    This will tell the hacker community that they will need to run fast and far if they want to live to see the fruits of their crime.

    Just my $0.02 worth.

  49. Culture Issue ... not Technology Issue by perlith · · Score: 1

    As of today, you could argue there are enough combinations of technologies to reasonably secure a computer. That doesn't change the fact that the password is posted on post-it notes, and everybody who works for that department knows it and could tell somebody else in an instant. There needs to be more focus on incorporating computer security as a part of the next generation's work force training, ethics, and culture. Can't expect folks to configure iptables manually, but you CAN expect and HOLD ACCOUNTABLE folks for other factors such as pornography, spyware, etc. Sadly, this needs to be a decision from the top-down to be successful: "Yes, computer security IS a part of your annual goals. If we hire you and you don't take it seriously, we'll find somebody who will". Find me a book which addresses computer security as a company culture issue and then I'll read it.

  50. Security book author works at Microsoft.... by Anonymous Coward · · Score: 0

    I suppose the only reason MS-bashers haven't mentioned this yet is because nobody bothered to click on the Amazon link and read it!

    About the Author:
    Adam Shostack is part of Microsoft's Security
    Development Lifecycle strategy team

    1. Re:Security book author works at Microsoft.... by Jansingal · · Score: 1

      didn't the reviewer state that explicitly?

  51. Yes, but my book provides concrete guidance by cjonslashdot · · Score: 1
    In my 2005 book, High-Assurance Design (which you can also buy from Amazon), I point out that:
    1. The average programmer is woefully untrained in basic principles related to reliability and security.
    2. The tools available to programmers are woefully inadequate to expect that the average programmer can produce reliable and secure applications.
    3. Organizations that procure applications are woefully unaware of this state of affairs, and take far too much for granted with regard to security and reliability.

    The problems are therefore deep and structural. One cannot blame one segment of the industry.

    In terms of what developers in IT can control, I would recommend that we take design seriously. Design does not mean waterfall process. And design is critical for security. Programmers work in a much too ad-hoc manner. We need to stop embracing the latest cool thing, the latest trendy language, and try to be more critical and thoughtful. We should ask ourselves, "is this a good tool - even if few currently use it?" and "what language would enable me to develop a well-designed system?" instead of "what is everyone else doing?"

    It so happens that my book provides a great amount of guidance at an architectural level, and I feel that one should start there. But it does not end there. One must also be aware of the shortcomings in current technologies (that is what most hacking books are about). The foundation is a good understanding of secure design principles and architecture. Security is about careful design and good process. Unfortunately, the tools and languages that are generally in use do not make it easy to design and implement secure systems: it is all up to the programmer. Thus, it is essential that the programmer be extremely knowledgeable, and develop a secure architecture from the outset - at least until secure design languages emerge (if they ever do).

  52. Problem in a Nutshell by Bender0x7D1 · · Score: 1

    1. The bad guys are also smart.

    2. The reward is higher for the bad guys than the good guys.

    3. The risk for the bad guys isn't that high - they operate from different jurisdictions and with many cutouts between them and their operation.

    4. They have cookies.

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  53. Ice to Eskimos by GeekAlpha · · Score: 1

    Give it a couple of years, and even I will be able to sell ice to Eskimos, in bulk.

  54. Re:Things aren't getting done because of the exper by Zeinfeld · · Score: 1

    In other words, most of our security problems aren't rooted in flawed cryptography, they are based on the flawed allocation of resources and general human fallibility. Good luck with your studies young man. Perhaps you can fill that hole you think Bruce Schneier has left.

    Why is it that everyone who posts on security is immediately compared to Bruce in derogatory terms? He certainly isn't the most influential practitioner within the field and he does not try to be. His focus is on describing what is reasonably close to state of the art to non-specialists.

    Frankly, why would you want to read a book from someone who didn't think he could do a better job or at least a different job than Bruce?

    On the book itself, I have not yet finished it. What I have read seems reasonable enough. And it is certainly true that in some cases the way to improve security is to focus on the economic issues (I make a related but similar case in my book in the same series). Where I suspect I will have an issue is that I suspect that there are a lot of crimes we simply don't have good measurements for yet and will find it hard to get measurements for them.

    ObDisclosure, Addison Wesley have sandwiched a chapter from my book, the dotCrime Manifesto at the end of the New School.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  55. Re:Things aren't getting done because of the exper by Jansingal · · Score: 1

    >>>>one of the most worrying trends in the computer security world was Bruce Schneier's turn from crypto guru to security consultant.

    Read his book and you can understand why exactly he made the jump.
    Crypto is one small piece in the security pie. He saw that firsthand.

    >>>doesn't seem to seek to empower the community,

    so why do 500+ people come when he talks?

  56. Re:Things aren't getting done because of the exper by Jansingal · · Score: 1

    and that is precisely the point schneier is making!!!

  57. Re:Things aren't getting done because of the exper by Jansingal · · Score: 1

    >>>He certainly isn't the most influential practitioner within the field

    who would you say the most influential practitioner within the field is?

  58. Re:The irony is thick enough to cut with a laser.. by Jansingal · · Score: 1

    Irony, yes. Logic, no.

    you missed the connection.

    In a world: complex systems.

    MSFT can't do it all!

  59. BT INS? by Anonymous Coward · · Score: 0

    I was about to take this article seriously until I saw that company attached to this review. No further comment.

  60. The Solution Is So Obvious by Matt_Jenk · · Score: 1

    The solution just is so obvious. *Start* using the technology the way it was meant to be used by the original designers. And *stop* using open protocols (HTTP etc.) and the web browser to support application development. http://www.responsive.co.nz/source.html [responsive.co.nz]

  61. "Information Risk" not "Information Security" by Anonymous Coward · · Score: 0

    The New School of Information Security is an oxymoron and Information Security professionals are a dying breed. Wake up and smell the coffee. The industry has moved onto risk based approaches for security - just look at any of the Fortune 100 (USA) or FTSE 100 (UK) companies and how many have rebranded their security teams with names such as "IT Risk", "Technology Risk" or "Information Risk".

  62. Re:The irony is thick enough to cut with a laser.. by argent · · Score: 1

    Microsoft can't do it all?

    Microsoft actively makes it worse, with fundamentally insecure designs like ActiveX, and the most unnecessarily complex systems on the planet.

    When I started having to reinstall user's computers because a bug in Internet Explorer made the Control Panel break so badly I couldn't even bring it up to back it out in safe mode I decided they'd created a whole new kind of complex system event horizon.

  63. Re:Things aren't getting done because of the exper by Anonymous Coward · · Score: 0

    "The immediate financial impact of IT security problems has lessened, costing UK businesses about £6bn a year, compared with £10bn in 2006"

    from today's financial times

  64. cost of sec down since 2006 - ft.com by Anonymous Coward · · Score: 0

    "The immediate financial impact of IT security problems has lessened, costing UK businesses about £6bn a year, compared with £10bn in 2006. This is because fewer businesses are falling victim to computer viruses, which have caused substantial financial losses in the past"

    ft.com

  65. Did I say that? by tjstork · · Score: 1

    I always love how nut job capitalists think if you are poor then you deserve to live without dignity or the ability to make ends meet.

    Did I say that? I said that poor people are often poor because of the choices that they make. That's not the same as saying they don't deserve to eat. Why is it that the sense of entitlement has to be buoyed by victimization?

    --
    This is my sig.
    1. Re:Did I say that? by modmans2ndcoming · · Score: 1

      you said:

      I always love how socialists argue that we are too caught up in property while they, more than anyone else, continually keeps score on who has what.

      So I thought that we were making sweeping generalizations about ideologies and ignoring the substance of them.

  66. Focus on wealth and not income. by tjstork · · Score: 1

    Disproof by contradiction [wikipedia.org]. And just in case you decide to say that "getting rich" doesn't include inheriting (even though inheritance is the biggest factor in persisting inequitable distribution of wealth), note that Ms. Hilton probably earned about $7M in 2005-06.

    The disproof case is weak. It's like arguing that global warming isn't happening because it snowed later in one part of the world. By and large, most people get ahead in life because they work smarter or harder. Being evil is largely a myth self-reinforced by liberal types largely because they cluster in socialist style institutions where, in fact, the only way you can get ahead is by being evil. But in the real world, working harder, more honestly and better matters and a lot of people succeed for that reason.

    --
    This is my sig.
  67. Re:Things aren't getting done because of the exper by jotok · · Score: 1

    Ahem. Schneier's change of focus is not a "trend."
    However, there is a "trend" of people in our industry abusing terms like "trend" and horribly mangling the underlying concepts and mathematics. This is why this book sounds so good to me: No more FUD. Just the facts.

  68. Ah, but then there's the British by tjstork · · Score: 1

    Germany certainly did not fail because of secrecy, but rather because they had a madman at their helm. Soviet Russia just had an unsustainable government structure... The US economy is currently failing not because of our secrecy, but rather because we want to try to grow our economy on the ever continued consumption of debt... :)

    Well, part of the consequence of Germany having a madman at the helm was that there were a number of different weapons projects, all running in parallel and in secret from each other. Had they shared their information, they could have had a more coordinated economy, but, even then, when you look at sheer numbers, lowly Great Britain was also bombed, but managed to not only produce more aircraft than Germany (in addition to fielding a real heavy bomber), 18 aircraft carriers, I think at least 6 battleships, and quite a few destroyers, better radars and, while they were at it, gave us the mathematics upon which all computers were based, and the first computer... and did it all despite having quite a bit less of a population than Germany did. I think you have to attribute some of that to an open society.

    I agree with you, overall though. I think openness is more efficient although I too am guilty of looking at everything through a political lens. With that said, one has to wonder if the Bush administration (and I supported it) would have been more successful had they merely been more open and forthcoming with information, invited participation and feedback. Instead of hunkering down and tightening up the security screws because "there's a war on", maybe the Bush administration should have opened up -everything-, because, "there's a war on."

    One wonders.

    --
    This is my sig.
  69. Re:The irony is thick enough to cut with a laser.. by Jansingal · · Score: 1

    >>>>Microsoft actively makes it worse

    and users make it even worse by using MSFT products!!

  70. Ah, you think you think more than you do? by tjstork · · Score: 1

    In other words, treason is a crime that does not exist except where there is war.

    Well that's the point, and you missed it. If you declare yourself a non-citizen of a country, then your act of inhabiting its lands while refusing to obey its laws is an invasion. That makes you in a state of war against the country, and it against you, satisfies your argument that requires a state of war for treason to exist, and makes you a traitor.

    --
    This is my sig.
    1. Re:Ah, you think you think more than you do? by ShieldW0lf · · Score: 1

      Your point wasn't missed. It was wrong.

      War must be declared between two nations. Even if some foreigner wanders into the country without getting stopped at the border and kills a thousand people, that still isn't an act of war unless it was sponsored by a foreign nation. By definition, war can only exist between two nation states.

      Aside from a big discussion about what treason is or isn't, you are placed in this position:

      I say there are circumstances in which actions that you label as treason are justified, and that the laws of a civilization are a contract to which its members must willingly agree. You say this is false.

      If I am right, then your country deserves to exist, the claims of the British to that land hold no weight, and the members of your citizenry have the moral right to do to their current legal system what your ancestors did to the British. That being, refusal to be bound.

      If you are right, then by your own definition, your country does not deserve to exist, you are under the jurisprudence of the British Crown, and all private property in your entire country, having been illegally transferred from a traitor to his children without exception, belongs to the Queen of England.

      You can't have it both ways.

      --
      -1 Uncomfortable Truth
    2. Re:Ah, you think you think more than you do? by tjstork · · Score: 1

      War must be declared between two nations. Even if some foreigner wanders into the country without getting stopped at the border and kills a thousand people, that still isn't an act of war unless it was sponsored by a foreign nation. By definition, war can only exist between two nation states.

      War can be between a nation and any group of people, from one to many, that decides to make war on it. I can declare war on the USA right now, if I wanted to, and you can too. In fact, there are individual Americans who have done it. Timothy McVeigh declared war on the USA, blew up a building, and now he is dead.

      If you are right, then by your own definition, your country does not deserve to exist, you are under the jurisprudence of the British Crown, and all private property in your entire country, having been illegally transferred from a traitor to his children without exception, belongs to the Queen of England.

      Nope, not at all. The founding fathers were traitors to the British crown, and they knew it. Therefore, they were smart and got tons of money from the French, turned a hopeless revolution into a world war, and secured their lives and our freedom. It's pretty simple. You aren't a traitor once you win and the war ends.

      You can't have it both ways.

      I'm not. It's just that, victory changes everything.

      --
      This is my sig.
    3. Re:Ah, you think you think more than you do? by ShieldW0lf · · Score: 1

      Like I said. You're a supporter of totalitarianism, and to you, it's all about the rule of force. You could have just conceded the point in the first place.

      --
      -1 Uncomfortable Truth
  71. Re:The irony is thick enough to cut with a laser.. by argent · · Score: 1

    and users make it even worse by using MSFT products!!

    Go ahead, make me feel guilty, rub it in.

  72. Re:The irony is thick enough to cut with a laser.. by Jansingal · · Score: 1

    sorry :(

  73. Re:Things aren't getting done because of the exper by ChatHuant · · Score: 1

    who would you say the most influential practitioner within the field is?

    I had the pleasure of hearing Adi Shamir give a number of talks about his recent work at the Weizmann Institute. I think he's definitely a more influential figure than Schneier (albeit less well-known by the public). I don't think I'm informed enough to say he's "the most" influential though.

  74. Re:Things aren't getting done because of the exper by Jansingal · · Score: 1

    I agree with you 1000%.

    for those that don't know, he is the S in RSA.