Good day everyone. We've got another interesting installment from Don MacVittie as he trolls the corridors of the O'Reilly show in Santa Clara this week.

Today was an eventful day for the conference, but my experience was limited by my attempts to talk with certain attendees.
I attended an outstanding keynote, "Fixing Network Security by Hacking the Corporate Culture" by Bruce Schneier.
Bruce speaks well, knows his topic, and has a passion for it. Technology people will warm to anyone who is passionate without being offensive, and while Bruce didn't "own" the crowd by the time he was done, everyone got a laugh at some point.
He discussed the state of security, including the well-known fact that no one in management really cares about it until they've been hacked. He explained all of this in the familiar terms of risk management, but also offered a solution that he believes will eventually straighten things out.
Before I comment on the message he was sending, here are a couple of wonderful quotes from Bruce (actually paraphrases: ever tried to type a quote on a RIM device while laughing?):
"SOAP is billed as a firewall-friendly protocol, which I see as like having a skull-friendly bullet."
He took some grief for this statement, but he's right... If you can navigate firewalls, and people are making simple development toolkits for the technology, you get the same nightmare you have with VBA.
"If we can outsource our food preparation to 15 to 18 year olds at fast food restaurants, then with proper training we could trust network security to outsourcing."
He's got a point. He threw up a slide with a list of the "less appealing" aspects of teenagers preparing food, and yet we go buy millions of dollars worth of this stuff each day.
The four major points of his talk were:
- Enforce Liability - if you released data on your customers, you get burned. If your software is insecure, you get sued. He believes there is no value proposition in today's market for companies to protect data beyond the industry minimum, and no motivator for companies to fix software vulnerabilities.
- Allow the transfer of liabilities. He showed how insurance has forced maturation on other industries and proposed that the same would work for both software and data.
- Provide a means to reduce risk. This is where standard level definitions and outsourcing to meet those definitions come in. He pointed out that the model of "security as a fortress" is fundamentally broken - we have to let certain people in, so we're inadvertently going to let some bad guys in too. Security as a city is his preferred metaphor - protect, detect, and respond to threats.
- Prosecute crime in an even-handed manner. The Internet is still pretty lawless, and this will have to change according to Bruce.
During questioning, he added that he did not believe this was the only, or even the best model. He did believe this was what we needed to be prepared for.
Throughout his talk, the idea of insurance companies as a steadying and standardizing force for security was inevitable. It's my hope that he's wrong, but I fear he may be right.
On another note, I spoke with a rep from Cylogistics about two new boxes they have on the show floor. Not bad toys: one has an embedded BSD board to act as a firewall, and a full 1U box that can run BSD, Windows, or Linux. The other is a BSD all-in-one cube for small office and SOHO use.
I also spent some time getting to know Danese Cooper, the Open Source Program Office Manager at Sun. She's definitely an advocate we could hope for in that position, and I hope all goes well for her.
I'm impressed by the amount of mind-share Apple has sucked up with OS-X. There are plenty of people here talking about it and the high hopes they have for it. O'Reilly has set up a conference for OS-X only, and many people here are planning to attend. I guess the Mac crowd didn't die off; they just went underground.
That's it for another day! I'll be back for the final installment tomorrow.
Don.