Various triggered thoughts.
I just got a chance to listen to the Silver Bullet Security podcast with Gary McGraw and Dan Geer. I normally don’t get time to listen to podcasts, because I’m too interrupt-driven, both at work and at home (“Mooooommm ... the mainframe’s relaying spam again!” “Dammit, who’s been ‘troubleshooting’ the firewall? Get ‘em on the phone!”). But this week my most disruptive children are off at training, so I can take a spare 20 minutes to listen and concentrate.
I’ve met Dan in passing a few times (including at a lovely whisky BOF ages ago); we travel in some of the same circles even if mine are at a distinctly lower altitude. He talked in the podcast about how this is a great time to be in IT security, since it’s transitioning from an entirely IT-sourced field to one in which people are moving in from other diverse fields. (I can vouch for this myself, having been a liberal arts major with no computer science background whatsoever.) According to Dan, now is the magic moment in which the IT security executives don’t yet come from specialized IT security education backgrounds. I think that’s true; security is becoming a trade, now that you can actually get degrees in it. People who are hiring will start looking for these certified tradesmen rather than taking a chance on a “renaissance (wo)man.” (You can see signs of this already, in that not having a CISSP will sometimes get your résumé tossed right off the bat.)
But I think the renaissance factor is more than just the fact that information security itself wasn’t a broadband academic field until recently. I think it’s part and parcel of the whole growth of the Internet and the people who built it—their distinct renaissance personalities.
The stereotype of the nerd who only understands science, or numbers, is a myth. The most creative and driven people who built everything the Internet rests on today have always been renaissance people. Sure, a lot of them came up from the technical ranks (even if they were as far afield as biostatistics), but they were so much more. These people not only write operating systems; they build gazebos out of satellite dishes. They learn origami and hieroglyphics. They retire to the coast and spend their days sailing. They spin their own thread. They raise hogs, for crying out loud.
So yes, the Arpanet started out distributed for a military reason, but I believe the rest of distributed computing and networking grew the way it did because of the open and unconventional personalities of the people who built it.
Example: Dan talked about how at MIT long ago they published all the root passwords to make it less impressive (and therefore less attractive) for people to break in to their systems. (Of course, at the same time Richard Stallman was leaving all his accounts open for the world to use too, to the point where “to rms into a system” was a common term.) I really don’t think that’s a solution that anything other than an academic, freethinker culture would have come up with. These same people are still fighting for openness, diversity and neutrality today, the open source movement being the most visible example. It’s a culture thang that happens to be conjoined with the technology.
What makes it a Perfect Storm is, of course, the fact that it’s carrying our information along with it. Dan talked about the value of information itself increasing more than the value of the technical assets that are carrying it. I’m not sure the value of the information itself is increasing, unless you consider the risk of loss to add value to something.
Companies have ALWAYS had this information that is at the center of attention today. It’s nothing new. The only difference is, information technology has made it infinitely more portable, infinitely more copyable and infinitely more malleable. Information wasn’t considered an asset unless it was at high risk of being stolen, and you just couldn’t steal fifty boxes of paper files wholesale the way you can sneeze and copy a database today. Not only that, but if someone stole the boxes, you’d notice right away. If someone wanted to alter business figures, it would take laborious work and a ton of wite-out—not, as Dan mentioned in passing, a well-written and subtle virus.
We have turned our information into water, and we haven’t figured out yet the best way of holding it. THAT’S why it’s become an asset class all its own.
And the corollary to that is that contrary to some popular beliefs, information does NOT want to be free. There has always been information that needs to remain private, that represents hard work and intellectual property, that people rely upon for accuracy and completeness. That’s why leakiness is a big operational problem.
It’s going to take creative people to solve this. That’s why I’m glad we have the people that we do in this field.
Posted by shrdlu on Tuesday, June 13, 2006

