Recently in Thoughts and ponderings Category
Everyone who reads this post has probably heard of Dr. Randy Pausch's world famous "Last Lecture". Anyone who has not heard of it must stop reading now and go view it.
When the news came of Pausch's death on July 25, the editors of Communications of the ACM felt there could be no greater tribute than to share his own words[...]
What about advice for CS teachers and professors?
That it's time for us to start being more honest with ourselves about what our field is and how we should approach teaching it. Personally, I think that if we had named the field "Information Engineering" as opposed to "Computer Science", we would have had a better culture for the discipline. For example, CS departments are notorious for not instilling concepts like testing and validation the way many other engineering disciplines do.
Source: Wisdom from Randy Pausch, Leah Hoffmann. Communications of the ACM, September 2008, Vol. 51, No 9, p19. (full text pdf, account required)
What else is there to say?
As information security professionals, we are faced with this every day.
One might even leap to the conclusion that had the field been approached as a mature engineering discipline, there would be no need to have as many dedicated security professionals as we do now.
An article well worth reading.
Episode 1
Episode 2
Episode 3
Episode 4
Episode 5
Episode 6
Episode 7
Episode 8
News items like this have been bugging me for a while now.
Headlines like "China hosts most of the world's malware" mean nothing to me. A truly remarkable headline would be quite the opposite. China is a large country. By a conservative estimate, it has a population of close to 1.5 billion people. At any time, the country sports a staggering 200 million Internet connections. Of course they host a large amount of malware; as a country, they are one of the largest presences on the Internet!
The flight attendants just handed out The Forms, and people are freaking out. Not because they worry about giving up their information, but because they are uncertain about what to put in the open spaces, afraid of the consequences when they make a mistake, and generally apprehensive about the unknown.
I am from The Netherlands, 65% of which would be below sea level, if it were not for some fancy engineering. After catastrophic flooding in 1953, we embarked on a large-scale water-management project called The Delta Works. As a nation, we are fairly good at water management. Most of the large-scale water projects worldwide are done by Dutch engineers.
While mobile connectivity might seem like just an additional channel, nobody would have believed that "Traffic patterns are beginning to change again: the rush hours at 9am and 5pm are giving way to more varied 'daisy-chain' patterns, with people going backwards and forwards between the office, home, and all sorts of other places throughout the day".
I broke down today.
No, I did not go out and buy an iPhone, or something like that. Triggered by Steve's positive comments, I got in the car and drove to the nearest Barnes & Noble book store to buy a Moleskine notebook.
Two, as a matter of fact.
While lying in bed, I was listening to them and I could not help but think that a pilot's job must be very similar to that of a security professional. Professional pilots on modern airplanes do not spend the majority of their time flying the plane. Instead, they are constantly running through scenarios. What can go wrong in the next 20 minutes? If it happens, what do I do? What is the closest alternative airport to which I can go in case of trouble? What do I do if I hit wind shear on my final approach to the runway? Are my instruments giving me correct readings? Am I following the directions of the air traffic controller?
I have a hate/love relationship with product vendors.
Throughout my career, I have tried hard to remain vendor-neutral and technology-neutral. Getting anywhere between 5 and 10 unsolicited vendor calls a day on a bad day is not going to make me suddenly jump and buy a product, or even look at it. Instead, it is interrupting what I am doing at the time, breaking my concentration, and probably lowering my willingness to listen to you.
Yet, I do realize that many of the controls that we implement as information security professionals rely on technology, or even consist of it.
A very insightful man was interviewed on DarkReading.
In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments.
[...]
Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. "If a product can be cracked, it's sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."
Source: Antivirus Inventor: Security Departments Are Wasting Their Time
This article supports my personal motto very strongly: better is worse than good enough. While I have not fully processed the extent of the points made in the article yet, it sits well with me after a first read.