Recently in Thoughts and ponderings Category

Happy New Year


Welcome to the Future!

"What was more, they had taken the first step toward genuine friendship. They had exchanged vulnerabilities." (2010: Odyssey Two)

All the best wishes for 2010. May it be a quiet year.

Enterprise Cloud Risk and Security


Thanks to Hoff's tweet earlier today, I watched a presentation titled Enterprise Cloud Risk and Security. Not only is the presentation an excellent use of a slide deck (no narration necessary), but some of the observations outlined in it are representative of the thought processes of someone who gets it.

"Fundamentally, engineering is about knowing and respecting the limitations of one's materials. ICT systems are built with software being one of the key materials. And software is thoughtstuff. For an engineer of thoughtstuff, the limitations of mathematics and cognitive science are the limitations of the material."

Masterson goes on to argue that "We need to stop thinking in terms of security and start thinking in terms of health". This argument is based on the premise that any time a fairly simple and controlled solution is scaled up, complexity is introduced that invalidates many of the controls meant to keep it secure.

A little later, Masterson introduces another interesting concept: Redundant Arrays of Independent Clouds (RAIC). Brilliant ;) The simple (and compelling) reason for RAIC is a bit of knowledge derived from biology and in particular, ecosystems: diversity = health.

Issues covering legacy security technologies such as firewalls are also briefly touched upon:

"Concepts like 'firewall' embody Russellian assumptions, and are only useful in the small. Instead, consider concepts like quarantine, sterilization chambers, and disinfection, for example."

This is not to say that firewalls cannot be useful, but as our computing infrastructure becomes more distributed and our data is spread globally, local perimeters will continue to be necessary, but no longer sufficient.

All in all, a very interesting presentation in a novel format, bringing some good things to think about. Go watch it.

The Largest DDoS in History?


Streaming video traffic coverage of Obama's inauguration flooded North American backbones today. Traffic increases varied wildly across US providers with some seeing an overall 5% increase in backbone traffic and others jumping more than 40%.

Source: The Great Obama Traffic Flood

As a worker in information technology, I am lucky to be close enough to the wire to every now and then peek at the real world to see what is going on.

With today being a fairly special day, I decided to stroll over to our networking group to peek at the traffic monitors, and I was greeted by nice solid green lines. This was the first time in my professional career that I was at the right place at the right time: our external bandwidth was pegged at 100% use, and would not move.

Wisdom from Randy Pausch

Everyone who reads this post has probably heard of Dr. Randy Pausch's world famous "Last Lecture". Anyone who has not heard of it must stop reading now and go view it.
When the news came of Pausch's death on July 25, the editors of Communications of the ACM felt there could be no greater tribute than to share his own words[...]

What about advice for CS teachers and professors?

That it's time for us to start being more honest with ourselves about what our field is and how we should approach teaching it. Personally, I think that if we had named the field "Information Engineering" as opposed to "Computer Science", we would have had a better culture for the discipline. For example, CS departments are notorious for not instilling concepts like testing and validation the way many other engineering disciplines do.

Source: Wisdom from Randy Pausch, Leah Hoffmann. Communications of the ACM, September 2008, Vol. 51, No 9, p19. (full text pdf, account required)

What else is there to say?

As information security professionals, we are faced with this every day.

One might even leap to the conclusion that had the field been approached as a mature engineering discipline, there would be no need to have as many dedicated security professionals as we do now.

An article well worth reading.