Recently in Thoughts and ponderings Category

Wisdom from Randy Pausch


Everyone who reads this post has probably heard of Dr. Randy Pausch's world famous "Last Lecture". Anyone who has not heard of it must stop reading now and go view it.
When the news came of Pausch's death on July 25, the editors of Communications of the ACM felt there could be no greater tribute than to share his own words[...]

What about advice for CS teachers and professors?

That it's time for us to start being more honest with ourselves about what our field is and how we should approach teaching it. Personally, I think that if we had named the field "Information Engineering" as opposed to "Computer Science", we would have had a better culture for the discipline. For example, CS departments are notorious for not instilling concepts like testing and validation the way many other engineering disciplines do.

Source: Wisdom from Randy Pausch, Leah Hoffmann. Communications of the ACM, September 2008, Vol. 51, No. 9, p. 19. (full text PDF, account required)

What else is there to say?

As information security professionals, we are faced with this every day.

One might even leap to the conclusion that had the field been approached as a mature engineering discipline, there would be no need to have as many dedicated security professionals as we do now.

An article well worth reading.

Daniel Miessler has an interesting post, which refers to a sequence of videos posted on YouTube. Each video is just under 10 minutes long. If you're pressed for time, just watch the third one, but watching the whole series is definitely worthwhile. The series covers a lecture delivered at the end of the previous century by emeritus professor Albert Bartlett of the University of Colorado at Boulder.

Episode 1

Episode 2

Episode 3

Episode 4

Episode 5

Episode 6

Episode 7

Episode 8

China hosts malware


News items like this have been bugging me for a while now.

Headlines like "China hosts most of the world's malware" mean nothing to me. A truly remarkable headline would be quite the opposite. China is a large country. By a conservative estimate, it has a population of close to 1.5 billion people. At any time, the country sports a staggering 200 million Internet connections. Of course they host a large amount of malware; as a country, they are one of the largest presences on the Internet!

Flying long distance


International travel is stressful to many people. As I am writing this entry, I am at roughly 37,000 feet above the ground on board a KLM Boeing 777-200. Today's flight will take me from the Netherlands back to the United States.

The flight attendants just handed out The Forms, and people are freaking out. Not because they worry about giving up their information, but because they are uncertain about what to put in the open spaces, afraid of the consequences when they make a mistake, and generally apprehensive about the unknown.

Planning for failure

Martin and Rich did a bunch of micro podcasts at the RSA conference last week. The latest episode features David Mortman of Echelon One. The point that they are making is that organizations need to accept that security measures will fail.

I am from The Netherlands, 65% of which would be below sea level if it were not for some fancy engineering. After a catastrophic flood in 1953, we embarked on a large-scale water-management project called The Delta Works. As a nation, we are fairly good at water management. Most of the large-scale water projects worldwide are done by Dutch engineers.

A new type of nomads...

The Economist has a special topic on Mobile Telecoms this week. In the article Our nomadic future (Economist, April 12th--18th 2008, page 16) the author makes an interesting point. He postulates that by providing knowledge workers with mobile connectivity wherever they are, whenever they want, our society is reverting back to nomadism. "The emerging class of digital nomads also wander, but they take virtually nothing with them; wherever they go, they can easily reach people and information."

While mobile connectivity might seem like just an additional channel, nobody would have believed that "Traffic patterns are beginning to change again: the rush hours at 9am and 5pm are giving way to more varied 'daisy-chain' patterns, with people going backwards and forwards between the office, home, and all sorts of other places throughout the day".

Taking notes


I broke down today.

No, I did not go out and buy an iPhone, or something like that. Triggered by Steve's positive comments, I got in the car and drove to the nearest Barnes & Noble book store to buy a Moleskine notebook.

Two, as a matter of fact.

I live on Long Island and, depending on the wind, right under the final approach paths for John F. Kennedy International Airport. The planes pass overhead when their landing gear is extending, which means that they are low and noisy.

While lying in bed, I was listening to them and I could not help but think that a pilot's job must be very similar to that of a security professional. Professional pilots on modern airplanes do not spend the majority of their time flying the plane. Instead, they are constantly running through scenarios. What can go wrong in the next 20 minutes? If it happens, what do I do? What is the closest alternative airport to which I can go in case of trouble? What do I do if I hit wind shear on my final approach to the runway? Are my instruments giving me correct readings? Am I following the directions of the air traffic controller?

I have a hate/love relationship with product vendors.

Throughout my career, I have tried hard to remain vendor-neutral and technology-neutral. Getting anywhere between 5 and 10 unsolicited vendor calls on a bad day is not going to make me suddenly jump and buy a product, or even look at it. Instead, it interrupts what I am doing at the time, breaks my concentration, and probably lowers my willingness to listen to you.

Yet, I do realize that many of the controls that we implement as information security professionals rely on technology, or even consist of it.

Better is worse than good enough


A very insightful man was interviewed on DarkReading.

In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus -- said that about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments.

[...]

Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. "If a product can be cracked, it's sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."
Source: Antivirus Inventor: Security Departments Are Wasting Their Time

This article supports my personal motto very strongly: better is worse than good enough. While I have not fully processed the extent of the points made in the article yet, it sits well with me after a first read.
