Tuesday, January 13, 2009

Security Engineering podcast with Ross Anderson

15th episode of The Silver Bullet Security Podcast.

Interview with Ross Anderson

The best security book of all time: "Security Engineering".
Recently put online; it turned out the royalties went up. "I proved to my satisfaction that publishing my book online does not compete with the print edition - it actually helps sell more books... 'hey, this is a good book, I want this on my shelf'."

There is a little bit of improvement: there are no longer quite as many stack-overflow vulnerabilities as there used to be, but there are plenty of others.

For example, people who have studied large software projects reckon that about 30% of them fail and don't work at all, or they go wildly over budget and over time, and so on and so forth...
So what do people do?
They build larger, bigger and better disasters...

The sort of person you have to be to be a successful project manager is miles different, diametrically different, from the sort of person you have to be to be a successful government/nation leader.

As a project manager: you have to start off by getting people to take all the hardest decisions early, closing all the options, and then sit quiet and wait for 2 years to test and ship it... and then make some hard and rapid decisions/compromises.

Government in general does the opposite...
If you're a minister you have to face the press all the time; you can't sit quiet for 2 years, you have to go out and publicly change the specs every 2 months... and there is an awful lot more...

Economics of dependability...

The fundamental insight is that most systems fail not because of technical problems but because incentives are wrong. I think the best paper at WEIS last year was by Ben Edelman in which he pointed out that Web sites bearing the TRUSTe certification mark were twice as likely as random, similar Web sites to be malicious.

A Web site in the top-rated advertisement slot is more than twice as likely to be a scamster site as the top-rated free search site. Ben's conclusion was, "Don't click on ads."

If everybody in the online world read this paper and thought about it carefully, then Google would be in bankruptcy tomorrow.

European customers have poorer protection against online banking scams of every kind, from cloned ATM cards to phishing scams, than in the US. It's interesting to see that many of the new e-money providers - the non-bank payment services companies - are operating essentially under European rules rather than under American rules. At present, PayPal is very scrupulous at repaying every one of their customers who is the victim of a scam, but their terms and conditions do rather appoint them as the judge and jury and go as far as they can to ruling out any independent regulation. In that respect, they're falling inside the European camp, and I predict that there's going to be some serious tension that will involve not just computer security, per se, but regulators, the anti-money-laundering crowd, the FBI, comparable agencies here, and so forth, because phishing is one of the biggest growing threats on the Internet, and technical mechanisms alone aren't going to fix it.

Civil engineers learn far more from the bridges that fall down than from the much greater number of bridges that stay up. Similarly, if somebody’s going to call themselves a security engineer, then they really have to study how things fail. That means that you have to read the press, the mailing lists, comp.risks, and plug into all the various sources of information about the bad things that are going on in the world.

Man-in-the-middle attacks have been around since at least the time when [Sir Francis] Walsingham doctored a letter from Mary Queen of Scots to her supporters - which was the 16th century.

time: 22:50m
