I went to ShmooCon 2006 Jan. 13-15th. I had been waiting for the video and slides from the con to be posted, but I figured I should start writing before I totally forget what went on. Over the next few days I’ll be posting about the different talks I attended.
Dan Geer‘s keynote was one of my favorite talks from the con. He believes that “if people respect you enough to have you give a keynote, respect your audience enough to write it out”. Thanks to that he’s provided the full text as well as a PDF of the slides from his talk. My summary won’t do it justice, but you can at least understand what you are getting yourself into. Read on.
Dan started by acknowledging that, like most people in the audience, he wasn’t trained in security. His formal education is as a biostatistician. Things are changing though; soon the security industry will be filling up with people trained solely in security. Dan feels that we should leverage our diversity while we still can, particularly to solve the problem of how to measure security.
The ultimate goal is “quantitative information risk management that is on a par with quantitative financial risk management”. The problem with the Internet is that it is an aggregated risk because of its interconnected nature. Aggregated risk is why the same insurance company doesn’t sell policies to houses next door to each other: if one burns, the other likely will too, resulting in double the loss for the company. In 2003 Dan and six coauthors described Microsoft’s monopoly as a monoculture threatening national security (he was then fired from @stake via press release). This monoculture is a big aggregated risk. There are other problems as well. Modern insurance policies are based on history, but the Internet has no measurable risk history, unlike a 24 year old, non-smoking, white male.
Dan feels that security is a subset of reliability and that complexity will often hamper reliability. At this point in the speech Dan starts approaching the problem from his background as a biostatistician. He begins by showing a chart with two lines: one is an estimate of vulnerable hosts, which clearly exceeds the second line, the number of incidents. The gap most likely represents security working, but also vulnerable hosts that aren’t being attacked. He admits that these numbers are biased, but they can still provide an accurate picture. The final section of his talk deals with code complexity and its correlation with incidents.
In closing Dan is careful to point out that this is just one man’s numbers and that we are still far away from a final packaged measurement solution. He encourages everybody to apply their own viewpoints and backgrounds and to question what they’ve seen while we still have time. Of course, this is just a summary and I encourage you to check out the full text and slides.