IT Security

How About noOS?

October 16, 2010

We have NoSQL but maybe it’s time for noOS. I’ve talked about this with colleagues for a while. Many are old enough to realize why we have operating systems, but some of the younger crowd don’t. The reason for an operating system is to equitably share the resources of a computer. This made sense when the systems were large, hulking brutes sitting in air conditioned rooms. It makes no sense today when one core of an average computer is faster than any mainframe of 40 years ago — or even a roomful of them. It’s why I’ve had discussions asking why we even need an OS anymore. Perhaps it’s time to revisit another idea that came out of the great CS labs, namely machines that only ran a language. I’m talking about Lisp Machines, Smalltalk Machines, APL Vector Machines, etc. These machines had the beauty of allowing you to program extensions into their core via well-defined languages all within a fully interactive environment. It was bliss programming these types of systems. And it’s not like computers aren’t fast enough to allow for fully interactive, dynamic environments as the way to build applications. Today’s hardware makes those old Smalltalk, Lisp and

Bemoaning the State of Information Security

September 22, 2010

I’ve been in the field of computer security for nearly 25 years and the same old stuff still bugs me. The constant desire to foist security requirements on the end-user is unbelievable, and unwarranted. Security is, at best, an esoteric field and one that most end-users are not sufficiently well versed in to be able to make logical decisions. Add to that the constant drone by security “experts” that many of the problems lie in a lack of process and procedures, or in user unwillingness to follow these same processes and procedures, and it is simply more proof that the problem lies elsewhere. The problem with security is that it’s a pain in the ass. My security pedigree allows me to state that. I wrote the Canadian Criteria (CTCPEC). I was one of six authors, and the only non-US author, on the US Federal Criteria which was to replace the Orange Book and Rainbow Series. I co-authored the Common Criteria, and was one of the lone voices of dissent when it took on the form everyone is currently familiar with. As a senior IT security researcher with the Canadian government I set up the first virus centre to study the propagation of malware and

The Beginning: Becoming an Entrepreneur

September 16, 2010

Being an entrepreneur all starts with a single desire: to change the world. You think you can change it by coming up with a cool piece of technology, something no one else has. Something that will fundamentally change and challenge the way the world functions within a particular arena. My arena of expertise is computer security. I’ve been doing it for nearly three decades. I’m one of the old guard and back in the ’90s had a cool idea: a generic policy engine capable of implementing and enforcing any computer security policy devised. I successfully completed my Master of Computer Science showing that the technology was feasible. My next goal was to get the capital to actually build and sell the thing. I thought it would be easy. Boy, was I wrong! It had all started in late 1997 with my thesis due, time running out, and patience all around at an all-time low. I decided to take an extra week during Christmas and a few weeks thereafter to finish my thesis off once and for all. I figured a month of diligent work and I’d be done! I didn’t expect what nature was about to throw our way —

According to some … the universe is 20 years old

September 12, 2010

Just a bit of a rant today. I’m getting more than a bit tired of hearing from reasonably intelligent people that they can’t find a given piece of research because they tend to have this odd belief that the entire universe is but 20 years old. Twenty years old? What, are you nuts? I’m sure that’s what some of you are thinking. Hardly. 20 years ago is when the first web page went up. Some seem to think that anything before that time period simply doesn’t exist, especially if it can’t be located by Google, Bing, or some other search engine. Some organizations, like the IEEE and ACM, strive to get their older archives online but many don’t have the resources. And so I am faced with folks who simply can’t seem to comprehend the notion that a lot of research was done “back in the paleolithic”, as my kids tend to say (i.e., before the 90s). A bit of searching in a library or a good online index of journal articles would assist even the dullest of researchers in determining what’s out there. Similarly, I’m tired of supposed researchers who simply give a new name to an idea

Why We May Never Have IT Security

July 31, 2009

I’ve been asked repeatedly why security is so bad. For years I’ve just ignored the question, figuring it was pretty obvious to anyone who spent more than a few seconds observing IT. However, I’ve come to the conclusion that it’s not obvious. Most people don’t get why IT security is hard and getting harder, and why we’ll never truly have IT security to the point where we don’t have to worry about it. Much of the problem actually stems from the fact that IT security is pretty much in the same place it was back in the 70s and 80s. It’s stagnant. This isn’t a problem with the folks in IT security but rather a sad indictment of IT itself. It’s been stagnant since the 70s and 80s; not much has changed. And therein lies the problem. But why do I say that it’s the same as the 70s and 80s? Because no one is attacking the real problem: the actual IT infrastructure we have. We are still using the same technologies invented back in the 70s and 80s (sometimes earlier!) and attempting to interconnect said technologies in ways they were never meant to be connected. This has meant hacking and

Ph.D.s, Focus, and the Loss of the Infinite

July 2, 2009

I’ve been trying for a long while to put into words why I became disenchanted with the Ph.D. process, and why that was one reason — though not the overriding reason — why I terminated my pursuit of a doctorate. But today, sitting back and reading a bit of Thomas Aquinas, I came to a sudden epiphany. The reason is straightforward, and ironically was told to me by a dearly departed friend years ago. The problem is that Ph.D.s are too narrowly focused. Or, as Jim Anderson so eloquently put it way back when, “Some of the stupidest people I know have Ph.D.s.” He bemoaned their inability to grasp the larger picture, instead focusing on minutiae, some small problem, ignoring all else. Sometimes ignoring reality itself and coming up with a “solution” that worked only within some fantastical model that had little relation to how the real world functioned. Now Jim, like myself, was an old grey beard of security. In fact, I would argue that Jim was responsible for what today is called “information security”. The very foundations of computer security were formulated and documented by Jim way back in 1972. I was fortunate enough to work with Jim

10 Years Too Early

April 3, 2009

Over at Musings of a VC in NYC there’s a new article titled “Only Ten Years Too Early”. Man, that brings back some memories for me. 10 years ago I began my startup. It’s no more, but the technology we worked on is finally becoming accepted. In fact, the amount of interest mounts constantly. 10 years to the month after I started that startup, I’m now building something similar, though rudimentary and simple in comparison, for clients of mine. What they want now is but a pale shadow of what we had then. 10 years early. Way too early. Sigh.

Monoculture crosses my desk

January 15, 2009

It’s been a while since I read Dan et al.’s original paper CyberInSecurity: The Cost of Monopoly. For whatever reason it’s crossed my desk again, but mostly because of Dan’s follow-up Monoculture on the Back of the Envelope. To me the original paper was crucial for people to comprehend the issues that arise when a single system becomes so prevalent. However, I think the issue is deeper than what’s presented in the papers. To me there’s a deeper issue in that IT and computers are beyond the ken of most people. This ends up creating massive security problems in that most people simply are unaware that their computers are vulnerable, nor are they aware that they’ve been compromised. Unlike most of the technology we use, computers are networked together into a larger whole, and therein lies the larger issue. In isolation a monoculture is immaterial, but in a fully networked environment with owners of the various components unaware or unable to be aware, we have a major issue. And this has been discussed, repeatedly, by various security experts. But what must be noted is that if today, even if shops went to a split of 1/3 Windows, 1/3 OS X,

The Morris Worm

November 5, 2008

Recently it was the 20th anniversary of the Morris Worm. A number of articles have appeared discussing the worm. It’s hard to believe it’s been 20 years. But the articles tweaked my memory and I remember quite vividly aspects in and around the release of the worm. And I remember quite well talking to Bob Morris Sr. after his son was arrested on charges pertaining to the worm. When I asked him what advice he had given his son, he said, in his usual dry style: “Buy a suit and hire a good lawyer.” Many of us figured Bob Jr. would be hung out to dry simply because of who his father was. That was partially true, but since then Morris Jr. has done quite well. Kudos to him.

Ugh. Spam. Worse still, spam filters

September 25, 2008

Why are spam filters so brain dead? How hard can it be for the big ISPs to just trash spam that’s in Cyrillic or various Asian scripts? Why can’t I just say: “if it’s not in Latin script, delete it”. Honestly, something so simple and it’s not done. Oh. Sure, I can “make a script” but why should I have to for something so obviously logical? Ugh.
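The rule asked for above, “if it’s not in Latin script, delete it”, is a few lines once you classify characters by their Unicode script. What follows is an added example written for this page, not code from the original post or from any ISP’s filter. It assumes Python 3 with only the standard library, messages arriving as raw bytes (as a procmail recipe or milter would hand them over), and two illustrative thresholds: letters only are counted, so digits and punctuation never condemn a message; the message must contain at least a handful of letters before it is judged at all; and a majority of those letters must be non-Latin before it is dropped, so an accented name or a one-word foreign signature survives. The sample messages are constructed for the example.

```python
"""Script-based mail triage: drop messages whose letters are mostly non-Latin.

Added example for this page; not from the original post.  The thresholds
and the sample messages below are assumptions made for the illustration.
"""
import email
import unicodedata
from collections import Counter
from email import policy
from email.message import EmailMessage

# Fraction of letters that may be non-Latin before a message is rejected,
# and the minimum number of letters needed before we judge at all.
# Both are illustrative values, not anything the post specifies.
MAX_NON_LATIN_FRACTION = 0.5
MIN_LETTERS = 8


def script_of(ch: str) -> str:
    """Script family of a letter, taken from the first word of its Unicode
    name: 'LATIN', 'CYRILLIC', 'CJK', 'HIRAGANA', 'HANGUL', 'THAI', ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:            # unassigned or control code point
        return "UNKNOWN"


def script_histogram(text: str) -> Counter:
    """Count letters per script.  Digits, punctuation, whitespace and
    emoji are skipped (str.isalpha is False for them), so a phone number
    in a signature never counts against a message."""
    return Counter(script_of(ch) for ch in text if ch.isalpha())


def non_latin_fraction(text: str) -> float:
    hist = script_histogram(text)
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return 1.0 - hist["LATIN"] / total


def message_text(raw: bytes) -> str:
    """Subject plus plain-text body as decoded str.  policy.default undoes
    RFC 2047 header encoding and the body's transfer encoding, so a
    base64-encoded Cyrillic subject is judged on its letters, not on the
    ASCII of its encoded form."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [msg["Subject"] or ""]
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        parts.append(body.get_content())
    return "\n".join(parts)


def should_drop(raw: bytes) -> bool:
    text = message_text(raw)
    if sum(script_histogram(text).values()) < MIN_LETTERS:
        return False              # too little text to judge; leave it to the next filter
    return non_latin_fraction(text) > MAX_NON_LATIN_FRACTION


def triage(samples: dict) -> dict:
    """Map each sample name to its drop decision."""
    return {name: should_drop(raw) for name, raw in samples.items()}


def build(subject: str, body: str) -> bytes:
    """Constructed sample message (not real mail), serialised the way an
    MTA would deliver it, including RFC 2047 encoding of the subject."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_bytes()


SAMPLES = {
    "cyrillic_spam": build("Срочное предложение",
                           "Здравствуйте! Мы предлагаем вам уникальную возможность заработать."),
    "cjk_spam": build("緊急通知", "この度はお客様に特別なご案内がございます。"),
    "english_with_accent": build("Lunch with Zoë?",
                                 "Hi, are you free for lunch at the café on Thursday?"),
    "mixed": build("Meeting notes", "Hello team, notes attached. Best regards, Иван"),
    "too_short": build("ok", "да"),
}

if __name__ == "__main__":
    for name, decision in triage(SAMPLES).items():
        print(f"{name:22s} drop={decision}")
```

Accented Latin letters such as ë and é are named LATIN SMALL LETTER ... in Unicode and so count as Latin, which is why the English samples pass; the "mixed" message passes because four Cyrillic letters in a signature are a small fraction of its 45 Latin ones. This is exactly the blunt rule the post asks for, and it carries the cost the post accepts: any legitimate correspondent writing in Russian or Japanese is dropped too, so the same check is better used to route into a quarantine folder than to delete outright.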
