Donkey On A Waffle
Dr. Geer - Source Boston Keynote
Tue, 27 May 2008 16:19

Dan Geer, one of the foremost leaders in the field of security metrics and security economics, recently gave a keynote address at the Source Boston Information Security Conference. Sadly I was not able to attend the conference due to prior commitments; however, I did take the time to read the transcript of the keynote. Now I'm not generally one for discussing the theoretical merits of the information security field; instead I tend to find myself a bit more grounded in the practical research side of our particular discipline. Because of this sentiment I read the keynote with much trepidation. To the average person, Dr. Geer is best known for publishing the paper "Cyberinsecurity: The Cost of Monopoly", which got him fired by his (and, at the time, my) employer. In this paper he discusses the monoculture of today's enterprise computing infrastructures and the dangers of a monoculture, by analogy with biological systems. The keynote takes a much higher-level point of view than the paper, but many of the same points from his previous work are reinforced.

The keynote contained many quotable moments that make even the most casual reader say "Wow, that's cool".

"On this basis and others, bot-nets are a life form."

"Patching behavior is precisely like radioactive decay -- in each succeeding interval, half of the then unpatched machines are patched and, in any case, 80% of exploits appear within the first half-life of patch-announced vulnerability and wreak 85% of their damage in the first fortnight."

And my favorite of the quotes (that I will most likely use myself in the future):

"defense in depth is simply a referendum on your willingness to spend money for layers; it is rarely, if at all, a research-grade problem."

In this speech, Dr. Geer asserts the growth of security as a service, analyzes the virulence of malware using empirical evidence from the last decade, equates computer monocultures to beehives, and indirectly discusses the transition of the attacking class from hobbyists to pay-for-play professionals. Only in a few cases did I disagree with the text, but I'll leave those spots for you to pick out. Now go and read the transcript.
