DISQUS

Rob Lewis

1 month ago

in The Connected Web: Why It’s Time For Strong Authentication on dmiessler.com | grep understanding

At what point does authentication as a proxy for authorization become inadequate, in terms of data-level access or behavior enforcement?

8 months ago

in A Crazy Idea Regarding the Obama Administration and Security on dmiessler.com | grep understanding

@shane,

Maybe I was being a bit facetious, but intentionally.

Lessig is a great thinker, but security is not his focus as far as I know either. Schneier is driving thinking about security theatre. Cryptography is a great tool that no one in business likes to use. Dr. Roger Schell, father of the Trusted System Evaluation Criteria (TCSEC) standard, commonly referred to as the Orange Book, calls cryptography "the opiate of the naive". The reason: one does not need to break it if one can easily steal the keys from insecure systems. Of course, we do still need it in the meantime.

Ranum is a recognized innovator and knows and writes more than anyone about what would be required to fix the system, but is regarded by many as some kind of heretic because he tells it as it is, and his version of the truth is too painful and too hard to swallow. Bejtlich is fantastic at getting the most out of a broken model, but true innovation means fixing and changing the model, not reacting faster.

The basis for my sarcasm was a statement by Guy Kawasaki, who said:

"Those on the first curve are unable to comprehend, let alone embrace the second curve".

If this is true, then anyone on the first curve will be unable to innovate. I explored this position in a short essay in an Amazon review of "The New School of Information Security" under the title "Not much "new school" in The New School of Information Security", found on this page:

http://www.amazon.com/review/product/0321502787/ref=cmcrdp_synop?%5Fencoding=UTF8&showViewpoints=0&sortBy=bySubmissionDateDescending#RTBEMAG1DJOQU

Is this the reason why we do not see any innovation in IT security? Something to think about.

8 months ago

in A Crazy Idea Regarding the Obama Administration and Security on danielmiessler.com | grep understanding

Thinkers are a dime a dozen. Presidents have always had technology advisory committees. Have they been beneficial?

Besides, what have any of these guys done lately? LOL. We need innovators, not thinkers!!!

8 months ago

in McCain/Palin Supporters Dissected on danielmiessler.com | grep understanding

Observing an American election can sometimes be like watching Tweedledee and Tweedledum.

Daniel, you are a smart guy, but don't get caught by the curse of knowledge. There may be some truth in what you say, but a friend once taught me that "you catch more flies with honey".

Why should the world believe that Americans respect anyone else when apparently they barely respect each other?

8 months ago

in Should We Focus on Vulnerabilities or Threats? on danielmiessler.com | grep understanding

Timm,

My question was supposed to be a bit rhetorical. We are a decade away from secure code (we have millions of legacy bugs, probably), and application firewalls are not up to snuff yet either.

8 months ago

in Should We Focus on Vulnerabilities or Threats? on danielmiessler.com | grep understanding

In light of this discussion, would it not be advantageous to look for something that prevented software vulnerabilities from being enacted on? Does that not kill two birds with one stone?
