On Jul 27, 2010, at 10:58 PM, d...@geer.org wrote:

>> Wow, I was just going to recommend Dan's book, "Security Metrics."
> It is actually Andy Jaquith's book, I only wrote the intro.

Ouch, I'm sorry for the mistake!  (I knew I remembered your name in connection 
with the book, but it's on my bookshelf in the office and I was at home.)

> In the meantime, though, couple of years ago I did a tutorial
> on security metrics which you may find useful
> http://geer.tinho.net/measuringsecurity.tutorial.pdf

Thanks, my favorite so far is page 45 with the table on Risk Management 
Culture.  I need to tape that to the wall for inspiration.

Pathologic: Don't want to know
Bureaucratic: May not find out
Generative: Actively seek

Pathologic: Failures punished
Bureaucratic: Local repairs only
Generative: Failures beget reforms

From my point of view: The security community is being Generative (Actively 
seek) about finding the flaws in systems, but it's too often in the Pathologic 
(Failures punished) stage about how to handle those flaws once they're 

My suspicion: It's fun to Actively seek, and hard to find solutions, and it can 
be downright frustrating to champion reforms.  If the vulnerability isn't 
gigantic, it's hard to even get people to listen.  Reform is maybe 20x harder 
and 1/5th as fun as poking the holes.

That said, here's an experience worth talking about: Dan Kaminsky did a pretty 
good job of being Generative in _both_ categories.  He found a hole in DNS, and 
then worked with LOTS of vendors and even with people not directly tied to DNS 
to collaborate on reforms.  He even called me (at a smaller CA) to make sure we 
were aware of the risks and to verify that we don't only rely on automated 
forms of verification.  I really appreciated the call--it felt like my chance 
to talk to a rock star.

All the best,

Paul Tiemann 
The Cryptography Mailing List