What John Gordon is doing giving a keynote at the RSA conference is utterly
and completely beyond my ability to comprehend. If you read his bio at the
link above, you'll find he has absolutely zero background in software or
computer systems. He's obviously a smart cookie (ex-physicist at Air Force
Weapons Lab, a stint at Sandia, etc) but he's not in any position to
authoritatively say jack sqat about software vulnerabilities - unless
there's something I'm not reading about his background.
I love his perspective though .. Sure John, it's the DEVELOPERS fault that
MANAGEMENT makes the promises and DEMANDS product be shipped two weeks
before it's even spec'd. God, I sure do wish I had though of just spending
more time debugging when the CEO was screaming at me.. either you ship *IT*
or I ship *YOU*. This also tells me he's completely unfamiliar with the
concept of offshore outsourcing. psss.. hey, John .. A LOT OF THE CODE'S
NOT EVEN WRITTEN HERE, BUDDY! :-)
I'm glad I didn't go .. I would have felt cheated out of my admission fee by
hearing the blathering of someone like this.
Kind Regards (and in somewhat of a cranky mood),
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Mark Curphey
Sent: Thursday, February 26, 2004 7:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Any software security news from the RSA conference?
Looks like the link I was pointing to didn't make it
Here it is again
And the text below
Software makers could eliminate most current security issues if
they only tried harder, according to a Homeland Security advisor
An advisor to the US' Homeland Security Council has lashed out at
software developers, arguing their failure to deliver secure code
is responsible for most security threats.
Retired lieutenant general John Gordon, presidential assistant
and advisor to the Homeland Security Council, used his keynote
address at the RSA Security conference in San Francisco on
Wednesday to question how much effort developers are putting into
ensuring their code is watertight. This is a problem for every
company that writes software. It cannot be beyond our ability to
learn how to write and distribute software with much higher
standards of care and much reduced rate of errors and much
reduced set of vulnerabilities, he said.
Gordon's keynote followed a day after that of Microsoft chairman
According to Gordon, if developers could reduce the error and
vulnerability rate by a factor of 10, it would probably
eliminate something like 90 percent of the current security
threats and vulnerabilities.
Once we start writing and deploying secure code, every other
problem in cybersecurity is fundamentally more manageable as we
close off possible points of attack, he said.
Gordon also criticised wireless network manufacturers for making
encryption too difficult to deploy, even for technically
competent users. He made the comments after explaining that he
had spent a long weekend trying to set up a Wi-Fi network at his house.
One manufacturer got to invest an entire man-day of tech support
and about eight hours of telephone charges. At the end of the
day, I still had not accomplished a successful installation,
said Gordon, who eventually managed to get the network running by
taking some steps that were not in the documentation.
However, he said the documentation didn't make it clear how to
secure his network: The industry needs to make it easy for users
like me -- who are reasonably technically competent -- to employ
solid security features and not make it so tempting to simply
Mark Curphey [EMAIL PROTECTED] wrote:
I thought this was interesting. I missed it but I am sure the
please many on this list (myself included)
Bill Cheswick [EMAIL PROTECTED] wrote:
Bill Gates gave a keynote on their current approach to security, and
the contents of SP2, due out 1H 2004. From what I heard, Bill
gets it. He addressed about 4 of my top 6 complaints and
Quite a change from the rhetoric of five years ago.
But it is an Augean stable, and they have a long way to go.
Of course, the devil is in the details, and we will have to see.
On Wed, Feb 25, 2004 at 02:38:32PM -0500, Kenneth R. van Wyk wrote:
It's been a rather quiet week so far here on SC-L. I guess
is either at the RSA conference (http://2004.rsaconference.com/) or
otherwise too busy. I've been watching some of the reports
that have been
appearing in the trade press regarding announcements and
such at the RSA
Most of the announcements seem to me to focus on new and upcoming