Re: [SC-L] Microsoft's message at RSA
Hi Andy, Great post. I especially like the part about making choices. Having users type passwords into websites that protect all their assets pretty clearly isn't working. Cardspace is pretty clearly a massive improvement. That said, I don't think the choice is between perfect liberty and perfect security, but more what Dan Geer suggested: We digerati have given the world fast, free, open transmission to anyone from anyone, and we've handed them a general-purpose device with so many layers of complexity that there is no one who understands it all. Because “you're on your own” won't fly politically, something has to change. Since you don't have to block transmission in order to surveil it, and since general-purpose capabilities in computers are lost on the vast majority of those who use them, the beneficiaries of protection will likely consider surveillance and appliances to be an improvement over risk and complexity. From where they sit, this is true and normal. While the readers of Queue may well appreciate that driving is much more real with a centrifugal advance and a stick shift, try and sell that to the mass market. The general-purpose computer must die or we must put everything under surveillance. Either option is ugly, but “all of the above” would be lights-out for people like me, people like you, people like us. We're playing for keeps now. http://www.acmqueue.org/modules.php?name=Contentpa=showpagepid=436 I hope that cheers everyone up. -gp Andy Steingruebl wrote: On Fri, May 9, 2008 at 3:42 PM, Gary McGraw [EMAIL PROTECTED] wrote: Hi andy (and everybody), Indeed. I vote for personal computer liberty over guaranteed iron clad security any day. For amusing and shocking rants on this subject google up some classic Ross Anderson. Or heck, I'll do it for you: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html I've heard this point for years, and yet when we actually look at ways of solving the consistent problems of software security, we always come back to tamper-proof/restricted-rights as a pretty reasonable starting point. I don't know whether this mailing list is really the place for me to advocate about this, but every time we get into a situation where we talk about high reliability (electronic voting for example) people are all up in arms that we haven't followed pretty strict practices to make sure the machines don't get hacked, aren't hackable by even experts, etc. hardened hardware, trusted computing bases, etc. But, if you want to try and apply the same engineering principles to protecting an individual's assets such as their home computer, bank account credentials, etc. then you're trampling on their freedom. I don't really see how we can viably have both. Sure we're looking at all sorts of things like sandboxing and whatnot, but given multi-purpose computing and the conflicting goals of absolute freedom and defense against highly motivated attackers, we're going to have to make some choices aren't we? I don't disagree that all of these technologies can be misused. Most can. We've all read the Risks columns for years about ways to screw things up. At the same time individual computers don't exist in isolation. They are generally part of an ecosystem (the internet) and as such your polluting car causes my acid rain and lung cancer. Strict liability isn't the right solution to this sort of public policy problem, regulation is. That regulation and control can take many forms, some good, some bad. I don't see the problem getting fixed though without some substantial reworking of the ecosystem. Some degree of freedom may well be a casualty. Please don't think I'm actually supporting the general decrease in liberty overall. At the same time I'm pretty sure that traffic laws are a good idea, speed limits are a good idea, even though they restrict individual freedoms.In the computing space I'm ok allowing people to opt-out but only if in doing to they don't pose a manifest danger to others. Balancing the freedom vs. the restriction isn't easy of course, and I'm not suggesting it is. I'm merely suggesting that all of the research we've ever done in the area doesn't point to our current model (relying on users to make choices about what software to use) promising. How to make this happen without it turning into a debacle is of course the tricky part. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Microsoft's message at RSA
Hi andy (and everybody), Indeed. I vote for personal computer liberty over guaranteed iron clad security any day. For amusing and shocking rants on this subject google up some classic Ross Anderson. Or heck, I'll do it for you: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html A related and more present worry I have is that Microsoft's messaging is going to morph on the security front from software security (good) to software security features end-to-end yadda (bad). I chatted with Steve Lipner about this at the DHS software assurance thing this week and he does not seem to share my concerns. Then again, he does worry about what the marketing people make up. In my view, we US citizens have learned the hard way over the last 8 years that security makes a great excuse to compromise integrity and personal liberty. I like the fact that Microsoft makes a big deal about software security and I hope they don't stop or lose focus and start somehow associating software security with we own your computer and we'll do what's best for you. Radically yours, gem http://www.cigital.com/~gem On 5/9/08 12:33 PM, Andy Steingruebl [EMAIL PROTECTED] wrote: On Mon, May 5, 2008 at 10:24 AM, Gary McGraw [EMAIL PROTECTED] wrote: hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure. http://reddevnews.com/features/article.aspx?editorialsid=2470 So what do you guys think? Is this end-to-end trusted computing stuff going to fly with developers? I think you're both right. I'm working on a longer writeup of the ideas on the end-to-end paper but I think you've captured part of the problem at the heart of things. We're going to have to trade some fundamental computing liberties to get the kind of security required to actually have trusted relationships via computers. Good or bad I don't want to comment on right now. If you've read Code and other laws of cyberspace by Lessig you'll see some of the same ideas albeit it from a more regulatory perspective than from a purely technical one. The updated Code 2.0 book captures a lot of these same ideas. I think Charny is missing the mark ever so slightly when he says the security goals can be achieved without compromise on the part of privacy, or functionality. As Lessig clearly points out - the rules of the networks, computers, etc. aren't real rules in any sense. its not like they are physical laws, the rules are determined by code. This code, and the policy behind it, can change. I think the real question isn't whether this is going to fly with developers, its whether its going to fly with the public at large. Are people (and their proxies - Governments) going to finally demand a change in the the rules/game? -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Microsoft's message at RSA
On Mon, May 5, 2008 at 10:24 AM, Gary McGraw [EMAIL PROTECTED] wrote: hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure. http://reddevnews.com/features/article.aspx?editorialsid=2470 So what do you guys think? Is this end-to-end trusted computing stuff going to fly with developers? I think you're both right. I'm working on a longer writeup of the ideas on the end-to-end paper but I think you've captured part of the problem at the heart of things. We're going to have to trade some fundamental computing liberties to get the kind of security required to actually have trusted relationships via computers. Good or bad I don't want to comment on right now. If you've read Code and other laws of cyberspace by Lessig you'll see some of the same ideas albeit it from a more regulatory perspective than from a purely technical one. The updated Code 2.0 book captures a lot of these same ideas. I think Charny is missing the mark ever so slightly when he says the security goals can be achieved without compromise on the part of privacy, or functionality. As Lessig clearly points out - the rules of the networks, computers, etc. aren't real rules in any sense. its not like they are physical laws, the rules are determined by code. This code, and the policy behind it, can change. I think the real question isn't whether this is going to fly with developers, its whether its going to fly with the public at large. Are people (and their proxies - Governments) going to finally demand a change in the the rules/game? -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Microsoft's message at RSA
Hi Gary, I think they are doing it, Cardspace is the key enabling technology to making it happen. Given how many enterprises are federation-enabled (and how simply the rest can be), the biggest missing piece right now is that we need an Identity Provider for the Internets. Of course this only helps to solve the access control problem, not the defensive programming problem, you can still shoot yourself in the foot with SAML and WS-* (Brian Chess and I gave a talk on this at RSA). But at least it will be nice to have the banks and brokerage houses stop having people type their username and passwords into web browsers, and then blaming the consumer when things go amiss. -gp Gary McGraw wrote: hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure. http://reddevnews.com/features/article.aspx?editorialsid=2470 So what do you guys think? Is this end-to-end trusted computing stuff going to fly with developers? gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Microsoft's message at RSA
http://media.omediaweb.com/rsa2008/mediaplayerVO.htm?speaker=1_4 And if you want to listen to it, there it is as well. Gunnar Peterson wrote: Hi Gary, I think they are doing it, Cardspace is the key enabling technology to making it happen. Given how many enterprises are federation-enabled (and how simply the rest can be), the biggest missing piece right now is that we need an Identity Provider for the Internets. Of course this only helps to solve the access control problem, not the defensive programming problem, you can still shoot yourself in the foot with SAML and WS-* (Brian Chess and I gave a talk on this at RSA). But at least it will be nice to have the banks and brokerage houses stop having people type their username and passwords into web browsers, and then blaming the consumer when things go amiss. -gp Gary McGraw wrote: hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure. http://reddevnews.com/features/article.aspx?editorialsid=2470 So what do you guys think? Is this end-to-end trusted computing stuff going to fly with developers? gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
