I attended ShmooCon 2006 Jan. 13-15th. I had been waiting for the video and slides from the con to be posted, but I figured I should start posting before I completely forget what went on. Over the next few days I’ll be posting about the various talks I attended.
Dan Geer’s keynote was one of my favorite talks from the con. He believes that “if people respect you enough to have you deliver a keynote, respect your audience enough to write it out”. Thanks to that he’s provided the full text and a pdf of the slides from his talk. My summary won’t do it justice, but you can at least know what you are getting yourself into. Read on.
Dan started by acknowledging that, like most people in the audience, he wasn’t trained in security. His formal schooling is as a biostatistician. Things are changing, though: soon the security industry will be filling up with people trained solely in security. Dan feels that we should leverage our diversity while we still can, specifically to solve the problem of how to measure security.
The ultimate goal is “Quantitative information risk that is on a par with quantitative financial risk management”. The problem with the internet is that it is an aggregated risk because of its interconnected nature. Aggregated risk is why the same insurance company doesn’t sell policies to houses next door to each other; if one burns, the other one likely will, resulting in double the loss for the company. In 2003 Dan and six coauthors described Microsoft’s monopoly as a monoculture threatening national security (he was then fired from @stake via press release). This monoculture is a huge aggregated risk. There are other problems as well. Modern insurance policies are based on history, but the internet has no measurable risk history, unlike a 24-year-old, non-smoking, white male.
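To make the aggregated-risk point concrete, here is an added example of my own (it is not from Dan’s talk or slides). It uses a constructed toy model: a fleet of hosts is spread evenly across some number of platforms, and each platform independently suffers a total-compromise event with probability p, taking every host on it down at once. One platform is the monoculture; as many platforms as hosts is the fully diverse fleet. The expected loss is the same in every case, which is exactly why an expected-loss number hides the problem; what changes is the probability of a catastrophic, correlated loss, the thing an insurer actually has to survive.

```python
import math


def expected_loss(n_hosts, p):
    """Expected hosts lost in the period. In the toy model this is n_hosts * p
    no matter how the hosts are spread across platforms."""
    return n_hosts * p


def loss_tail_probability(n_hosts, n_platforms, p, threshold):
    """P(hosts lost >= threshold) under the constructed toy model:
    hosts are split evenly over n_platforms; each platform fails
    independently with probability p and takes all of its hosts with it.
    n_platforms == 1 is the monoculture, n_platforms == n_hosts is the
    fully diverse fleet (every host fails on its own)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if n_platforms < 1 or n_hosts % n_platforms:
        raise ValueError("hosts must divide evenly across platforms")
    per_platform = n_hosts // n_platforms
    # Smallest number of failed platforms that reaches the threshold.
    min_failures = math.ceil(threshold / per_platform)
    if min_failures <= 0:
        return 1.0
    if min_failures > n_platforms:
        return 0.0
    # Binomial upper tail, summed in log space so that a large platform
    # count does not overflow the intermediate terms.
    total = 0.0
    for j in range(min_failures, n_platforms + 1):
        log_term = (math.log(math.comb(n_platforms, j))
                    + j * math.log(p)
                    + (n_platforms - j) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)


def compare(n_hosts, p, threshold, platform_counts):
    """Tail probability of the same fleet and threshold for each platform count."""
    return {m: loss_tail_probability(n_hosts, m, p, threshold)
            for m in platform_counts}


if __name__ == "__main__":
    # Constructed sample fleet: 1000 hosts, 1% annual platform compromise
    # probability, and a "catastrophe" defined as losing half the fleet.
    fleet, p, threshold = 1000, 0.01, 500
    print(f"expected loss is {expected_loss(fleet, p):.1f} hosts in every case")
    for m, prob in compare(fleet, p, threshold, [1, 2, 10, 100, 1000]).items():
        print(f"{m:5d} platforms: P(lose >= {threshold} hosts) = {prob:.3e}")
```

With these numbers the monoculture loses half the fleet with probability 0.01, two platforms with about 0.02 (either one failing is enough), ten platforms with roughly 2e-8, and the fully diverse fleet essentially never, while the expected loss stays at ten hosts throughout. That gap between identical means and wildly different tails is the house-next-door problem from the talk, and it is what a history-based premium cannot see.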
Dan feels that security is a subset of reliability and that complexity will often hamper reliability. At this point in the speech Dan starts approaching the problem from his background as a biostatistician. He begins by showing a chart with two lines: one is an estimate of vulnerable hosts, which clearly exceeds the second line, the number of incidents. The gap probably represents security working, but also vulnerable hosts that simply aren’t being attacked. He admits that these numbers are biased, but argues they can still give an accurate picture. The final segment of his talk deals with code complexity and its connection to incident counts.
In closing, Dan is careful to point out that these are just one man’s numbers and that we are still far away from a final packaged measurement solution. He encourages everyone to apply their own viewpoints and backgrounds, and to question what they’ve seen, while we still have time. Of course, this is just a summary and I encourage you to check out the full text and slides.