Sitting in on a talk given today by Gene Spafford, I got a chance to hear a very good talk for a second time. Here are some of the things that stuck out at me:
80% of email is spam
Only about 50 PhDs in infosec are graduated each year, but more than 4000 lawyers are.
Spaf sez, "Security is not about circling the wagons, it's about getting over the mountain safely." Like brakes in a car (the analogy he uses frequently), computer security features shouldn't be considered a circle-the-wagons defense mechanism; rather, they should be a feature that lets you "drive faster."
What about epidemics? Most of the security threats are epidemic in nature. Getting rid of them may be impossible, but minimizing the outbreaks would be a huge accomplishment.
At many times during the talk there were network interference problems, and in fact the video system crashed and burned halfway through. Here's Sid's Grand Challenge: interference-free video conferencing.
Spaf sez about our armed services using Microsoft Windows, "We've gone from the world's greatest blue-water navy to the world's greatest blue-screen navy."
Did you know there are over 110,000 different viruses for MS products? There are at most dozens for other platforms. This is so bad that on an unprotected connection, automated scans will usurp and zombify a computer running XP in an average of 4 minutes (the shortest in a recent test was four seconds).
We need trustworthy record systems. Hospital workers often don't trust their systems, so they don't use them to their full potential.
We don't measure computers in terms of dependability or reliability. We need to in order to do risk management in IT! But how do you measure the security or privacy risk on computers? This is a severe business problem.
(Link to relevant slides) (Link to similar stream) (Link to related paper)