
As I mentioned, I gave a talk at a conference this week. It seemed well received although I am somewhat concerned people were focusing more on the fact that I was able to remember my slides well enough to give a coherent presentation than my technical content. In terms of content and speakers, the conference was great. I'm afraid it may not have been such a financial success: it was lightly attended.

I'm worried about two trends that were obvious in the conference. I'm not surprised; I've heard these trends mentioned before but I'm still quite concerned. The first is the trend for software engineering to require expensive standards and certifications. Common criteria evaluation is an obvious example, but the federal government and other sources are looking at quality standards for software they use. At one level, this sounds great. As a matter of practice though this ends up being expensive and mandating a lot of business processes. I'm not sure how small companies or especially open-source development will survive. I'm concerned that this will turn into a mechanism for large companies like Microsoft to maintain control of the market. Even if the standards actually improve software quality (something that hopefully we will be able to accomplish), it will be a very mixed outcome if we lose the innovation of open-source and small companies. If the standards don't actually improve things, it will be quite regrettable.

The second trend is similar: mandatory regulations about IT security. Now, I'm quite in favor of good IT security regulation if compliance testing is not too exhaustive. The problem is that the trend tends to be towards craptastic regulation. I spent months arguing with auditors that firewalling ICMP Fragmentation Needed messages would not improve my security and was actively harmful. Similar stories abound. The regulations tend to specifically discourage end-to-end security or real isolation of systems for a variety of reasons. Part of it is that the regulations are targeted at the average installation and don't bother to permit configurations that, while they take more setup time, are potentially more secure.

The other thing that was driven home yet again is that the security industry has absolutely no fucking clue how to design reasonable security that deals with targeted DoS attacks. This is likely to become yet another force that trends against the end-to-end principle: in time of a DoS attack, people serve customers from the large ISPs or companies and, to the best of their ability, let the rest of the net go to hell. Discussions of the recursive name server attacks are an excellent example of this. Unlike the other trends, this actually seems like the best we know how to do. Doing better is going to require some clever ideas, lots of hard protocol design and lots of harder politics.

Comments

It was, in fact, a very good conference, and I agree on the financial issues it probably faced. On the shuttle to the airport, the other DNSSEC crank ("It's had 13 years, let it die") and I discussed how to reconcile these two things. If, for instance, the conference had 100 more paying attendees, would we have had some of the interactions we had? Or would you and I and Radia and Charlie and Hilarie and Sandra and Donald and Eric and others all have been in different rooms, and thus not have ended up with some of the same insights we did?

Oh, and I absolutely loved the fact that you were one of the few presenters who didn't have to refer to their slides to remember what they wanted to talk about. And I took notes from your presentation, so it wasn't overly distracting (there was one slide I recall that you verbally reversed two bullets on a list, which was about the only thing I called out mentally). The one guidance I would give, if you wanted to strengthen your presentations, is to actually have different verbal and written slides - on some slides, have more information on the slide, and on others, have a summary of what you will talk to, and on others, just use different wording. It's a technique that ensures that your visual audience gets the message twice, which helps them adopt the message.

On the regulation front, if you hadn't noted it, the National Infrastructure Advisory Council (www.dhs.gov/niac/) did address that question, in a long-winded committee named "Best Practices for Government Intervention to Enhance the Security of National Critical Infrastructures". Buried in the PDF report is this gem:

The NIAC believes that regulation of the Internet is unwise, and market innovation will continue to drive adoption and innovation. The traditional regulatory structure is an open process including public comment. Such a process could lead to providing a roadmap of vulnerabilities to nefarious parties intent on causing damage. Government bodies do not currently possess the array of tools necessary to adequately police Internet security standards leading to the potential of unsophisticated decisions yielding less, rather than more security. The political process by which traditional regulatory standards are reached encourages compromise rather than maximum effectiveness. Hence, the political process could result in an inefficient program that could yield a false sense of security. Government regulation of technology may blunt innovation resulting in less consumer choice, economy and security. Therefore, by the filter criteria outlined above, there seems to be no case today for government intervention in the market.

Further working groups of the NIAC have followed this guidance.

And, as you no doubt know, I'm totally in agreement with you on your point about DoS attacks.
I'm actually more worried about the audit firms and insurance companies creating what amounts to security regulations than I am the government. Although as you noticed in the conference, the government's regulations for itself can affect us all.

I sent you and a wg chair mail at work about dns.

Level of regulation targeted to level of spending

Off the top of my head, I don't remember the tiered structure. However, small businesses with small contracts from the government aren't required to comply with the process regulations. As the contract size grows, the amount of (or level of) process increases. Given my company's dependency on government contracts, and their interest in growing, these regulations are a big deal.

To my knowledge, we only have one contract large enough to require any level of process compliance. The rest are small enough that there is minimal, if any, impact.

Most contractors are aware of the various cut-off levels, and actively work to structure their contracts to get them into the tier they already support by current company policy.

I know, I should give you a link to a government site that details the level of process required for particular contract sizes, but I'm....well...feeling lazy on that front right now. Might get to it later and post another comment.

Just wanted to assuage *some* of your concerns on that front.