April 21st, 2006

(no subject)

As I mentioned, I gave a talk at a conference this week. It seemed well received, although I am somewhat concerned that people were focusing more on the fact that I was able to remember my slides well enough to give a coherent presentation than on my technical content. In terms of content and speakers, the conference was great. I'm afraid it may not have been such a financial success: it was lightly attended.

I'm worried about two trends that were obvious at the conference. I'm not surprised; I've heard these trends mentioned before, but I'm still quite concerned. The first is the trend for software engineering to require expensive standards and certifications. Common Criteria evaluation is an obvious example, but the federal government and other sources are looking at quality standards for the software they use. At one level, this sounds great. As a matter of practice, though, this ends up being expensive and mandating a lot of business processes. I'm not sure how small companies, or especially open-source development, will survive. I'm concerned that this will turn into a mechanism for large companies like Microsoft to maintain control of the market. Even if the standards actually improve software quality (something that hopefully we will be able to accomplish), it will be a very mixed outcome if we lose the innovation of open source and small companies. If the standards don't actually improve things, it will be quite regrettable.

The second trend is similar: mandatory regulations about IT security. Now, I'm quite in favor of good IT security regulation if compliance testing is not too exhaustive. The problem is that the trend tends to be towards craptastic regulation. I spent months arguing with auditors that firewalling ICMP "fragmentation needed" messages would not improve my security and was actively harmful. Similar stories abound. The regulations tend to specifically discourage end-to-end security or real isolation of systems for a variety of reasons. Part of it is that the regulations are targeted at the average installation and don't bother to permit configurations that, while they take more setup time, are potentially more secure.
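To show why blanket ICMP filtering is harmful rather than just useless, here is an added simulation of Path MTU Discovery (the mechanism that depends on ICMP "fragmentation needed", type 3 code 4). It is example code written for this page, not anything from the original post or from any real firewall product; the hop names, MTU values and the two firewall policies are constructed for illustration. A sender marks packets Don't-Fragment, a hop with a smaller MTU drops the packet and reports its MTU back, and the sender shrinks the packet and retries. When the border firewall drops all ICMP, that report never arrives and large packets are silently black-holed.

```python
"""Simulated Path MTU Discovery (PMTUD) behind two firewall policies.

Added example for this page; the path, MTU values and policies are
constructed assumptions, not measurements from any real network.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# ICMP Destination Unreachable (type 3), "fragmentation needed and DF set" (code 4)
ICMP_FRAG_NEEDED: Tuple[int, int] = (3, 4)


@dataclass
class Hop:
    name: str
    mtu: int


@dataclass
class Firewall:
    """Inbound ICMP policy: only (type, code) pairs in `allow` are passed."""
    allow: FrozenSet[Tuple[int, int]]

    def passes(self, msg: Tuple[int, int]) -> bool:
        return msg in self.allow


# The misconfiguration the post argues against: every ICMP message dropped.
BLOCK_ALL_ICMP = Firewall(frozenset())
# A corrected policy: still drops most ICMP, but lets PMTUD signalling through.
ALLOW_FRAG_NEEDED = Firewall(frozenset({ICMP_FRAG_NEEDED}))

# Constructed path: a 1400-byte tunnel sits between two 1500-byte links.
EXAMPLE_PATH: List[Hop] = [Hop("lan", 1500), Hop("tunnel", 1400), Hop("core", 1500)]


@dataclass
class PmtudResult:
    delivered: bool
    final_size: int
    attempts: int
    reported_mtus: List[int] = field(default_factory=list)


def forward_df_packet(path: List[Hop], size: int) -> Tuple[bool, Optional[int]]:
    """Carry a DF-flagged packet hop by hop.

    Returns (delivered, next_hop_mtu). A hop whose MTU is too small drops the
    packet and would emit ICMP frag-needed carrying its own MTU (RFC 1191).
    """
    for hop in path:
        if size > hop.mtu:
            return False, hop.mtu
    return True, None


def run_pmtud(path: List[Hop], firewall: Firewall, size: int,
              max_attempts: int = 5) -> PmtudResult:
    """Sender-side PMTUD loop: shrink on frag-needed, otherwise retry blindly."""
    reported: List[int] = []
    for attempt in range(1, max_attempts + 1):
        delivered, next_mtu = forward_df_packet(path, size)
        if delivered:
            return PmtudResult(True, size, attempt, reported)
        # The ICMP report has to cross the sender's firewall on the way back.
        if next_mtu is not None and firewall.passes(ICMP_FRAG_NEEDED):
            reported.append(next_mtu)
            size = next_mtu          # lower the packet size and retry
        # else: black hole; the sender only sees a timeout and retransmits
        # the same oversized packet, which fails the same way.
    return PmtudResult(False, size, max_attempts, reported)


if __name__ == "__main__":
    for label, fw in (("block all ICMP", BLOCK_ALL_ICMP),
                      ("allow frag-needed", ALLOW_FRAG_NEEDED)):
        r = run_pmtud(EXAMPLE_PATH, fw, 1500)
        print(f"{label:18s} delivered={r.delivered} size={r.final_size} "
              f"attempts={r.attempts} reports={r.reported_mtus}")
```

Run it and the two policies diverge immediately: with fragmentation-needed allowed, the 1500-byte packet is delivered at 1400 bytes on the second attempt; with all ICMP blocked, every attempt fails and the connection looks like an unexplained hang to the user. Small packets (interactive traffic, TCP handshakes) still work under the broken policy, which is why this class of fault is so hard to diagnose from the outside.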

The other thing that was driven home yet again is that the security industry has absolutely no fucking clue how to design reasonable security that deals with targeted DoS attacks. This is likely to become yet another force that trends against the end-to-end principle: in time of DoS attack, people serve customers from the large ISPs or companies and, to the best of their ability, let the rest of the net go to hell. Discussions of the recursive name server attacks are an excellent example of this. Unlike the other trends, this actually seems like the best we know how to do. Doing better is going to require some clever ideas, lots of hard protocol design and lots of harder politics.