Over on eWeek.com, an Internet Magazine, a blog entry of mine seems to have hit home [1], and caused a response. Peter Coffee has written an article, "Report Takes Software Processes to Task [2]," that starts with "I feel as if I could get an entire year's worth of columns, or perhaps even build my next career, out of the material in a Task Force Report[3]..." Promising stuff !
He then goes on to draw a couple of reasonable points from the report (how unprofessional security professionals are..., how security is multi-disciplinary...[4]) and then ruins his promising start by launching an ad hominem attack. Read it, it is mind bogglingly silly.
I won't respond, other than to point out that real security professionals do not do the ad hominem ("against the man") as it distracts from the real debate of security. As he rightly intimated, security is substantially complex. As he apparently missed, this makes security very vulnerable to the sort of $50 million pork barrel projects that look good in a report, but miss the point of the complexity. And, Mr Coffee definitely missed that doing the ad hominem thing signalled that someone was upset at their pork being spiked. Sorry about that!
Comments of any form are welcome, although I admit to being surprised at this one. Especially, if Mr Coffee would like to take up his claim to spend a year reading and benefitting from the report, I'll respond on the security aspects he raises.
[1] Ian Grigg, "cybersecurity FUD," 05th April, 2004,
http://www.financialcryptography.com/mt/archives/000107.html
[2] Peter Coffee, "Report Takes Software Processes to Task," 22nd April, 2004,
http://www.eweek.com/article2/0,1759,1571967,00.asp
[3] National Cyber Security Partnership, "Security Across the Software Development Life Cycle,"
http://www.cyberpartnership.org/SDLCFULL.pdf
[4] Ian Grigg, "Financial Cryptography in 7 Layers," 4th Financial Cryptography Conference, 2000,
http://iang.org/papers/fc7.html
Peter Coffee should pause prior to making flippant remarks about the past. Rather than looking at the people involved like Bill Gates we should look at the USA's history of producing secure software. It appears that given the lack of any history of producing secure software, attacks against the people are the only answer. We should establish some game rules before starting any attack; I wouldn't want to be viewed as some Iraqi Prison Guard.
Anyway, the software on all levels produced in affiliation with Microsoft is totally insecure, as a Microsoft consumer most of my applications have been attacked. Microsoft is the primary reason people write viruses and try to send them all over the place. What in the Microsoft entity promotes hacking and attacks on their consumers? I think it is their lack of fair play as exhibited by phony standards being hoisted upon an ill informed public so they can sleep at night believing in the ability of a Task Force to define what is or is not secure.
I'm a novice and an idiot and this allows any personal attacks to have merit but after examining the TASK FORCE REPORT I found strange and wonderful things:
1. It was published on April 1st April Fools Day.
2. Scott Charney of Microsoft Co-Chairs it. What history does his firm have producing secure software? None at all.
3. The presence of a [Patching Subgroup] leads me to believe that Microsoft with all its wonderful patches is determining the agenda.
4.National Cyber Security Summit - who the hell are these folks? Are they part of the same intellegence community that protected me and my family on 9/11?
5.The following make up the members of the TASK FORCE or sponsor it, they are paid political hacks, fake non-profits that do nothing but use an IRS loophole and lobby the government. They are as fake as their TASK FORCE:
the National Cyber Security Partnership,
the coalition of trade associations, including the U.S Chamber of Commerce,
the Information Technlology Association of America,
TechNet,
Business Software Alliance, that sponsored and organized the National Cyber Security Summit held in Santa Clara, California on December 2-3, 2003.
6. It seems rude to tell me these are important ideas since I make up my own mind. This type of verbage tends to be from those that want and desire power. The question to ask is what do they want this power for? The task force has assembled a number of important ideas and recommendations. These issues are complicated and the presentation of a recommendation is not meant to suggest that it was unanimously agreed upon.
7. EDUCATION SUBGROUP SUMMARY. The Educational System in the US was all crazy about IT during the Dotcom bubble then when it burst they couldn't see how they would make huge amounts of dosh off of some brilliant student so they do not afford tender in any fair means to IT or Computer Science in general.
8. EDUCATION SUBGROUP SUMMARY - certificate program for IT professionals. This smells like Microsoft again. Sorry but they have been discredited when it comes to secure software design. Maybe they can steal some.
I have briefly scaned the report with a jaundiced eye but that is exactly what is required to make things secure, critical assessment of the real threats not some Microsoft fantasy of owning another portion of the worlds GDP. Peter Coffee is a Microsoft Tool, as is the TASK FORCE. I think right now the People's Liberation Army of China and their cyberwarfare groups are changing their pants after they had this large laugh. Our threat now is idiots like Coffee and Micro-noodle. They lie steal and cheat in order to defend or create their monopoly.
I'm sorry, the world requires secure software design but Microsoft has no place going forward nor does Peter Coffee.
Posted by: God's gift to the world at May 22, 2004 11:35 AMColourful stuff, Mr "God's gift." I'm not sure what Iraqis and the PLA have to do with it, and I suspect the April 1st thing was just unfortunate.
But you raise some good points. Security patches should be much rarer than they are, and working to improve that process is working on the symptoms not the cause.
Oddly enough, both Microsoft and HP and probably other companies have decent people in the labs working on secure software, but instead of their work being showcased, there was discussion of outsourcing. What sort of security policy panders to nationalistic paranoia and vote garnering?
Indeed, as the seminal paper in one security discipline comes from a Microsoft researcher, what hope is there?
Posted by: Iang at May 22, 2004 12:24 PMWho is Ian Grigg?
Your description of Ian is interesting and I can see how somebody could write those things by googling around for "Ian Grigg" and systemics. Probably you've missed some even more bizarre stuff.
http://www.eweek.com/article2/0,1759,1571967,00.asp
I don't know the private aspects of Ian's life very deeply, but we have corresponded by email for 6 or 7 years. I spent a weekend with him at the Edinburgh financial cryptography conference in 2001 and found him to be sincere, and a straight shooter throughout.
He is certainly a dedicated and principled person. How otherwise, could somebody write as much, every day for 15 years on cryptography and business? You'll find he is one of the most respected thinkers and writers in the field, outside of the financial services companies. Even if he were a space alien, or a mass murderer, writing from a penitentiary someplace, his contributions in the world of ideas have been exceedingly useful and valuable to many, many people. You could surf the dbs or cypherpunks list archives, or more recently the webfunds or xml-x or gold currencies chat list.
=======
Now may I comment on the fundamental point of your article?
There are only 3 things you need to remember about identity and authentication.
1. Telecom companies, software companies and banks *always* want to control your authentication over networks, so that they can prevent you from buying or selling with their competitors, and otherwise influence what you KNOW in order to influence what you will DO. It is never sufficient for them to know who you are or "authenticate" people for a sale. They will never rest, until they can prevent you from dealing with their competitors.
2. The personal trusted device must be totally secure, i.e., the private keys must be generated and maintained privately and impossible to access from outside the device.
and
3. Such a simple thing will not be allowed to reach the individual in our lifetime. It should be at Walmart for $10 but people are too dumb to realize what they need, and since they only believe the mass media, nobody can tell them.
In my belief, it is not technically hard to design a signing device. It is easy and has already been done (although admittedly, it is *very* hard to run an honest code repository, chip foundries, and chain of custody over products like this.)
The reason the general public has never been provided with a generalized, independent capability to prove our identity, sign contracts, vote electronically, pay electronically from P2P, etc., is because the incumbent corporations and governments will not allow the reshuffling of wealth and political advantage that would result,
ho hum, what else is new...
Todd Boyle - Kirkland WA - 425-827-3107
AR/AP everywhere http://ledgerism.net/