February 12, 2003
Cracked Code

Eugene Spafford calls software companies to the carpet

Thomas Claburn
Dr. Eugene Spafford, a.k.a. Spaf, is a Professor of Computer Sciences at Purdue University. His research focuses primarily on information security, computer crime investigation, and information ethics. If you use a firewall, thank him—he brought the term to networking in 1990.

New Architect: Given the current state of security, what worries you the most these days?

Eugene Spafford: I'm not sure there's one thing I can pick out. We have so many vulnerabilities throughout the system—in the software that's deployed, in the development processes, in operations, in networks. With all the places we're using software, we have so few people who are appropriately trained in using the security tools that we have and in understanding how security really works. It's a massive problem.

NA: In your testimony before the House Science Committee, you talked about how information security data was often withheld by companies and governments because they consider it sensitive and proprietary. What should be done to make that data available to those whose work might benefit from it?

ES: There are valid reasons why we would want to keep some of that information proprietary—because it does contain sensitive information. But unless we start sharing information [about security breaches] and understanding the magnitude of the problem, and have some real data balanced with some real applications, those of us trying to do research in academia and in industry aren't going to be able to build real solutions. So we have to come up with an attitude change—admitting to security problems should not necessarily be a mark of shame. It happens. In fact, it happens more often than we'd like to admit. That may mean developing some trusted parties that can sanitize the information, and perhaps some of the ISACs—the information sharing and analysis centers—are a way to do that.

NA: You also said that it was largely because of industry practices that we currently face security problems. What blame should we lay at the corporate doorstep?

ES: There's a little bit of shared responsibility in a number of places. But primarily with industry, what I see is they have a responsibility to produce goods that are not harmful to the customer, insofar as they should anticipate common threats and use a due standard of care. That's true of any vendor or any service provider. It's not an issue of software being goods or a service—it's something that you pay money to somebody else to get. And what has happened over the years is there's been a steady pressure to produce the cheapest, fastest code possible. And many known good practices for producing better software—including using safer languages and more testing and putting self-checks in the code—have all been avoided because they make the code bigger or slower or more expensive to produce.

Now, arguably, the public has been trained to measure code based on those issues and to want it faster and cheaper. So there's some blame to be laid on the public, but the vendors have helped cultivate that view, because that's what they've advertised and pushed. And in some cases, in some markets, all the credible competition has been driven out. I would argue that in some sense it's similar to the tobacco companies saying we're just selling people what they want. But the response to that is you're selling a dangerous product and you should appropriately safeguard it. That's one of the things that I think really we can lay at the feet of industry.

And the second is creating the impression somehow that software can't be written reliably. I would argue that the trusted computing paradigm that's being talked about, not only by Microsoft, but by many other companies, is continuing this impression that it's not possible to write relatively robust, correct software unless you do something really, really special. I don't believe that's true. If you train the programmers well, if you give them the right tools, and you write the code appropriately, a lot of the problems that we have right now that relate to security difficulties could be fixed, simply by applying techniques that we already know how to apply. We have to start holding responsible the people that write the code, the companies that write the code. So when it goes wrong, we don't call it a computer virus, we call it a Microsoft virus. Or instead of calling it a computer break-in, we call it a flaw in IBM or Oracle software, because they didn't code it properly.

NA: Has the law gone too far in criminalizing technology rather than behavior?

ES: I definitely think so. The Digital Millennium Copyright Act lawsuit that was brought [unsuccessfully] against ElcomSoft is an excellent example of that. We've had cases of researchers who have been threatened by media companies. We've had researchers who've had to self-censor their work. For people working in academia, even the threat of a lawsuit is not something they can defend against. It's too expensive. So it's had a chilling effect on the research.


Thomas Claburn is the production editor of New Architect.

 
