1230-1345 Lunch
Lunch was great. Salmon (I think - I usually just eat whatever is put in front of me) with greens and potatoes. More potatoes and less salmon would've been good. Conversation was excellent. Talked to Jake W. and Heather Ford about global politics, NGOs, different dysfunctional aspects of different cultures, privacy, communism, capitalism, paranoia, etc. I was going to skip dessert, but that cake looked really good. And it was.
I'm feeling sharper this afternoon than I felt this morning. Food helped a lot.
1350
Scott Blake, Bindview (moderator)
Mary Ann Davidson, Oracle
Bruce Schneier, Counterpane
Bruce says that we're really dancing around the issue of transparency. He argues that the vendor is in the best position to make its software more secure, and that they need to be motivated to produce secure code. He echoed many sentiments that were voiced this morning, which makes me hope that perhaps there's more consensus on these issues than I thought.
Mary Ann: Security is not the enemy of feature sets. Part of the cost of purchasing and owning a license to a software product is its maintenance, particularly as it relates to security. Lowing overall cost of operations could be achieved if customers required secure default configurations from their vendors. It really is cheaper to build it right the first time. Engineers must have a professional engineer's license - why not have something similar for programmers? After all, programmers are building critical IT infrastructure, and it needs to be done right. Educational institutions could do a better job at teaching security, too.
[GF: I agree with 95% of what Mary said. She's making very logical, practical arguments in favour of planning ahead and working to prevent fires rather than fight fires. I wonder how much she has to fight her colleagues on such issues.]
Bruce mentions that he really doesn't like to see more regulation, but he implies that perhaps that's part of the solution.
[GF: Why is there so much libertarianism in computer geek circles, I wonder? Is it because we feel like we can define our worlds to such a great extent that we don't really need government? If so, I think we're probably sticking our heads in the sand - part of the role of government is to provide stability, and we geeks couldn't build our little insular worlds if the world wasn't stable and peaceful enough to allow such. Even if we could, the world does not revolve around us, no matter how much we pat ourselves on the back for building/maintaining "critical IT infrastructure." Of course, this is a gross oversimplification of the issue, and I really don't mean to paint Mr. Schneier with the brush that I appear to be painting him with, but I should move on.]
Mary Ann points out that the government is a very large customer base, and that regulation isn't the only way that government can influence vendor behaviour. That's an excellent point, and while it seems obvious now I hadn't thought of it before.
An audience member implied that shipping products with 'secure' defaults would be easy; Mary Ann disagreed - she pointed out that doing so with one of her company's products might break things unexpectedly. I think of course it'd be easy to design and ship a product from scratch that assumes a high level of security by default, but that doesn't solve things for all the companies and products in existence today.
Steve Lipner asserted that it was worth it to Microsoft to build in a change to default behaviour (turning on software firewall & automatic software updates) in WinXP SP2.
An audience member asked how to motivate employees to solve security problems? Answer: Confirmation of results, and traditional incentives such as bonuses & job loss.