Security Focus features an interview with Marcus Ranum that includes a typically bleak (though not inaccurate) assessment of the current state of infosec. As usual, Ranum does not simply bow to the consensus views but brings up additional ways to think about security.
- If a standard protocol is broken or insecure, what is the best solution? Maybe supporting only some features or adding a crypto layer?
If it's broken, adding crypto just makes it broken and hidden.
If a standard protocol is broken, the best solution is to deprecate the standard and use something else. Just fix it and move on. It's not like standards are some kind of holy writ; nobody is going to be punished for ignoring bad standards, right? Remember the ISO networking protocols? Too late, too complicated, and everyone said "no thanks." We can do the same, and we should.
Big customers should feel empowered to tell vendors (or standards committees, for that matter), "Nope. That sucks. No money for you, until you fix it." The customer is always right.
This is a good example of holistic thinking applied to infosec: solving one problem may have cascading effects that make other problems difficult or infeasible to address. The problem is compounded by the lack of interoperability among security products, standards, and tools, which are designed to meet the requirements of their designers (vendors, standards bodies, and so on) rather than those of the end implementer.