Bob Blakley

A great post, Gunnar. I have only one quibble; you say "running up technical design debt since 1995". Firewalls have been around (and mostly useless) since way before 1995. The term was used in the movie "Hackers" in 1983; AT&T had one running by 1988. Marcus Ranum has a good presentation on firewall history here (PDF): http://www.ranum.com/security/computer_security/archives/firewall-early-days.pdf


Thanks Bob, I was not aware of some of those historical references. I would say, though, that a case could be made that the design debt did not begin to incur until post-1995. The firewall + SSL model could be viewed as sufficient (or "well capitalized" ;-P) based on the type of transactions that were being run on the web at the time.

In any case, whatever the starting point, we need a QE2 stimulus for our security programs!

Cormac Herley

Really apt reminder, thanks for surfacing! Though 1) it could only be made by someone of unequalled stature and 2) it had no effect. Maybe major rejiggering of resources happens only when things are stretched to the limit. A few mos of combat in WWI settled questions about the usefulness of cavalry that no amount of theorizing could. Or, "the recession finds what the auditors missed." Wasteful resource allocation is the luxury of avoiding hard tradeoff decisions. Maybe we have to be pressed a lot harder before we think sensibly about allocation in infosec.


"Maybe major rejiggering of resources happens only when things are stretched to the limit."

I agree. James Carville famously said he wished that when he died he would come back as the bond market, because then everyone would be scared of him. So in this case the bond market forces governments to make hard choices that they are incapable of making otherwise. It's playing out now all across Europe.

