Since I am still part of the great laptop-less horde, I’ve had to print out interesting articles and read them the old-fashioned way. Underlining and then transposing the information is of course not nearly as convenient as taking notes in another window, but the things I do for the public (all 28 of you according to FeedBurner). Below are my notes; some obvious, some not so.

Matasano Interviews IE Lead PM Christopher Vaughan

  • …the Internet isn’t an innocent place anymore.
  • …security isn’t just about great features and solid code. You also have to have a solid security response plan.
  • …security is everyone’s job.
  • Customers don’t know, don’t care, and shouldn’t have to worry about how a company is internally organized.
  • Jonathan Pincus’s PREfix and PREfast, which are part of Visual Studio now
  • Skylined’s Heap-spray

My FirstBillG Review

  • He (Bill Gates) didn’t meddle in software if he trusted the people who were working on it…

Testing with leverage

  • …test code generally exhibits a low level of reusability
  • The fundamental weakness of unit tests as a quality management tool is that each test case can only test one piece of code
  • …writing enough unit tests to test a large product can be extremely time consuming and expensive
  • …a great set of test cases is not enough to find all the bugs in a complex piece of software
  • The NASA ratio of testers to developers is 20:1 <boggle>
  • The goal of the QA process … should be to raise confidence that the code works, to the greatest degree possible given the available resources
  • A test suite with good coverage raises our confidence that the code works, as does a thorough code review
  • Both (test suite and code review) are better than just one, as each will find errors the other missed
  • Static analysis is the process of analyzing code without running it
  • The major cost of static analysis is analyzing the output and determining if reported items are actual bugs or false alarms
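The two static-analysis points above (analysis without execution, and triage of the output as the real cost) are easy to see in a toy. The following is an added example, not code from the original post or from the article it summarizes: a small analyser that walks a Python module with the standard `ast` library, never executes it, and reports candidate findings. The three rules, the sample module `SAMPLE`, and the shadowing heuristic in `triage()` are constructed assumptions for illustration; a real tool would carry many more rules and a correspondingly larger triage burden.

```python
from __future__ import annotations
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


# Constructed rule set: builtins that execute strings as code.
DANGEROUS_BUILTINS = {"eval", "exec"}
SECRET_HINTS = ("password", "secret", "token")


def _call_name(node: ast.Call) -> str:
    """Return the simple name being called (eval, run, strip, ...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def analyze(source: str) -> list[Finding]:
    """Static analysis: parse the source and inspect the tree.
    Nothing in `source` is executed."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    # Functions the module defines itself. A local `def eval` shadows the
    # builtin, so calls to it are a likely false alarm for the eval rule.
    local_defs = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_BUILTINS and isinstance(node.func, ast.Name):
                note = " (shadowed by local def)" if name in local_defs else ""
                findings.append(Finding("dynamic-code", node.lineno, f"call to {name}(){note}"))
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(Finding("shell-true", node.lineno, f"{name}(..., shell=True)"))
        elif isinstance(node, ast.Assign):
            for tgt in node.targets:
                if not (isinstance(tgt, ast.Name) and any(h in tgt.id.lower() for h in SECRET_HINTS)):
                    continue
                v = node.value
                # Only a non-empty string literal counts; an empty default is not a secret.
                if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
                    findings.append(Finding("hardcoded-secret", node.lineno, f"{tgt.id} = <string literal>"))
    return sorted(findings, key=lambda f: f.line)


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split candidates into 'needs human review' and 'probable false alarm'.
    Only the cheapest heuristic is automated; everything left in the first
    list is the analyst's cost that the article is talking about."""
    likely_false = [f for f in findings if "shadowed" in f.detail]
    to_review = [f for f in findings if f not in likely_false]
    return to_review, likely_false


# Constructed sample module (line numbers in comments are its own lines).
SAMPLE = """\
import subprocess

DB_PASSWORD = "hunter2"  # line 3: real finding
PASSWORD_PROMPT = ""  # line 4: empty literal, not reported

def eval(expr):  # line 6: local helper that shadows the builtin
    return expr.strip()

def run(cmd):
    return subprocess.run(cmd, shell=True)  # line 10: real finding

def tidy(s):
    return eval(s)  # line 13: false alarm, this is the local eval
"""

if __name__ == "__main__":
    review, false_alarms = triage(analyze(SAMPLE))
    for f in review:
        print(f"REVIEW  line {f.line:>3}  {f.rule:<17} {f.detail}")
    for f in false_alarms:
        print(f"FA?     line {f.line:>3}  {f.rule:<17} {f.detail}")
```

Three candidates come out for thirteen lines of input; the tool can only downgrade one of them on its own, and deciding whether `shell=True` on line 10 is reachable with untrusted input is exactly the manual work the notes describe.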

Why Information Security is Hard

  • Incentive Failures – While individual computer users might be happy to spend $100 on anti-virus software to protect themselves against attack, they are unlikely to spend even $1 to prevent their machines being used to attack Amazon or Microsoft
  • Tragedy of the Commons – If a hundred peasants graze their sheep in the village common, then whenever another sheep is added its owner gets almost the full benefit – while the other ninety-nine suffer only a small decline in the quality of the grazing. So they aren’t motivated to object, but rather to add another sheep of their own and get as much of the grazing as they can. The result is a dustbowl.
  • Metcalfe’s Law – The more people use a system, the more useful it is to each user.
  • Three features of Information Technology Markets.
    1. The value of a product depends on how many other users adopt it
    2. Technology often has high fixed costs and low marginal costs
    3. There are often large costs to users from switching technologies, which leads to lock-in
  • Above features lead to winner-takes-all market structures
  • Successful networks tend to appeal to complementary suppliers even more than to users: the potential creators of killer apps need to be courted
  • The huge first-mover advantages that can arise in economic systems with strong positive feedback are the origin of the so-called Microsoft philosophy of “we’ll ship it on Tuesday and get it right by version 3”. I don’t think I need to say that this is Bad from a Quality perspective…
  • …mandatory security would subtract value, as it would make life more difficult for application developers.
  • …much of the lack of user-friendliness of both Microsoft software and the Internet is due to the fact that both Microsoft and the Internet achieved success by appealing to developers.
  • Network owners and builders will also appeal to the developers of the next generation of applications by arranging for the bulk of the support costs to fall on users rather than developers, even if this makes effective security administration impractical.
  • Rather than using a standard, well analyzed and tested architecture, companies often go for a proprietary obscure one – to increase the investment that competitors have to make to create compatible products.
  • MS Passport does about 400 authentications per second on average. This could be marketing fodder for use by the SelectAccess folks…
  • Passport’s logout facility didn’t work with Netscape based browsers when it was first launched. Oops. Cross-browser testing is Good.
  • One of the most important aspects of a new technology package is whether it favours offense or defense in warfare.
  • Different testers will find different bugs. Which is why you should vary the types of people in a Test group.
  • Make the security critical part of the system small enough that the bugs can be found
  • Attack is simply easier than defense. Defending in a modern information system could also be likened to defending a large, thinly-populated territory like the nineteenth century Wild West: the men in black hats can strike anywhere, while the men in white hats have to defend everywhere.
  • The technical bias in favour of attack is made even worse by asymmetric information. … If you report [a bug], you will protect 250 million [people], if you keep quiet, you will be able to conduct operations against 500 million [other people]. I personally would be shocked if that actually was happening in the Real World. Ya, right.
  • …when buyers don’t have as much information about the quality of the products as sellers do, there will be severe downward pressure on both price and quality.
  • The problem of bad products driving out good ones can be made even worse when the people evaluating them aren’t the people who suffer when they fail.
  • The real driving forces behind security system design usually have nothing to do with altruistic goals
  • Security engineering should be a matter of rational risk management rather than risk dumping

(more articles as I get time to type them up)