I don't think that the standards committees underestimate security threats; I just think they're too busy doing things that are more important to them -- like holding meetings and writing minutes
Awesome interview. The gist of it is:

- Security sucks because CTOs don't understand proper security, or fail to implement policies because of office politics.
- The thumb is *up* the ass. Network security issues have largely been understood since the late 80s. We keep dicking around ever reinventing the encrypted tunnel instead of working on complex and interesting problems.
- IETF and other bodies are so packed with commercial stooges that they are being ineffective.
- Security is a design, not an add-on. It must exist on all levels. Network security is pointless without host security. Security cannot exist only in layers 3 and 4. It must include the application!
- The popularity of computers and the Internet is what's killing the industry. Too many uneducated people use it, so most companies are too busy selling them stuff to improve the quality/security of their products (i.e. Microsoft's user-friendly GUI instead of controlled execution of code).

Interview with Marcus Ranum