Marcus Ranum on security innovation and Big Data
by Mirko Zorz - Tuesday, 11 March 2014.
Marcus Ranum, CSO at Tenable Network Security, is an expert on security system design and implementation. In this interview he talks about the evolution of Big Data and true innovation in the computer security industry.

It's been decades and we're still figuring out how to make people use strong passwords. Where do you see true innovation in information security these days?

It seems that whenever we start to make some headway with the "passwords are a poor technique" message, something comes along and undoes all the work. Things were actually moving in the right direction for a while in the mid/late 90s but then SSL came along and everyone was able to re-believe that passwords weren't so bad.

I recall being deeply disappointed that there was never a push for some kind of federated identity, but in retrospect it's pretty obvious that any such attempt would be defeated by market forces attempting to prevent any one vendor from getting control over such an important piece of property. And, as the software industry continues to evolve, we see exactly why that would be a bad idea: such a property would be so valuable it'd sooner or later result in an "offer that cannot be refused" and then everyone's identity would be controlled by Microsoft, Oracle, Google, or ... Ugh.

I actually think that federated ID is a job for government. Why not? I suggested exactly that to Howard Schmidt a few years ago, and added the suggestion that such a system would only be palatable if you could also apply for an "avatar" identity - one that you could prove to the government agency was you; and they would confirm it - essentially government-issued fake ID.

Governments actually already have the infrastructure to do that kind of thing and in a sense they're already in that business with passports, drivers licenses, tax IDs, etc. And, as Edward Snowden tells us, the US government (among others) spends a tremendous amount of money and time already trying to figure out who is who on the internet - why not do the whole thing in a socially useful way?

But I slightly didn't answer your question. Where is innovation happening? Everywhere. Unfortunately, market demands innovation happen where customers are ready and willing to pay for it rather than where the infrastructure really needs it. Customers are always going to be happy to buy whatever's hot and hyped rather than boring stuff that's just a lot of hard work. That's why I pretty much despair of seeing a profound shift toward software quality and reliability - which we need - instead of glitzy new 3D dancing animated pig apps for your uber-smartphone.

The trendline there worries me; market dynamics continue to reinforce the idea that rapid application development pushed into the hands of millions of customers is how you get market share and get rich. You don't actually ever get around to building reliable software architectures in that scenario. In other words I think there's a great deal of innovation but it's pulling the industry sideways instead of forward.

During the past year we've seen an explosion of solutions taking advantage of Big Data. How do you expect them to evolve in the next five years?

I think that we'll see a few of them pan out to be useful, and a lot of them turn out to be - big. The premise of big data is that you can discover all this amazing stuff in your databases and unstructured data once you get it in one place where you can trawl through it and explore interrelations within it. The hard part of that particular job is the "explore" and "understand" part, which only can happen after the "buy a ton of expensive stuff" part. I'm concerned that many organizations don't understand that big data is a long-term play and its results are not guaranteed or magically automatic.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th