Thursday, January 15, 2009

Intro to Bruce Schneier

Back in 2000, Microsoft was getting hammered for it's lack of security. At the time I was working for the Exchange team focused on Key Management Server (or KMS). This was functionality used by Exchange to offer signed and encrypted emails to users in the system. Because of all the bad publicity at Microsoft, there was a push from upper management (I mean way up high) to get better at security. Some of you may remember when Microsoft stopped coding for a while to better their security. This wasn't just PR, but it was something they believed in. So because I worked on signed and encrypted email, that meant I knew something about security (which I didn't). I got drafted to the newly formed Exchange Security team. Actually it was a lot of fun. I got to learn new concepts and think in ways I wasn't use to.

I attended a seminar on security from some outside guy. This was Bruce, he was definitely a geek, he knew what he was talking about. The best thing about him was that he dogged Microsoft - in their own house. I thought that was ballsy. I immediately became a fan, read his books and joined his monthly newsletter. I like how he explained security in his books. He took abstract security concepts and brought them down to every day tangible examples. The tell tale sign that someone really knows what their talking about is when they can break it down in terms that even a child can understand. Not that techno-babble speak we all hear from time to time.

So in the end, Microsoft can out a bit more secure. Some may debate to what extent though. I came out of this a bit wiser when it came to software testing. Identity management is a small slice of the security pie, and I would argue that not to understand the overall security implications undermine any IdM system.

Bruce has a monthly newsletter that I would recommend to everyone. http://www.schneier.com/crypto-gram.html. In this latest issue he talks about impersonation - very relevant to IdM. It can also be found here. There's been some talk lately about OpenID, I think the ability to validate one's ID will decide how viable OpenID will be.

Finally, more on the musings topic than IdM there's a great article on the NSA can be found here

No comments: