I'd like to thank Federico Biancuzzi for interviewing Marcus Ranum at SecurityFocus. The interview is brilliant in my opinion. Unfortunately, I learned of the interview by an ignorant Slashdot story that completely missed the points Marcus makes in the article. Can anyone recommend an alternative to Slashdot that has a lower number of idiotic stories, but still keeps up with technology current events?
Anyway, here is my favorite excerpt:
"Do you see any new, interesting, or promising path for network security?
Nope! I see very little that's new and even less that's interesting. The truth is that most of the problems in network security were fairly well-understood by the late 1980's. What's happening is that the same ideas keep cropping up over and over again in different forms. For example, how many times are we going to re-invent the idea of signature-based detection? Anti-virus, intrusion detection, intrusion prevention, deep packet inspection - they all do the same thing: try to enumerate all the bad things that can happen to a computer. It makes more sense to try to enumerate the good things that a computer should be allowed to do.
I believe we're making zero progress in computer security, and have been making zero progress for quite some time."
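To make the "enumerate badness" versus "enumerate goodness" contrast concrete, here is an added example that is not part of the interview or of this post. It runs two policies over a constructed list of process-launch events on a hypothetical build host: a denylist that blocks images it already knows about, and an allowlist that only permits image/parent pairs the host is expected to run. Every path and event in it is made up for illustration.

```python
"""Added example (not from the interview or the post): a denylist policy
("enumerate badness") beside an allowlist policy ("enumerate goodness"),
evaluated over constructed process-launch events. All paths and events
are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Launch:
    """A constructed process-launch event: the image that ran and its parent."""
    image: str
    parent: str


# Enumerate badness: the image names we happen to know about today.
KNOWN_BAD_IMAGES = {"/tmp/cryptominer", "/tmp/nc"}

# Enumerate goodness: the only (image, parent) pairs this hypothetical
# build host is expected to produce. Anything else is a deviation.
ALLOWED_LAUNCHES = {
    ("/usr/bin/bash", "/usr/sbin/sshd"),
    ("/usr/bin/make", "/usr/bin/bash"),
    ("/usr/bin/gcc", "/usr/bin/make"),
    ("/usr/bin/ld", "/usr/bin/gcc"),
}


def denylist_verdict(ev: Launch) -> str:
    """Block only if the image is on the list of known-bad names."""
    return "block" if ev.image in KNOWN_BAD_IMAGES else "allow"


def allowlist_verdict(ev: Launch) -> str:
    """Allow only if the exact image/parent pair is expected on this host."""
    return "allow" if (ev.image, ev.parent) in ALLOWED_LAUNCHES else "block"


# Constructed events: two normal build steps, one known-bad tool, the same
# tool renamed so no signature matches it, and a legitimate binary started
# from a parent that never launches it in normal operation.
EVENTS = [
    Launch("/usr/bin/make", "/usr/bin/bash"),
    Launch("/usr/bin/gcc", "/usr/bin/make"),
    Launch("/tmp/cryptominer", "/usr/bin/bash"),
    Launch("/tmp/build-helper", "/usr/bin/bash"),
    Launch("/usr/bin/bash", "/usr/bin/gcc"),
]


def compare(events):
    """Return (image, denylist verdict, allowlist verdict) for each event."""
    return [(ev.image, denylist_verdict(ev), allowlist_verdict(ev)) for ev in events]


if __name__ == "__main__":
    for image, deny, allow in compare(EVENTS):
        print(f"{image:20} denylist={deny:5} allowlist={allow}")
```

The renamed tool and the unexpected parent both sail through the denylist, because neither matches a name it was told about, while the allowlist flags them without knowing anything about the attacker. The trade-off is the allowlist's own failure mode: the moment the host legitimately needs a new compiler, that launch is blocked until someone adds it, so the list has to be maintained against the real baseline of the system rather than guessed.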
I highly recommend everyone read and ponder this interview.