From Security Weekly Wiki
# Given limited resources, which deserves the most focus for protection against attacks: commercial stores satisfying shoppers, infrastructure elements (gas, electricity, water, transportation, etc.), or the financial sector (banks, stock markets, etc.)?
# "Risk" has become a religion to some in the InfoSec community; many apply a balanced and pragmatic approach, but many seem to become statisticians instead of defenders. You've ruffled some feathers in the risk metrics crowd over this in the past. I would like to explore this with you a little, possibly discussing where risk analysis is valuable and where you see it coming up short.
# What is the current state of computer engineering talent in the US that can provide support for national security? What can we do to better develop this talent in the US?
# What is the lifetime of an encryption algorithm? Does it have a defined lifetime before you must work on an update or something completely different?
# We are not crypto or mathematics specialists, but the implications you've raised about quantum computing don't require a deep understanding of crypto to grasp: a loss of confidentiality is looming somewhere in the future, undoubtedly within the careers of some of our younger listeners (and possibly some not-so-young listeners).
# Your ideas on assurance, starting with defining what that means, and the implications of a lack of assurance in the modern landscape: you've written and spoken about this for years; do you see any progress in this?
# We often call people out for trying to create their own encryption algorithms. What are the major hurdles when creating such an algorithm?
# What do most people get wrong when it comes to implementation and encryption? It seems as though the math works, but someone always manages to mess up the implementation.
# Trust: you've spoken very clearly about the pitfalls of applying human concepts of trust to the realities of digital "trust". Could you elaborate on that a little for us?
# In a recent keynote you outlined some major problems facing the security industry and described the "bare minimum" approach to software design. However, how can companies sufficiently compete with each other and differentiate themselves from their competitors with simple or stripped-down designs? More importantly, how do we convince consumers of that approach?