What do you think of the skills gap in the United States? How dire is it?
In the security domain alone, there is a forecast that we will be short almost 50,000 security professionals -- to build the right products, to be the practitioners, to serve as the teachers and professors -- over the course of the next five years. If we don't do something about it, if we don't create awareness programmes, if industry doesn't step up to see how we can fund university initiatives, if the government doesn't pitch in -- this is a better use of the government's time than screwing around with spam. We will be facing a big problem.
There's an argument floating about that companies can better insulate themselves from attacks by deploying heterogeneous environments -- Windows plus Linux, etc. Will this help, or will the managerial headaches outweigh the gains?
I think that enterprises already run a heterogeneous environment. Does it help security? I don't know if it does, but I don't know that it doesn't, either. Security is a process. As you introduce new technologies into that environment, you need to embrace and protect it, as you do the current infrastructure.
Too many people may be putting too much emphasis on "Is Linux more secure?" The issue in my mind isn't that; it is "Is it a more cost-effective infrastructure than the alternative?" That is the reason you make the decision.
The minute the Linux environment becomes as target-rich as the Windows environment, people will find ways to crack it. Why would you spend all your energy trying to attack a desktop system in limited use?
On spam, you suggested that carriers could solve the problem by charging spammers to carry their messages. How come they aren't doing that?
I don't know. I think you have to ask them what their motivation is for not making the necessary changes for controlling the flow of this stuff. If you think about it, computers started out with a very simple task: to count. That's all they did. So, if they did it 50 years ago, why can't they count today how many mail messages come from your mailbox or your identification? I can simply count how many mail messages your ID sends out and say, "Whoops, you've just exceeded the limit" and shut it down. Simple. Why they won't do it I don't know.
I agree that the antispam legislation is going to be fairly unenforceable, but wouldn't a carrier payment system require some sort of regulation so that a lowest-common-denominator carrier doesn't decide to carry it free?
Well, at some point somewhere in the network, a piece of traffic flows through where it can be blocked. The Internet is a network of networks, so somewhere along the way, someone can detect a flood of traffic coming from one place. All I am suggesting is this: Why use regulation for something that is almost unenforceable? Why don't we as an industry look to see if we are contributing to the problem in some way and see what we can do to stop it?