I first met Dan Geer 10 years ago, after he debated Microsoft's Scott Charney on the "Microsoft Monoculture" at a USENIX event in Boston. I was just starting to write about security and the man intimidated me. His intellect and speaking style were light years beyond anything I had comprehended before. As a news reporter, you talk to a lot of police officers, firefighters and politicians who speak in plain, familiar terms. Dan Geer was something else entirely.
of In-Q-Tel, the strategic investment partner of the U.S. intelligence community, Geer will speak at BSides Boston Saturday. He'll focus on Heartbleed.
Many times when Geer is scheduled to speak at a conference, no one really knows what he'll focus on. He climbs on stage with handwritten notes and without slides. And he never disappoints. If anyone has ever felt let down after a Geer talk, I haven't met them, anyway.
This time, we know what he'll be talking about. He wrote about it in the Lawfare blog a couple of weeks ago.
Here, he sticks to a theme he's focused on consistently -- that the biggest threat to security is complexity. Heartbleed itself is a simple vulnerability, he notes. But the systems affected are anything but simple. From his post:
The Heartbleed problem can be blamed on complexity; all Internet standards become festooned with complicating option sets that no one person can know in their entirety. The Heartbleed problem can be blamed on insufficient investment; safety review for open source code is rarely funded, nor sustainable when it is. The Heartbleed problem can be blamed on poor planning; wide deployment within critical functions but without any repair regime.
Geer will discuss his thoughts in greater detail on stage with BSides Boston organizer Roy Wattanasin.
I'm looking forward to this talk. I'm even going to bring my sons along to hear it.