From access control to accountability

In the physical world we rely on eyewitnesses and, increasingly, especially in Britain, on cameras. In the virtual world, according to Dan Geer, we're now approaching a critical fork in the road: "To the left, we surveil people. To the right, we surveil data. I'm arguing for data-level file-tracking because if I have to surveil either people or data, I think it's highly important that we choose to surveil the data, not the people." [Full story at]
In this column I mention an audio interview with Dan Geer. It's full of unique insights. Listen, for example, to this clip (2 min, mp3), on the value of cross-disciplinary knowledge. Here's part of it:

Everybody who is a leader in the security field today came at it from some other field, because when we all started, you couldn't get trained for this formally.
Right now, if we want to extract knowledge, skill, method, technique, you name it, from other fields, this is our last best chance.
We do not have time to invent everything we need in security from scratch. We have to steal it from every other field that has something worth stealing.
It's a great point. There's clearly a need to professionalize computer and network security. Companies today have to train new engineers in best security practices (threat modeling, attack surface area reduction) that should be taught in school but aren't. But since the most dangerous attackers are out-of-the-box thinkers, it seems reasonable to suppose that intellectual diversity is an important defense.

