Analogue Network Security

Sign Up to be Notified for the Release of Analogue Network Security!

Winn’s new book is coming soon!

Just enter your email address below (fake, real, doesn’t matter — just needs to reach you), and when Analogue Network Security is ready for you, we’ll send you the info and links. You’ll find out in advance, and your copy will be signed.

We really won’t sell or abuse your email, either. In fact, we solemnly swear that once the book is available for order, we will send you only 2 emails:

  1. To notify you that it’s ready, and to direct you to a shopping cart.
  2. A follow-up a few weeks later, to beg you to buy a copy.

Then we shred the list! Simple as that. Anything else is just plain rude.


In 1972, the Anderson reference monitor security model was introduced. It is still fundamentally how information security is implemented: with a static fortress mentality. Along came Bell-LaPadula and Biba a few years later, with some enhancements, notably for MLS, multi-level security systems.

In 1987, the U.S. Department of Defense published the Red Book, the Network Interpretation of the lauded 1983-85 Orange Book that set forth many of the principles for information security. The results were, essentially, ‘we have no earthly idea how to secure a network.’

Today, we assume our networks are ‘Pwn3d’ – already infiltrated by hostiles.

We ‘know’ that by adding more technology, our security problems will go away. We think of ‘the network’ as a single ‘thing’ and attempt to protect it as such. It isn’t and we can’t.

TCP/IP. It was just an experiment. Today, it is the inter-infrastructural foundation of civilization. The internet of things is adding so-called intelligence to some 50+ billion endpoints and trillions of sensors. Where’s the security? The privacy?

Massive new projects, using “next generation” products, from quarterly profit incensed vendors, promise the same old stuff all over again. The ultimate déjà vu epic fail of security.

Is this any way to run a planet?

C’mon, fifty years of practice and we’re still…? Well, screw it. You’ll see.

I got to thinking.

Security requires a single, interdisciplinary metric for the cyber, physical and human domains. Digital is not binary.

Then things fell into place. I have a few ideas I’d like to share.