
October 12, 2007

Silver Bullet Security Considered Harmful

In the comment discussion about Linus's schedulers vs. security polemic, Iang mentioned a paper he's writing:
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.

The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.

What to do?


August 27, 2007

Outrage at Outrage Management


So we were discussing Peter Sandman's recommendations for outrage management, which mostly concern how to deal with management not doing something you have given them rational reasons to do, because of some emotional resistance or other. The opposite problem also occurs: they believe you; they just don't care. Then you could use some outrage.

Alex brings up two good points in the previous comments:

I'm afraid that outside of usefulness in those communications channels, I just would hesitate to use the term "Outrage". For example, creating "Outrage" metrics sounds like you're working in Hollywood publicity for Paris Hilton, not protecting business assets. :)

Yes, exactly: it is in those communication channels, that is, with management, that emotion, up to and including outrage, has to be used and managed.


August 24, 2007

Non-Asymmetric Malware


Most exploits through the Internet have been relatively small players (individuals, gangs, etc.) against big companies and governments. Yet the attackers already use botnets to multiply their reach. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn't clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don't. Now the bad guys can extend that leverage by also using local wireless connections to interconnect further.

Did we need more proof that there's no such thing as a perimeter to fortify anymore?

-jsq
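The scenarios Danchev lists all leave traces on the infected host itself: a burst of WiFi scans, an association to a network the organization never approved, or an interface flipped into monitor or ad-hoc mode. The following detector is an added example, not code from this post or from Danchev's article. It runs a few rules over constructed endpoint syslog lines; the host names, the SSID allowlist and the log line formats (which only approximate wpa_supplicant and kernel messages) are assumptions made for illustration, not captured data.

```python
import re
from collections import Counter

# Constructed sample data (hypothetical): syslog lines from three endpoints
# inside the organization. host-a behaves normally; host-b scans repeatedly and
# joins a stranger's access point; host-c puts its radio into monitor mode.
APPROVED_SSIDS = {"CORP-WLAN", "CORP-GUEST"}

SAMPLE_LOGS = """\
host-a wpa_supplicant[812]: wlan0: CTRL-EVENT-SCAN-RESULTS
host-a wpa_supplicant[812]: wlan0: Trying to associate with SSID 'CORP-WLAN'
host-a wpa_supplicant[812]: wlan0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed
host-b wpa_supplicant[931]: wlan0: CTRL-EVENT-SCAN-RESULTS
host-b wpa_supplicant[931]: wlan0: CTRL-EVENT-SCAN-RESULTS
host-b wpa_supplicant[931]: wlan0: CTRL-EVENT-SCAN-RESULTS
host-b wpa_supplicant[931]: wlan0: CTRL-EVENT-SCAN-RESULTS
host-b wpa_supplicant[931]: wlan0: Trying to associate with SSID 'linksys'
host-c kernel: wlan0: type changed to monitor
host-c wpa_supplicant[1044]: wlan0: Trying to associate with SSID 'CORP-GUEST'
"""

# Line patterns. The first two approximate real wpa_supplicant messages; the
# third is an assumed kernel message format used only for this example.
SCAN_RE = re.compile(r"^(?P<host>\S+) .*CTRL-EVENT-SCAN-RESULTS")
ASSOC_RE = re.compile(r"^(?P<host>\S+) .*Trying to associate with SSID '(?P<ssid>[^']*)'")
MODE_RE = re.compile(
    r"^(?P<host>\S+) kernel: (?P<iface>\w+): type changed to (?P<mode>monitor|ibss|adhoc)",
    re.IGNORECASE,
)


def analyze(log_text, approved_ssids=APPROVED_SSIDS, scan_threshold=3):
    """Return a sorted list of (host, finding) tuples.

    Three rules, one per scenario in the quoted list:
      1. association to an SSID outside the allowlist (wardriving zombie
         joining whatever is in range);
      2. more than scan_threshold scan events from one host (mapping the
         surrounding WiFi population);
      3. an interface switched to monitor/ad-hoc mode (radio used as a
         sniffer or as a side channel to another bot).
    """
    findings = set()
    scans = Counter()
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            scans[m["host"]] += 1
            continue
        m = ASSOC_RE.match(line)
        if m and m["ssid"] not in approved_ssids:
            findings.add((m["host"], f"joined unapproved SSID {m['ssid']!r}"))
            continue
        m = MODE_RE.match(line)
        if m:
            findings.add((m["host"], f"{m['iface']} switched to {m['mode'].lower()} mode"))
    for host, count in scans.items():
        if count > scan_threshold:
            findings.add((host, f"{count} scans, above threshold {scan_threshold}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOGS):
        print(f"{host}: {finding}")
```

The scan threshold is deliberately a parameter: a laptop carried through a building will legitimately produce a few scans, so the value has to be tuned against a baseline from clean hosts before the rule is worth paging anyone over. The allowlist rule is the one that pays off first, since a desktop that suddenly associates with a neighbour's access point has no innocent explanation.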

August 14, 2007

Outrage Considered Useful

There's a bit of comment discussion going on in Metricon Slides, and Viewed as PR about counting vs. selling, in which the major point of agreement seems to be that even at a metrics conference there weren't a lot of metrics presented that were strategic and business-like.

Let's assume for a moment that we have such metrics, and listen to Peter Sandman, whose website motto is Risk = Hazard + Outrage:

Sometimes, of course, senior management is as determined as you are to take safety seriously. And sometimes when it’s not, its reservations are sound: The risk is smaller than you’re claiming, or the evidence is weak, or the precautions are untested or too expensive. But what’s going on when a senior manager nixes your risk reduction recommendation even though you can prove that it’s cost-effective, a good business decision? Assume the boss isn’t too stupid to get it. If the evidence clearly supports the precautions you’re urging, and the boss isn’t dumb, why might the boss nonetheless have trouble assessing the evidence properly?

As a rule, when smart people act stupid, something emotional is usually getting in the way. I use the term “outrage” for the various emotion-laden factors that influence how we see risk. Whether or not a risk is actually dangerous, for example, we are all likely to react strongly if the risk is unfamiliar and unfair, and if the people behind it are untrustworthy and unresponsive. Factors like these, not the technical risk data, pretty much determine our response. Risk perception researchers can list the “outrage factors” that make people get upset about a risk even if it’s not very serious.

The Boss’s Outrage (Part I): Talking with Top Management about Safety by Peter M. Sandman, The Peter Sandman Risk Communication Web Site, 7 January 2007

He goes on to outline several reasons management might get upset.


July 27, 2007

Interactive Fact

William Gibson talking about a shoe that appears in his latest novel, Spook Country:
Wired: One of the details that leaped out at me was the Adidas GSG9, named for the German counterterrorism squad. I felt certain you'd invented the shoe, but then I Googled it.

Gibson: The Adidas GSG9s were the obvious choice for the thinking man's ninja. Nothing I could make up could resonate in the same way. There's code in name-checking the GSG9 history — esoteric meaning. Something that started with Pattern Recognition was that I discovered I could Google the world of the novel. I began to regard it as a sort of extended text — hypertext pages hovering just outside the printed page. There have been threads on my Web site — readers Googling and finding my footprints. I still get people asking me about "the possibilities of interactive fiction," and they seem to have no clue how we're already so there.

Q&A: William Gibson Discusses Spook Country and Interactive Fiction, Warren Ellis, Wired, 07.24.07, 2:00 AM

So true.

And not just for fiction. As blogs and the Daily Show have made clear, it's silly for any political candidate or appointee to think any longer that they can lie on video or on the witness stand about documented facts, because it's getting easier all the time to just google them. As YouTube has already demonstrated, such interactive reality can tip elections.

I wonder if this has anything to do with why some big companies are working on suppressing the Internet and Google has put its money where its mouth is in promoting open access.

-jsq

June 22, 2007

Wildfire Myopia

It looks like technological security isn't the only kind disorganized in government. The latest GAO report about wildfires seems like more smoke than fire:

This testimony summarizes several key actions that federal agencies need to complete or take to strengthen their management of the wildland fire program, including the need to (1) develop a long-term, cohesive strategy to reduce fuels and address wildland fire problems and (2) improve the management of their efforts to contain the costs of preparing for and responding to wildland fires.

...

For cost-containment efforts to be effective, the agencies need to integrate cost-containment goals with the other goals of the wildland fire program--such as protecting life, resources, and property--and to recognize that trade-offs will be needed to meet desired goals within the context of fiscal constraints.

Wildland Fire Management: A Cohesive Strategy and Clear Cost-Containment Goals Are Needed for Federal Agencies to Manage Wildland Fire Activities Effectively, GAO-07-1017T, U.S. Government Accountability Office, June 19, 2007

How about a strategy for integrating wildfire planning into subdivision planning, or cost allocations from homeowner wildfire insurance?


June 20, 2007

FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

Q&A: Federal info security isn't just about FISMA compliance, auditor says. Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan, Computerworld, June 14, 2007

Sounds like they haven't implemented numerous simple security measures that were known before FISMA, they don't have processes to do so, and they don't adequately report what they're doing, even with FISMA. What to do?
