Do we suck?
Thomas Ptacek | May 11th, 2006 | Filed Under: Industry Punditry, Uncategorized
Would you buy a used PIX from a reseller run by a “security expert” who:
Believes Anti-Spyware is a total failure because a report from 2004 said Giant missed 34 registry settings.
Believes Phishing would be solved if banks just required SSL at login.
Believes the CSI is the FBI. Believes $135MM of stated losses due to breaches can be extrapolated to $62Bn a year (and then later states that internal breaches alone cost $400Bn, or ~5% of US national income). Can’t work out that dividing the $42MM of claimed losses due to viruses by 1735 affected survey respondents gives an average dollar cost equal to less than 1/3rd of an IT support technician’s fully burdened cost.
Just figured out that signatures don’t work, and, presumably, that Geritol doesn’t cure tired blood.
Confuses web site defacements with web application vulnerabilities.
Is concerned by the “over 6000 variants of Agobot”, and, one hopes, the 4 of them that actually matter.
Says passwords are bad — so bad that it doesn’t matter if you use passwords, because cybercriminals bypass authentication anyways.
Believes that “There were only 7 days in 2004 without an unpatched publicly disclosed security hole” is a meaningful statistic; evidently doesn’t read Freshmeat closely enough to get that number down to 1.
Thinks WEP attacks imperil the Internet.
Also, mobile viruses.
And Yetis.
Did I mention that he believes “internal attacks” cost U.S. business 400Bn a year?
$400 billion.
Thinks the DES cracker “cracked” DES, and that’s why we have AES. Except he doesn’t know what AES is, because he thinks MD5 and SHA-1 attacks are the reason we need a new “encryption standard”.
Normally, I wouldn’t be childish and petty enough to point-by-point something like this (oh, who the fuck am I kidding?). But this thing got coverage; in Slashdot (+5 zeitgeist summary: all Microsoft’s fault — no, really), and on Reddit, and ComputerWorld, and Rothman’s blog, and — damn you Vivica Security! Damn you to hell!
And I will never ever ever ever write a song about Sibbie!


Dominic White's .tHE pRODUCT
May 11th, 2006 3:53 am
Adjective Absurdity: The Complete, Unquestionable and Total failure of Dodgy Statistics
Noam Epple of Vivica Information Security Inc. believes the info sec community has failed. Understandably, I take issue with this. Thomas Ptacek has a nice reply which highlights the mistake Noam has made: You can’t look at every problem and claim t…
Mike Rothman
May 11th, 2006 7:01 am
To be clear, all the coverage I read (including my own) was focused on calling bunk on this guy. Maybe we should have just buried it and let it pass, but that’s not my style. If someone says something stupid, I need to call that out.
I’m not sure whether this guy was trying to drive business his way or what, but let’s see what he says the solution is - if his next post ever materializes. That will be very interesting.
Thomas Ptacek
May 11th, 2006 9:38 am
Presumably, his solution will eliminate spyware, end viruses, turn SSL on for bank logins, kill bugs, repair vandalized websites, substantially reduce the number of Agobot variants, do whatever it was he was talking about regarding passwords, WPA-enable my Airport, and send me a check for 1-300MM’th of $400Bn, apparently by replacing MD5 with a new encryption standard.
I can’t wait!
Stiennon
May 11th, 2006 9:46 am
While I love your critique of Noam’s security failure diatribe, I still think we should cut him some slack. I much prefer his message to the message that “it’s over, security is solved, time to move on” that seems to be getting coverage in some circles.
My way of thinking goes like this:
Yes, the threats are real and growing. While if you do nothing to protect yourself you are toast, there are many things you can do to actually be “secure enough”.
Dave G.
May 11th, 2006 2:40 pm
Stiennon:
I agree with thinking about security in practical terms, which is exactly why I think Noam shouldn’t be cut any slack. His message is the other extreme of the ’security is solved’ camp. I think alarmist messages being driven by an incomplete understanding of both security and associated statistics is only harmful. Some of his points are valid; unfortunately, they are poorly backed up. Other points aren’t so valid and are made by showing a single bad example and extrapolating that to an entire industry.
Finally, he falls into the biggest trap of security professionals: Can find problems easily, solutions… not so much.
Noam
May 11th, 2006 7:23 pm
Hi, my name is Noam - yes, *that* Noam.
I do appreciate your feedback and comments - even though I don’t obviously agree with all of it. If you are going to write a strongly worded article saying that the security industry is failing, you are obviously going to get some strong feedback. I completely expected that. Thankfully, the vast majority of it has been positive.
While you take issue with many of the statistics in the article, I am not the one making those claims - I link directly to the source or original study where appropriate. For example, you say that I, “state that internal breaches alone cost $400Bn”. I do not make this claim. The article states that this figure is, “according to a national fraud survey conducted by The Association of Certified Fraud Examiners”. I even provide a link with details on the original survey. If you have an issue with the figure, you need to take up those issues with The Association of Certified Fraud Examiners, not blame me for mentioning their survey and results!
You also misrepresent what I say. You say I, “believes Anti-Spyware is a total failure because a report from 2004 said Giant missed 34 registry settings.” What I actually say is, “Eric Howes, a renowned security researcher at the University of Illinois at Urbana-Champaign, found that many of the best-performing anti-spyware scanner ‘fail miserably’ when it comes to removing spyware from infected computers, with some missing up to 25% percent of the critical files and registry entries installed by the malicious programs.”
The article is a response to the attitude that these daily threats and massive security breaches are, “normal” and “business as usual” and “just the way things are”.
Basically what I am saying is that things are very bad at the moment. I don’t think anyone can disagree with that. And I am saying that there needs to be more discussion on solving these issues. And I don’t think that is such a terrible thing to say.
Thomas Ptacek
May 11th, 2006 10:46 pm
I’m glad you can handle blunt criticism.
I have two questions.
1. Without the statistics, does your essay say anything?
2. Is it possible that the only difference between what you said about the Howes Spyware report and what I said is that I actually read the report?
Dr. Strangelove
May 12th, 2006 11:48 am
“The article is a response to the attitude that these daily threats and massive security breaches are, “normal” and “business as usual” and “just the way things are”.”
If this were the case:
1. Why are Technology Executives still spending millions annually on security solutions?
2. Why are Managed Security Solutions companies still in business?
3. Why are firewalls, and anti-virus software, still being deployed (at a cost of millions annually, see item 1)?
4. Why are Security Conferences still generating fairly decent profit margins?
5. Why haven’t I been a victim of identity theft yet?
6. Why do I still have a job?
Mike Shtupp
May 12th, 2006 1:37 pm
http://www.vivica.ca/images/header_r1_c15.gif
makes it all better
Thomas Ptacek
May 12th, 2006 2:52 pm
You could argue that enterprises spend the minimum required to avoid formal and informal liability, but are either unwilling or unable to invest in real solutions (which may or may not be available — I’m waiting for Noam’s MD6).
Chris Walsh
May 12th, 2006 3:00 pm
“I didn’t say it, the National Council of Fraud Examiners did”
Sure, but you don’t need to unquestioningly swallow everything you read. Part of the practitioner’s job is to weigh the evidence and arrive at a considered judgment. The AFCE Report to the Nation (in 1996) said that insider losses amounted to 6% of corporate revenue (http://www.acfe.com/fraud/view.asp?ArticleID=9), but unless your post has been changed, or I missed a link in it, you do not link to that (or any) AFCE data.
Note, BTW, that the report I referenced isn’t limited to insider thefts that infosec can do much about (it included inventory shrink, stealing paper clips, bid-rigging, and the like). In short, this data source drastically overestimates the size of the “infosec problem”; and your reliance on it (if indeed, this is your source) is unwarranted.
Diago Mare
December 28th, 2006 9:48 am
The author has posted a follow-up:
“Community Comments & Feedback to Security Absurdity Article - the Good, the Bad and the Ugly.”
http://www.securityabsurdity.com/comments.php