Finger 79/tcp # dcox@bpointsys.com: Black and White

Dave G. | October 2nd, 2006 | Filed Under: Guests

Login: dcox                   Name: Dennis Cox
Org: Breakingpoint Systems    Title: Chief Technology Officer
Directory: /guests/dcox       Shell: /bin/ksh
On since Tue Sep 26 21:55:00 CDT from bpointsys.com
No Mail.
Plan:
----------------------------------
Views expressed by guest bloggers not necessarily those held by 
Matasano Chargen.

Black and White

Recently, an article entitled “Animal activists free 15,000 farmed fish to their deaths” by Valerie Elliot was published in the Times Online (UK). It’s a wonderful article (in fact, there was a SciFi movie about a similar topic in which everybody was turned into mad killer Zombies) stating that the Animal Liberation Front “freed” 15,000 halibut into the open ocean. All the halibut died.

This is a pretty standard phenomenon. If you are black and white in your beliefs you’re going to wind up killing a bunch of things.

As another example, let’s take a touchier subject - religion. Certain religions believe that if you don’t believe in “X”, you will not be saved. In addition, you must not be a very nice person, because all nice people believe in “X”. So if someone makes a joke about “X”, he must be evil, because “X” is great and no one should make fun of “X”. Solution? Kill everybody that doesn’t believe in “X”!

Black and White. It either is or isn’t.

The security industry is made up of quite a few folks who are what I consider Black and White people: people that believe in the darndest things! For example, take the recent bump key hype that finally made it to the media. The Security Expert on the news said “You shouldn’t bother locking your door because anybody could break in with no trouble at all”. What a black and white response, and what an idiot, I say! It is impossible to have a conversation (I define a conversation as “listening AND talking”) with someone that thinks in Black And White. Nothing is ever secure enough, so why bother securing at all, they argue. When I was working for TPTI I heard that all the time. Regarding blocking attacks: “Man, I can evade that stuff so easily. It can’t stop this or that.” And the recent full disclosure threads on anti-virus (granted, I personally think anti-virus is a joke), where signatures were bypassed with simple changes to case sensitivity, prove their point… The security folks are right - they are flawed, they are not perfect, and they don’t get you 100% protection.

That being said, it’s really about mitigating risk. A seat belt may or may not save your life, but it will increase the odds in most cases across the board. Sure, there is that one case in Montana back in 1982 where someone died because of a seatbelt (a B&W person will send me a link, I’m sure!), but generally the rule of thumb is that if you wear a seatbelt, you will have a better chance of survival and fewer major injuries in an accident.

If you use a Firewall, IPS, 802.1x (HUGE FAN!), or AntiVirus you may still get infected, and typically you, your network, and your computer will run a lot slower because of it. (Ugh!) But you will have a better chance of surviving the next worm. That’s what it is all about - it’s about staying alive and not about being perfect; survival of the fittest. Now, what’s the cost? If $$$ gives me a 40% better chance to survive versus $$$$ which gives me a 45% chance, is the higher cost worth it? That depends on your business, and it depends on your point of view.

So what’s the point of this rant? If you’re in security then you’re an influencer. I’ve been watching this trend for a while now, and you are most likely causing more problems than good. See, it’s that silly Black and White mentality that you have developed about security. Don’t misunderstand me - I’m all for calling out people’s security problems in their products. In fact, in my opinion it’s all fair to say as little or as much as you want in regards to marketing that is shady. HECK! Make a video, give no data, and make a big splash with the media all you want at a big security show. Make the whole thing like a bad TV show about people in an airplane crash stranded on an island. Let the mystery run on for months and months. What I dislike is people acting like Bruce Schneier, who I think of as the Rush Limbaugh of Security. Bruce talks about the TSA the same way that Rush talks about Ted Kennedy, bringing up 9/11 as often as Rush brings up Chappaquiddick. Writing about how insecure and bad things are - and how smart he is. How what we are doing is making the world a horrible place. Complaining about the insecurities of airport check-ins, telling everybody that it does more harm than good. Even though the TSA just found a woman with a loaded handgun trying to get on a plane the other day. People that spread that kind of message are causing people to IGNORE security - saying there is no hope at all (cause that’s the message you are giving them). Sadly, it’s a message that may actually be far worse than no message at all. Try solving some of the security problems - instead of just talking about how insecure things are.

Remember, if you free the farmed fish - they will most likely die in the open water. Not just one, but all of them. Best to think of another method. Oh, and when they all die, nobody will listen to you rant about squids.

20 Comments so far

  • Alex Holst

    October 2nd, 2006 12:47 pm

    your != you’re.

  • Dave G.

    October 2nd, 2006 1:24 pm

    fixed…

  • sam

    October 2nd, 2006 4:19 pm

    “This is a pretty standard phenomenon. If you are black and white in your beliefs you’re going to wind up killing a bunch of things.”

    It’s not holding to black-and-white ideology, but how we act on our ideology. The best thinking uses sharp distinctives, and is, as best as the thinker can manage, black-and-white. Sharing our world with others, we negotiate and adopt “grey” positions to function effectively. In this, I heartily agree.

    Shoot for the stars, land on the moon, but don’t crash back on earth.

    rolf @ the Schneier comments. :) Love ‘em.

  • MDF

    October 2nd, 2006 7:33 pm

    Call a spade a spade: this is fundamentalism. Crypto folks generally tend to be the worst – and the easiest to bait, which is good sport in and of itself for Godless security relativists.

    Another mantra of the security fundamentalist is the “false sense of security” argument.

  • Chris_B

    October 2nd, 2006 11:37 pm

    Poorly written and not very well thought out.

    BTW I read Schneier. I’m guessing you don’t manage to finish the articles.

    Anyways thanks for writing, now I have one less consultancy on my list.

  • Thomas Ptacek

    October 2nd, 2006 11:58 pm

    That’s unfortunate. I’m not sure if you noticed that we didn’t write this; the CTO of BreakingPoint did.

  • Thomas Ptacek

    October 3rd, 2006 12:02 am

    … though I wouldn’t want to give you the impression that we haven’t been critical of Schneier in the past.

  • Chris_B

    October 3rd, 2006 12:06 am

    TP, I didn’t think it was Matasano. The headers for the guest posts are pretty clear. No, Bruce S. isn’t right all the time, but the author of this post does not seem to have actually read any of Bruce S.’s commentary on the TSA in full, thus my comment.

  • Thomas Ptacek

    October 3rd, 2006 12:17 am

    Thanks for clearing that up.

    To be fair to Dennis, we promised to copyedit, and I dropped the ball on that.

    Dennis is making a bunch of points. I think I disagree with most of them. But I also think Dennis has earned the right to make them. You’re free to disagree with that as well.

    I feel like TippingPoint got hammered on evadeability and reliability back when Dennis was there. People like me definitely argued, repeatedly and in public, that the weakness of TPTI’s product was a reason not to deploy it at all. Probably an example of a “black and white” argument. As far as I’m concerned, some things are black and white. I’m not a big fan of “mitigating” risks that only apply to ignorant attackers, while leaving the door open to skilled ones.

    On the other hand, there’s a certain amount of security demagoguery that attaches to some security pundits. I think I’ve made my feelings on the TSA known, and they’re apparently nothing like Dennis’. But I’m not sure why the New York Times needs to be kept aware of Schneier’s musings on security. He’s not the only one who believes intelligence and emergency response are the correct responses to terrorism; apparently, all of Europe feels that way too.

    Also, pigs don’t kill more people than sharks.

  • Chris_B

    October 3rd, 2006 12:34 am

    Where I work I’ve argued against putting in snakeoil or borked products many times. I just can’t put my stamp of approval on something that’s going to degrade the network, not solve any security problems, but provide a false sense of security.

    You know one reason I like Schneier getting published in main stream media? His message of “security theater” is a good one, and it’s better that the pundit who speaks those words has a verifiable background in a slightly related area than just being a regular pundit, a salesperson of hot air.

  • foQ

    October 3rd, 2006 9:45 am

    Wow, you really let some people have it in that post. One thing I noticed is that you lambast the B&Ws for pointing to one incident somewhere that “proves” they’re right (the seatbelt incident), but then you go on to throw out your own anecdotal story in support of your point (the woman with a handgun). I believe that many of the TSA’s most recent steps are counterproductive to actual security, and are certainly counterproductive to public opinion. To quote from the securosis.com blog, “it’s our job as security experts to identify policies that don’t improve security but increase costs” (in a post regarding the TSA, coincidentally).

    In response to the comments, yes, I think Bruce Schneier does make some excellent points. But he uses FUD to try and sell them and that is only going to polarize people more. This is counterproductive if you want to change the policies. But if you want to stir up controversy (and business) it works well.

  • Doug W

    October 3rd, 2006 9:52 am

    I must agree with the reader(s) who found this to be a waste of bandwidth.

    Previously, I’ve pretty much really enjoyed everything I’ve seen here since I saw you all present at Black Hat and started reading this blog.

    This was a huge waste of space and wind-up to just take a whiny cheap shot at Schneier, and comes across as someone who skims his articles and then runs with the headlines they gleaned, rather than having any knowledge of the depth of his ideas.

    I don’t say this just because I’m a Schneier fan (though I am) — I’ve seen intelligent criticism of him before, and respect points when they are made.

    This just isn’t even close.

  • Thomas Ptacek

    October 3rd, 2006 10:06 am

    I could write another blog post on why Dennis Cox is someone you should pay attention to, even when he says things that I think you’re better off ignoring.

    Instead I’m just going to say: I am deadly serious about collecting guest posts. The people who have the biggest impact on the security “industry” don’t blog, so you don’t get to know them.

    Now you know a little bit more. =)

    I enjoy Schneier’s writing. I’m irritated by his inconsistent stance on disclosure. I’m skeptical about his contribution to cryptography relative to his reputation. I’m in the camp that thinks “Applied Cryptography” did more harm than good. Schneier also seems to be in that camp. I _love_ “Practical Cryptography”, which Schneier co-wrote. And I have very little regard for his running “homeland security” commentary. What has Schneier done compared to Avi Rubin and Ed Felten?

  • Thomas Ptacek

    October 3rd, 2006 10:09 am

    … one more thing: if Dennis Cox provoked you enough to comment — especially if you’ve never commented before — mission accomplished! I promise he’s reading these comments. Tear his post up!

  • Chris_B

    October 3rd, 2006 6:44 pm

    “I’m irritated by his inconsistent stance on disclosure.”

    Well, this is definitely one B&W issue with a lot of shades of gray. OT1H we have the way Matasano handles disclosure, OTOH we have SecureWorks & legions of script kiddies. Etc. &nasium.

    “What has Schneier done compared to Avi Rubin and Ed Felten?”

    Publish. A lot. There’s a fistful of guys like Avi Rubin & Ed Felten (Ross Anderson comes to mind) who do very good work that does not get publicized outside of “the community”. You are essentially asking of Schneier, “what have you done for me lately?” in terms of technical security work, and the answer really is not a lot. It’s been years since he did the nose to the grindstone stuff, it seems. However, he does seem to be good at writing, speaking in public and being a face to the outside world.

    Lots of people laugh at that sort of work, but it’s a required role if security people want to be treated as professionals and not just dateless teenaged wonderkids and academics. Someone has to face the outside world and talk about the issues we deal with on the inside. Seems Schneier volunteered. A lot of people here may say that “someone else” would be better, but I don’t see too many others stepping up to the plate.

  • Thomas Ptacek

    October 3rd, 2006 7:07 pm

    The inconsistency I’m referring to is not that some people handle disclosure like us (conservatively) and others publish exploits on stage at Toorcon. The inconsistency is it seems like when Schneier knows someone personally, or has a generally favorable view of them, their disclosure is good; when it’s someone like eEye, it’s a publicity attack.

    That’s indefensible.

    You obviously pay attention to Schneier. If there’s one problem I do not have, it’s admitting when I’m wrong. What work has Schneier published that we’ve built on? You’d be doing me a favor to lay that out for me and I’ll thank you for it.

  • Chris_B

    October 3rd, 2006 9:42 pm

    Good point on personal issues. I haven’t noticed it, but I’ll keep my eyes open for it.

    I don’t really get your point with the second question. I wasn’t writing with Matasano specifically in mind, but more generally.

    FWIW I try to read as much “security” related things in main stream as I can so I have a sense of how we are perceived.

  • Thomas Ptacek

    October 3rd, 2006 10:43 pm

    Honestly, I mean things he’s done with lasting impact in general. Besides Blowfish and Twofish, which even he recommends against using.

  • Chris_B

    October 3rd, 2006 11:02 pm

    I addressed that with “in terms of technical security work, and the answer really is not a lot. It’s been years since he did the nose to the grindstone stuff, it seems.” Did I miss something?

  • jimmythegeek

    October 16th, 2006 8:24 pm

    Anybody seen Marty Roesch’s post on security theater? I find it hilarious.

    http://securitysauce.blogspot.com/

    Me: “Just so I’m clear, if I put that shaving creme in a clear plastic 1-quart zip-loc baggie that would have been fine?”

    TSA guy: “Uh, yeah.”

    I made eye contact with him, shaking my head, and he looked back at me for a couple of seconds before he cracked a sheepish grin.
