This page contains all of the posts and discussion on MemeStreams referencing the following web page: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.

Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by noteworthy at 12:41 pm EST, Nov 29, 2006

A long-overdue wake up call for the information security community.

This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.


 
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Decius at 2:53 pm EST, Nov 30, 2006

noteworthy wrote:

A long-overdue wake up call for the information security community.

This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.

I wrote up a long response to this yesterday and unfortunately I managed to accidentally kill the browser window. Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

Clearly, we have failed to solve the problem of disease! Healthcare professionals are responsible! They are complacent and lazy! Look at all the health problems we face! AIDS, Cancer, Heart Disease, Lung Disease, Polio, Black Death, the Flu! Look at all these poor people who have been impacted by these diseases! We're one random mutation away from a flu virus that will wipe out all of humanity! And the CDC has the audacity to not be in a permanent state of emergency! Why? Diseases are out evolving our protections and healthcare is inaccessible!

Would you take this article seriously? Would you agree that the entire healthcare industry is a failure? Would you stop going to the doctor because you figure it's a big waste of time? Would you get mad at your doctor for being a complacent member of the healthcare industry?

In fact, there have been significant improvements in the state of the technical situation, due to things like more vulnerability research, automated patching, IPS technology, and exploit protection technologies. A vast number of problems have been solved. DOS attacks are much harder than they used to be. Worms don't propagate as well as they used to. Most modern attacks cannot be targeted. Trying to entice people to click on your evil web page is harder than owning their network directly. The directed attacks we see today are very sophisticated. Compare the complexity of the most recent sendmail bug to bugs in sendmail 10 years ago.

We're not done yet, but it's ignorant to argue that nothing substantial has been accomplished.

Attacks are up because there are more financial motivations today than there were 5 years ago, despite the fact that it's harder to perform attacks than it was 5 years ago. Computer security professionals will never "solve" crime because it's not a technical problem and it doesn't have a "solution." With respect to things like phishing attacks and consensually installed spyware, computer security professionals also cannot fix the reality that a fool and his money are easily parted.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas, it's not true, and it's not useful.


  
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by k at 4:58 pm EST, Nov 30, 2006

[ Well, that's fair.

I would point out though that the flaw in your analogy is that people have a perception that health care is improving, in real terms, supported by proof in the form of people actually living longer. People do not have a perception that computer security is improving. Now, I suppose it's possible that the "it's getting worse!" meme is a construction of bored tech writers, but at the same time, I personally see more spam in my mailbox and on my blog than I did once.

Still, your analogy does bring up one interesting comparison. Everyone knows that to keep your body healthy, you have to eat right, wash your hands, exercise, and so forth. Computers are now a measurable fraction as complex as human bodies, and so the same kind of effort needs to be put into their health.

Of course, lots of people don't put that much effort into their actual bodies, so it's pretty unlikely they'll put it into keeping their system running smoothly. Add to that that people think of the computer as an appliance -- in many cases, a truly *magical* appliance, in the sense that it is, to them, beyond comprehension -- and the probability goes even lower. So perhaps computer security professionals face an even more daunting task than health care professionals, in some ways.

Or maybe it really is just a matter of perception. Maybe things are getting better.

Truthfully, I was more interested in the not-yet-published Part 2 of this article, in which possible solutions are proposed. You seem to believe they won't be particularly insightful.

Still, a lot of noteworthy people seem to have responded positively to the article, so I can't dismiss it completely, even if his hyperbole is a turnoff. -k]


   
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Decius at 10:56 am EST, Dec 1, 2006

k wrote:
[ I would point out though that the flaw in your analogy is that people have a perception that health care is improving, in real terms, supported by proof in the form of people actually living longer... I personally see more spam in my mailbox and on my blog than I did once.]

I certainly get less spam than I did 4 years ago. 4 years ago I wasn't using spam filtering software. Spam filtering software is an improvement. I wish I had never needed to use spam filtering software, and so maybe people blame the computer security industry for the rise of spam, but that's not really fair. The computer security industry didn't create SMTP nor did they create the financial motivations of spammers. There is a silver bullet for email spam, and it's not accepting email from people who have never emailed you before and won't perform an interactivity test. Software that does that is available, but it's extremely unpopular. Almost no one is willing to employ that solution because they'd rather have the spam than make someone who wants to email them jump through one authentication loop once. That's not the computer security industry's fault either.

I listed a number of improvements in other areas in my post. There have been substantial improvements in literally every area that this guy listed in his original commentary. I could sit down and write a post that refutes nearly every point he makes... I could document every case where he is being intentionally misleading, such as when he includes a screenshot from a joke that involved installing every commercial web browser toolbar at the same time, and he captions it with "the average persons computer is crawling with spyware," or when he deliberately mischaracterizes the purpose of Internet "threat level" meters. But, frankly, I've got better things to do...

Truthfully, I was more interested in the not-yet-published Part 2 of this article, in which possible solutions are proposed. You seem to believe they won't be particularly insightful.

I seriously doubt they'll be interesting. In the followup posted so far this guy lists the people who agree with him as "the good" and the people who don't as "the bad, and the ugly." Seems like the sort of thing you'd see in a book by a political pundit.


  
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by noteworthy at 8:29 pm EST, Nov 30, 2006

Decius wrote:

Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

I had a similar reaction. This article reached me by word of mouth; a colleague brought it up in the browser to show me, and before we'd paged past the first screenful, my reaction was, "so what's this guy selling?" My analogy was to "peace", which I still prefer to the "disease" analogy, for some of the reasons k pointed out, and for others, but your riff does illustrate how easily criticism slips into hyperbole.

Computer security professionals will never "solve" crime because it's not a technical problem and it doesn't have a "solution."

This observation dovetails nicely with my "peace" analogy.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas, it's not true, and it's not useful.

So, this guy doesn't have the new ideas. One might conclude the supporters are just jumping on the bandwagon because it makes good press. It might be insightful to survey the reactions and see how they split between "yeah, what he said!" and "here's an idea."

Naturally the as-yet-unpublished Part II is where the author swoops in to save the day with his ingenious "solution."

My sense is that this article follows a common dialectical analytical pattern; I am reminded of Nicholas Carr's "IT Doesn't Matter" from 2003, although this security piece is not as well crafted. Previous Memestreams references to the Carr piece: 1, 2, 3, 4.


  
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Shannon at 6:07 pm EST, Dec 1, 2006

Healthcare is different because when someone's health is flawed, they can't be returned to the manufacturer. Parents, even in such cases where careful planning was involved, almost never have control over how their offspring's body will function. Technology on the other hand is engineered through conscious decision making. So, even though all the meticulous planning in the world will not create perfection, there will always be someone to blame. Health Care and disease prevention fall in the category of enhancing and improving upon nature. Security is about fixing and finding someone's mistakes and bandaging the ones which can't. Man did not build nature. After all, gods can't be expected to be perfect, that's why we build machines.

Decius wrote:

I wrote up a long response to this yesterday and unfortunately I managed to accidentally kill the browser window. Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

Clearly, we have failed to solve the problem of disease! Healthcare professionals are responsible! They are complacent and lazy! Look at all the health problems we face! AIDS, Cancer, Heart Disease, Lung Disease, Polio, Black Death, the Flu! Look at all these poor people who have been impacted by these diseases! We're one random mutation away from a flu virus that will wipe out all of humanity! And the CDC has the audacity to not be in a permanent state of emergency! Why? Diseases are out evolving our protections and healthcare is inaccessible!

Would you take this article seriously? Would you agree that the entire healthcare industry is a failure? Would you stop going to the doctor because you figure it's a big waste of time? Would you get mad at your doctor for being a complacent member of the healthcare industry?

In fact, there have been significant improvements in the state of the technical situation, due to things like more vulnerability research, automated patching, IPS technology, and exploit protection technologies. A vast number of problems have been solved. DOS attacks are much harder than they used to be. Worms don't propagate as well as they used to. Most modern attacks cannot be targeted. Trying to entice people to click on your evil web page is harder than owning their network directly. The directed attacks we see today are very sophisticated. Compare the complexity of the most recent sendmail bug to bugs in sendmail 10 years ago.

We're not done yet, but it's ignorant to argue that nothing substantial has been accomplished.

Attacks are up because there are more financial motivations today than there were 5 years ago, despite the fact that it's harder to perform attacks than it was 5 years ago. Computer security professionals will never "solve" crime because it's not a technical problem and it doesn't have a "solution." With respect to things like phishing attacks and consensually installed spyware, computer security professionals also cannot fix the reality that a fool and his money are easily parted.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas, it's not true, and it's not useful.


   
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Decius at 6:52 pm EST, Dec 1, 2006

terratogen wrote:
Health Care and disease prevention fall in the category of enhancing and improving upon nature. Security is about fixing and finding someone's mistakes and bandaging the ones which can't. Man did not build nature. After all, gods can't be expected to be perfect, that's why we build machines.

You can say the same thing about cities. The issue is the complexity of the issue and not the origin of the problem...


    
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Shannon at 6:57 pm EST, Dec 1, 2006

Decius wrote:

terratogen wrote:
Health Care and disease prevention fall in the category of enhancing and improving upon nature. Security is about fixing and finding someone's mistakes and bandaging the ones which can't. Man did not build nature. After all, gods can't be expected to be perfect, that's why we build machines.

You can say the same thing about cities. The issue is the complexity of the issue and not the origin of the problem...

If a city had an obvious security gap, it would be the city developers and planners who would ultimately be responsible for fixing the problem (and perhaps even for making it). I think it's more a question of where to put the line of negligence in regard to security ethics.


     
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Decius at 8:58 pm EST, Dec 1, 2006

terratogen wrote:
If a city had an obvious security gap, it would be the city developers and planners who would ultimately be responsible for fixing the problem (and perhaps even for making it). I think it's more a question of where to put the line of negligence in regard to security ethics.

Is poor city planning responsible for muggings?


      
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Shannon at 9:15 pm EST, Dec 1, 2006

Decius wrote:

terratogen wrote:
If a city had an obvious security gap, it would be the city developers and planners who would ultimately be responsible for fixing the problem (and perhaps even for making it). I think it's more a question of where to put the line of negligence in regard to security ethics.

Is poor city planning responsible for muggings?

It could be. There's a noted decrease in muggings in areas where there are more street lights and cops (among other factors). If the city planners thought about the population they need to set up for, and studied criminologists' statistics, they can prevent a danger zone. Similarly, there are many poorly designed intersections in the world that are responsible for contributing to many accidents. Even if roads were designed as perfectly as possible, there would still be accidents. However, designing systems which are sub-standard based on known, predictable or expectable flaws is negligent on the part of planners. If planners can recognize and account for what they have done to prevent various dangers (as they become known) then they are not negligent.


       
RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by Decius at 10:37 pm EST, Dec 1, 2006

However, designing systems which are sub-standard based on known, predictable or expectable flaws is negligent on the part of planners. If planners can recognize and account for what they have done to prevent various dangers (as they become known) then they are not negligent.

Oh, I certainly agree with that. Mind you, I'm more impressed with Windows Vista in that regard than I am with OSX.


Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.
by k at 5:08 pm EST, Nov 29, 2006

A long-overdue wake up call for the information security community.

This popped up on Slashdot recently. I'm curious to get feedback from the security experts here at Memestreams.

I'm no security expert, but he seems about on target to me. He has someone in there quoted as saying the internet is "one exploit away from a complete meltdown" and I know of at least one memestreams regular (ahem) who can certainly speak to that (though legally not in great detail).

