The Art of Security and Why Security Vendors are the Root of All Internet Evil

I was reading a book entitled “A Whole New Mind: Why Right-Brainers Will Rule the Future”, it isn’t terribly well written and has the flow of an idea that was shoe-horned into a literary context, but interesting none the less. Anyway against the backdrop of DNSgate (btw – exploit code has been posted – here – thanks guys!) and the complete and utter failure of the security industry to offer anything beyond a never-ending hamster wheel of suites, widgets, add-ons, and modules, the book gave me pause as I reflected on what, for the most part, is a feeling of defeat and despair among security professionals.

This is a feeling that ebbs and flows with the conference season and peaks generally around mid-year with the introduction of clever methods of attack and exploitation presented in the carnival like atmosphere of a Blackhat or *con.

“Come one, come all, see the bearded lady swallow a flaming sword whilst revealing the latest virtual exploit guaranteed to introduce a completely undetectable malicious hypervisor as she rides on the shoulders of the worlds strongest man, who will devastate the entire Internet infrastructure in 10 seconds with a single finger”

Undetectable hyper-visors? 10 seconds to Internet destruction? 1,001 ways to craft a nefarious browser attack? Conceptually these are pretty scary, especially if you are reading your email and Robert Graham singles you out during one of his side-jacking presentations and shows the world how easy it is to own you and how careless you are for being owned – you wall of sheep know who you are – honestly who wouldn’t want to throw in the towel and acquiesce internet dominance to a 15 year old svelte Norwegian hacker with a bad skin condition or a gang of Nigerian spammers.

It would appear that doing business on the internet is like Dom Deluise swimming naked through shark-infested waters with an open wound while wearing a necklace of dead penguins and carrying a 3 lb salami.

It has been argued time and again that the bad-guys have the advantage, that we are on the losing side of the OODA loop, that for the most part we are simply sitting ducks and the best we can do is choose to not sit so close to the gaping jaws of a large crocodile and pray that we do not become prey. I contend that feeling is misguided and incorrect.

Although it has either been lost as inconsequential or we have been so blinded by the constant carpet-bombing of FUD marketing and the ongoing orgy of disclosure that we are simply numb to it, but we have an inherent advantage in that we use the right side of our brains, whereas the bad guys really have no need to, we are clever, we use art with science, we are driven to find the edge cases, we strive to find the unique and obscure – we believe it is the other way around, but that is a result of the complete incompetence of the major security vendors, who like the Diabetes product vendors, will forever keep us in a never-ending cycle of finger-pricking and insulin injecting security practices instead of actually trying to solve problems.

Wait, what, we have the advantage? I know it sounds like security blasphemy, but don’t jump off the roller-coaster of semi-rational fun just yet, we still need to ride through the loop de loop.

  • The majority of ground breaking security research and discoveries, especially of the “holy shit” variety, come from the good guys, not the bad
  • According to the recent Verizon breach disclosure statistics 85% of attacks are opportunistic, which leads one to believe that a. there is no reason for bad guys to find unique ways to exploit and b. we are still our own worst enemy.
  • There is no end in sight for the lack of security prowess ensuring an endless supply of easy targets for the bad guys to attack – remember if we believe that attacks are becoming more financially motivated then there is a cost-benefit analysis that will drive an attacker to take the easiest, least risky path to exploit.

The internet is resilient, business is even more so, and the good guys tend to spend more time on the problem than the bad guys.