November 21, 2002

Security Cassandras

It is 1am, I am supposed to complete a review of a security design and the more I read it the more I want to rip it all up and rewrite it from scratch. The "record changes" option in OpenOffice is turning the text into a sea of red and the pain is just growing.

Something which I have been mulling over in the past few months, at least since I've moved out of London and its pointless angst, is the current posture of the security community. Each and every day a so-called "Internet security expert" (comfortable with the security of the whole Internet? Now that's impressive!) talks about the terrible disasters which the world is facing. Be it cyber-terrorism or the terrible hackers which infest the Internet, nothing seems to be safe.

Why so much alarm, why so much need to create alarm? Well, option one is that the more people are worried the more they pay for security services. Option two is that it is true. Given the name of this blog there is no prize for guessing the option I am taking. But is it working? When I was a tad younger my parents used to read me the fable of Peter and the Wolf. There was a highly instructive concept represented within the fable: that if you continue crying wolf then when you really need it nobody turns up. Now wouldn't that be most unfortunate?

Let's take the interesting scenario for once: the whole world has been bombarded with security warnings, dreadful menaces waiting to strike, ethernet cables awaiting a command to strangle their owners. Now, either you believed this and you've moved to a remote hut in the middle of nowhere or there is the distinct possibility that you have, quite rightly, decided that it is all a lot of hot air without much substance and are still alive and well. The second option means that you haven't exactly killed yourself patching your system but nobody has broken in; script kiddies keep trying but can't modify the offsets on the buffer overflows and get nowhere on your 64-bit system.

Then something happens: someone really releases a lethal worm, one which sets up a major DDoS network with the aim of taking everything down (who knows, how about the DNS infrastructure? Good start, isn't it?) or perhaps something which injects a good 0-day exploit into any Cisco router ("we run the Internet" can have its drawbacks on a bad day). The usual advisory goes out to bugtraq, vulnwatch, you name it. A few people install the patches, the others ignore it. Then it starts getting "hot", alerts go out, and they happily get ignored. This is called "over-exposure" and is the result of being at "Red Alert" level continuously. Red becomes green and then there is no red to go to.

Oh dear.

How about we start telling people that things are actually OK? That the Internet is doing just fine and that in comparison the crime rate in Washington D.C. is infinitely larger? How about starting to work on releasing less often and concentrating on securing & stabilising software in the first place? Or, God forbid, actually work on egress filtering and installing things well in the first place? The world actually needs people helping in this direction, something terrible called "education", rather than a bad attempt at an Internet version of Stephen King.

It is coming up to 1:30am and the document is sadly still worthy of a rewrite.

Posted by arrigo at November 21, 2002 01:27 AM