Sunday, January 31, 2016

Does the market care about security?

I had some discussions this week about security and the market. When I say the market I speak of what sort of products will people or won't people buy based on some requirements centered around security. This usually ends up at a discussion about regulation. That got me wondering if there are any industries that are unregulated, have high safety requirements, and aren't completely unsafe?

After a little research, it seems SCUBA is the industry I was looking for. If you read the linked article (which you should, it's great) the SCUBA story is an important lesson for the security industry. Our industry moves fast, too fast to regulate. Regulation would either hurt innovation or be useless due to too much change. Either way it would be very expensive. SCUBA is a place where the lack of regulation has allowed for dramatic innovation over the past 50 years. The article compares the personal aircraft industry which has substantial regulation and very little innovation (but the experimental aircraft industry is innovating due to lax regulation).

I don't think all regulation is bad, it certainly has its place, but in a fast moving industry it can bring innovation to a halt. And in the context of security, what could you even regulate that would actually matter? Given the knowledge gaps we have today any regulation would just end up being a box ticking exercise.

Market forces are what have kept SCUBA safe, divers and dive shops won't use or stock bad gear. Security today has no such bar, there are lots of products that would fall under the "unsafe" category that are stocked and sold by many. Can this market driven approach work for our security industry?

It's of course not that simple for security. Security isn't exactly an industry in itself. There are security products, then there are other products. If you're writing a web app security probably takes a back seat to features. Buyers don't usually ask about security, they ask about features. People buying SCUBA gear don't ask about safety, they just assume it's OK. When you run computer software today you either know it's insecure, or you're oblivious to what's going on. There's not really a happy middle.

Even if we had an industry body everyone joined, it wouldn't make a huge difference today. There is no software that exists without security problems. It's a wide spectrum of course, there are examples that are terrible and examples that do everything right. Today both groups are rewarded equally because security isn't taken into account in many instances. Even if you do everything right, you will still have security flaws in your software.

Getting the market to drive security is going to be tricky, security isn't a product, it's part of everything. I don't think it's impossible, just really hard. SCUBA has the advantage of a known and expected use case. Imagine if that gear was expected to work underwater, in space, in a fire, in the arctic, and you have to be able to eat pizza while wearing it? Nobody would even try to build something like that. The flexibility of software is also its curse.

In the early days of SCUBA there were a lot of accidents, by moving faster than the regulators could, they not only made the sport extremely safe, but probably saved what we know as SCUBA today. If it was heavily regulated I suspect much of the technology wouldn't look all that different from what was used 30+ years ago. Software regulation would probably keep things looking a like they do today, just with a lot of voodoo to tick boxes.

Our great challenge is how do we apply this lesson from SCUBA to security? Is there a way we can start creating real positive change that can be market driven innovation and avoid the regulation quagmire?

Join the conversation, hit me up on twitter, I'm @joshbressers

Sunday, January 24, 2016

Security and Tribal Knowledge

I've noted a few times in the past the whole security industry is run by magicians. I don't mean this in a bad way, it's just how things work. Long term will will have to change, but it's not going to be an easy path.

When I say everything is run by magicians I speak of extremely smart people who are so smart they don't need or have process (they probably don't want it either so there's no incentive). They can do whatever needs to be done whenever it needs doing. The folks in the center are incredibly smart but they learned their skills on their own and don't know how to pass on knowledge. We have no way to pass knowledge on to others, many don't even know this is a problem. Magicians can be awesome if you have one, until they quit. New industries are created by magicians but no industry succeeds with magicians. There are a finite number of these people and an infinite number of problems.

This got me thinking a bit, and it reminded me of the Internet back in the early 90's.

If you were involved in the Internet back in the 90's, it was all magic back then. The number of people who knew how things worked was incredibly small. There were RFCs and books and product documents, but at the end of the day, it was all magic. If your magician quit, you were screwed until you could find and hire a new magician. The bar was incredibly high.

Sounds a lot like security today.

Back then if you had a web page, it was a huge deal. If you could write CGI scripts, you were amazing, and if you had root on a server you were probably a magician. A lot of sysadmins knew C (you had to), a lot of software was built from source. Keeping anything running was a lot of work, infrastructure barely held together and you had to be an expert at literally everything.

Today getting a web site, running server side scripts, or root aren't impressive. You can get much of those things for free. How did we get here? The bar used to be really high. The bar is pretty low now but also a lot more people understand how much of this works. They're not experts but they know enough to get things done.

How does this apply to security?

Firstly we need to lower the bar. It's not that anyone really plans to do this, it just sort of happens via better tooling. I think the Linux distribution communities helped a lot making this happen back in the day. The tools got a lot better. If you configured a server in 1995 it was horrible, everything was done by hand. Now 80% of the work just sort of happens, you don't need super deep knowledge. Almost all security work done these days is manual. I see things like AFL and LLVM as the start but we have a long way to go. As of right now we don't know which tools are actually useful. There are literally thousands of security products on the market. Only the useful ones will really make a difference in the long term.

The second thing we need to do is transfer relevant knowledge. What that knowledge is will take time to figure out. Does everyone need to know how a buffer overflow exploit works? Probably not, but the tools will really determine who needs to know what. Today you need to know everything. In the future you'll need to know how to use the tools, interpret the output, and fill in some of the gaps. Think of it as the tools having 80% of the knowledge, you just need to bring the missing 20%. Only the tool writers need to know that missing knowledge. Today people have 100% or 0% of knowledge, this is a rough learning curve.

If you look at the Internet today, there is a combination of tons of howtos and much better software to setup and run your infrastructure. There are plenty of companies that can help you build the solution you need. It's not nearly as important to know now to configure your router anymore, there are better tools that do a lot of this for you. This is where security needs to go. We need tools and documents that are useful and helpful. Unfortunately we don't yet really know how to make useful tools, or how to transfer knowledge. We have a long way to go before we can even start that conversation.

The next step security needs to make is to create and pass on tribal knowledge. It's still a bad place to be in, but it's better than magicians. We'll talk about tribal knowledge in the future.

Join the conversation, hit me up on twitter, I'm @joshbressers

Sunday, January 17, 2016

OpenSSH, security, and everyone else

If you pay attention at all, this week you heard about a security flaw in OpenSSH.

Of course nothing is going to change because of this. We didn't make any real changes after Heartbleed or Shellshock, this isn't nearly as bad, it's business as usual.

Trying to force change isn't the important part though. The important thing to think about is the context this bug exists in. The folks who work on OpenSSH are some of the brightest security minds in the world. We're talking well above average here, not just bright. If they can't avoid security mistakes, is there any hope for the normal people?

The answer no.

What do we do now?

For the moment we will continue to operate just like we have been. Things aren't great, but they're not terrible. Part of our problem is things aren't broken enough yet, we're managing to squeak by in most situations.

The next step will be developing some sort of tribal knowledge model. It will develop in a mostly organic way. Long term security will be a teachable and repeatable thing, but we can't just jump to that point, we have to grow into it.

If you look at most of the security conference content today it sort of falls into two camps.

  1. Look at my awesome research
  2. Everything is broken and we can't fix it

Both of these content sets are taught by magicians. They're not really teaching knowledge, they're showing off. How do we teach? Teaching is really hard to do, it's not easy to figure out.

Many people believe security can't be learned, it's just sort of something you have. This is nonsense. There are many possible levels of skill, there is a point where you have to be especially gifted to move on, but there is also a useful place a large number of people can reach.

Perhaps the best place to start is to think about the question "I want to learn security, where do I start?"

I've been asked that many times. I've never had a good answer.

If we want to move our industry forward that's what we have to figure out. If someone came to you asking how to learn security, we have to have an answer. Remember no idea is too crazy, if you have thoughts, let's start talking about it.

Join the conversation, hit me up on twitter, I'm @joshbressers

Sunday, January 10, 2016

What the lottery and security have in common

If you live in the US you can't escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they'll do when they win enough money to ruin their life.

This made me realize the unfortunate truth about security we like to ignore. Humans are bad at reality. Here is how most of my conversations go.

"You won't win. The odds are zero percent"
"I might! You don't know!"
GOTO 10

I'm of course labeled as being some sort of party pooper because I'm not creating stories about how I will burn through hundreds of millions of dollars in a few short weeks.

What does this have to do with security? It's because people are bad at reality. Let's find out why.

Firstly, remember that as a species evolution has built us to survive on the African Savannah. We are good at looking for horrible beasts in the grass, and begin able to quickly notice other humans (even if they appear in toast). We are bad at things like math and science because math rarely hides in the grass and eats people. The vast majority of people live their lives unaware of this as a problem. What we call "intuition" is simply "don't get eaten by things with big teeth".

Keeping this in mind, let's use the context of the lottery. The odds are basically zero percent once you take the margin of error into account. We don't care though, we want to believe that there's a chance to win. Our brain says "anything is possible" then marketing helps back that up. Almost nobody knows how bad their odds really are and since you see a winner on TV every now and then, you know it's possible, you could be next! The lottery ticket is our magic gateway to fixing all our problems.

Now switch to security. People are bad at understanding the problems. They don't grasp any of the math involved with risk, they want to do something or buy something that is the equivalent of a lottery ticket. They want a magic ticket that will solve all their problems. There are people selling these tickets. The tickets of course don't work.

How we fix this if the question. Modern medicine is a nice example. Long ago it was all magic (literally). Then by creating the scientific method and properly training doctors things got better. People stopped listening to the magicians (well, most people) and now they listen to doctors who use science to make things better. There is still plenty of quack medicine though, we want to believe in the magic cures. In general most of humanity goes to doctors when they're sick though.

Today all security is magic. We need to find a way to create security science so methods and ideas can be taught.

Between thinking about how to best blow my lottery winnings, I'll probably find some time to think about what security science looks like. Once I win though you'll all be on your own. You've been warned!

Join the conversation, hit me up on twitter, I'm @joshbressers

Monday, January 4, 2016

A security analogy that works

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It's really hard to describe, no analogies work, and things just seem to keep getting worse.

Until now!

Maybe.

Well, things will probably keep getting worse, but I think I've found a way to describe this almost anyone can understand. We can't really talk about our problems today, which makes it impossible to fix anything.

Security is the same problem as World Hunger. Unfortunately we can't solve either, but in theory we can make things better. Let's look at the comparisons.

First, the problem we talk about isn't just one thing. It's really hundreds or thousands of other problems we lump together into one group and give it a simple yet mostly meaningless name. The real purpose of the name is to give humans a single idea they can relate to. It's not meant to make the problem more fixable, it just makes it so we can talk about it.

Security includes things like application security, operational security, secure development, secure documentation, pen testing, hacking, DDoS, and hundreds of other things.

World hunger includes homelessness, hunger, malnutrition, lack of education, clean water, and hundreds of other things.

Lots of little things.

Second, the name isn't really the problem. It's what we can see. It's a symptom of other problems. The other problems are what you have to fix, you can't fix the name.

What we call "security" is really other things, and the real problem is rarely security, it's something else, security is the symptom we can see, the real problem is less obvious and hard to see.

In the context of world hunger the real problems are things like clean water, education, equality, corruption, crime, and the list goes on. Hunger is what we see, but to fix hunger, we have to fix those other problems.

We can give people food, but that doesn't fix the real problem, it makes things better for a day or a week. This is exactly how security works today. We run from fire to fire, fixing a single easy to see problem, then run off to the next thing. We never solve any problems, we put out fires.

So assuming this analogy holds, the sort of good news is that world hunger is slowly getting better. The bad news is progress is measured in decades. This is where my thinking starts to falter. Trade can help bring more progress to a given area. What is the equivalent in security? Are there things that can help make the situation better for a localized area? Will progress take decades?

If I had to guess, which I will, I suspect we're in the dark ages of security. We don't approach problems with a scientific mind, we try random things until something works, and then decide that spinning around while holding a chicken is what fixed that buffer overflow.

What we need is "security science". This means we need ways to approach security in a formal reproducible manner. A practice that can be taught and learned. Today it's all magic, some people have magic, most don't. Remember when the world had magicians instead of doctors? Things weren't better back then no matter what those forwards from your uncle claims.

This all leaves a lot of unanswered questions, but I think it's a starting point. Today we have no starting point, we have people complaining everything is broken, people selling magic, some have given up and assume this is how everything will just always be.

What will our Security Renaissance be? What will security science look like?

Join the conversation, hit me up on twitter, I'm @joshbressers