Wednesday, March 23, 2016

I'm going to do something really cool in 3 weeks! ... Probably.

If you pay attention to the security news, there is something coming called Badlock. It has set off a treasure hunt for security flaws in Samba. Rather than link to the web site (I'd rather not support this sort of behavior), let's think about this as reasonable people.

I can imagine three possible outcomes to the events that have been set in motion.
  1. On April 12 a truly impressive security flaw will be disclosed. We will all be impressed.
  2. Someone will figure this out before April 12. They have no incentive to act responsibly and will publish what they know right away: better to be first than to be right!
  3. Whatever happens on April 12 won't be nearly as interesting or exciting as we've been led to believe. The world will say a collective 'meh' and we'll go back to looking at pictures of cats.
Numbers 1 and 2 rely on the flaw being quite serious. If it is serious, I suspect there is a far greater chance of #2 happening than #1. As an industry we should hope for #3; we don't need more terrible flaws.

The really crazy thing to think about is that if the issue isn't actually serious, it probably won't be found. Everyone is looking for a giant problem. They're going to pass up minor issues (if you do find these, please report them; it's still useful work). The prize, we've been told, is a pot of gold, not some proverbial "the journey is the reward" nonsense.

The thing everyone should always remember in a situation like this is that there are a lot of really smart people on the planet. If you think of something clever or discover something new, the odds are huge that someone else did too. Three weeks almost guarantees someone else can figure out whatever it is you found. It's especially interesting in this case: we have a name, "Badlock", so we know it probably involves locking. We know it affects Samba and Windows. And we know who found it, so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person.

The real thing to think about here, though, is what's actually happening. There is a bigger story around all these named issues.

If you name an issue, you are making a claim that it's very serious. There are literally thousands of security issues per year, and maybe ten get fancy names. A name suggests this is something we should care about, that this issue is special. Except that's not really the case all the time. There have been a lot of named issues that weren't very impressive.

What happens in situations like this, when there is a near-constant flow of information that's not really important? People stop listening. The human brain is really good at filtering out noise. At the current rate, named security issues are going to become noise. I'm not opposed to this; I think you should name your pets, not your security issues.

Send your comments to Twitter: @joshbressers