July 2007 Archives

Wed Jul 18 19:17:48 2007

Security 2.0 and Ethics 0.2 Beta

New developments, especially if they receive a name and media attention before the actors actually managed to fill the name with something, tend to generate a lot of fuss and inaccurate information. It is an unfortunate fact that the security community is usually riding in the first coach of the FUD [1] train. Remember Y2K and Prof. Brunnstein [2,3]?

One of the primary reasons for the leading FUD role of the security community might be the mental process of reviewing a new system or set of systems for attack surfaces. In the beginning, the entire system is seen as a whole. Then, gradually, individual parts of functionality, their intention and implementation are considered in greater detail. Most of the time, a gap between intention and design or between intention and implementation is uncovered sooner or later. This gap, of course, is only present in the small part of the system you are currently looking at.

What often follows is the false application of the same process backwards when considering the impact and importance of the discovery. It goes like this:

  • I discovered a buffer overflow in program A, which allows me to execute arbitrary code.
  • Program A is written in C.
  • My operating system is written in C.
  • Therefore, my entire operating system must be vulnerable to buffer overflows.
  • This operating system is used all over the Net.
  • Therefore, the Net is vulnerable to buffer overflows.
  • The world is going to end.

Although none of the observations above is provably wrong, the thought process of a security review is not useful for impact considerations. Many other factors play into the impact of a discovery and deserve a special, case-by-case consideration.

The Web 2.0 has all the potential for the next big wave of FUD in security. First of all, it's not done yet. We are seeing new players on the Web, but the general direction of developments is sketchy at best. One of the more solid observations is that the Web 2.0 is a work of composition from known technologies at a higher abstraction level than before. Most components are not reinvented but rearranged and adjusted. This leads to some of the lesser-known components, and especially patterns [6], being considered new, revolutionary developments [4].

The new Web primarily teaches us lessons we should already know. Basics like the fact that perimeter security cannot work in networked environments, since they wouldn't be networked if it did - think mash-ups. Basics like: defence in depth is one of the few paradigms that actually have a chance to work in the wild and keep complex systems alive. But we knew that before, didn't we?

Another indication of a new FUD wave is usually a massive increase in predictions of the future ("Sometimes, I get the feeling that the old generation of security experts and hackers will never grasp these principles the way the upcoming waves will."[4]) and, if the predictions are not coming along fast enough, they receive help from the prognosticator ("The spider that I wrote is anything but malicious. It just spiders. However, keep in mind that it will take less than 5 minutes to make it equipped with the latest AJAX exploits. Therefore, I am not responsible for your actions. Be responsible. Here is the spider source code"[5]).

It should really be noted that there are plenty of security problems to be solved in existing and emerging environments. A security problem is not less sexy just because it doesn't affect millions of innocent users. In fact, the singular focus on the next world-smashing security issue obscures the view of underlying issues and especially of simple and reliable solutions that are sitting just around the corner, waiting to be discovered by the sensationalist crowd. There is really no need for more FUD; we have plenty of real work to do.

Update: pdp was nice enough to point me to the following discussion about this article that I want to share: http://sla.ckers.org/forum/read.php?13,13871
Thanks man.

References

  1. Fear, Uncertainty and Doubt
  2. http://www.blankenese-seiten.de/kirchenkreis/04-Einrichtungen/Seniorenakad/Vortraege/Brunnsteintxt.htm
  3. http://www.chscene.ch/ccc/ds/54/032_brunnstein.html
  4. http://www.gnucitizen.org/blog/projections
  5. http://www.gnucitizen.org/blog/yahoo-site-explorer-spider
  6. http://en.wikipedia.org/wiki/Model-view-controller#Implementations (invented 1979)


Posted by FX | Permanent link | File under: rants