The glibc issue has had me thinking. What will we learn from this?
I’m pretty sure the answer is “nothing”, which then made me wonder why this is.
The conclusion I came up with is we are basically the aliens from space invaders. Change direction, increase speed! While this can give the appearance of doing something, we are all very busy all the time. It’s not super useful when you really think about it. Look at Shellshock, Heartbleed, GHOST, LOGJAM, Venom, pick an issue with a fancy name. After the flurry of news stories and interviews, did anything change, or did everyone just go back to business as usual? Business as usual pretty much.
Dan Kaminski explains glibc nicely and has some advice. But let’s look at this honestly. Is anything going to change? No. Dan found a serious DNS issue back in the day. Did we fix DNS or did we bandage it up as best as we could? We bandaged it. What Dan found was without a doubt as bad or worse than this glibc issue, nothing changed.
I’ve said this before, I’ll say it again. I’m going to say it at RSA next week. We don’t know how to fix this. We think we do, you’re thinking about it right now, about how we can fix everything! We just have to do that one … Except you can’t. We don’t really know what’s wrong. Security bugs aren’t the problem, they are the result of the problem. We can’t fix all the security bugs. I’d be surprised if we’ve even fixed 10% of security bugs that exist. Even mitigation technologies aren’t going to get us there (they are better than constantly fixing bugs, but that’s a story for another day).
It’s like being obsessed about your tire pressure when there is a hole in the tire. If you only worry about one detail, the tunnel vision makes you miss what’s actually going on. Our tires are losing air faster than we can fix them, so we’re looking for a bigger pump instead of new tires.
We say things all the time about not using C anymore, or training developers, or writing better documentation. There’s nothing wrong with these ideas exactly, but the fact is they’ve all been tried more than once and none of them work. If we started the largest developer education program ever, if we made every developer sit through a week of training. I bet it would be optimistic if our bug rate would decrease by 5%. Think about that for a while.
We first have to understand our problem. We have lots of solutions, solutions to problems that don’t really exist. Solutions without problems tend to turn into new problems. We need to understand our security problem. It’s probably more like hundreds or thousands of problems. Every group, every company, every person has different problems. We understand none of them.
We start by listening. We’re not going to fix any of this with code. We need to see what’s happening, some big picture, some in the weeds. Today we show up, yell at people (if they’re lucky), then we leave. We don’t know what’s really happening. We don’t tell anyone what they need to know. We don’t even know what they need to know. The people we’re not talking to know what the problems are though. They don’t know they know, we just have to give them time to explain it to us.
If you’re at RSA next week, come talk to me. If not, hit me up on twitter @joshbressers