What the lottery and security have in common

If you live in the US you can’t escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they’ll do when they win enough money to ruin their life.

This made me realize the unfortunate truth about security we like to ignore. Humans are bad at reality. Here is how most of my conversations go.

“You won’t win. The odds are zero percent”
“I might! You don’t know!”
GOTO 10

I’m of course labeled as being some sort of party pooper because I’m not creating stories about how I will burn through hundreds of millions of dollars in a few short weeks.

What does this have to do with security? It’s because people are bad at reality. Let’s find out why.

Firstly, remember that as a species evolution has built us to survive on the African Savannah. We are good at looking for horrible beasts in the grass, and being able to quickly notice other humans (even if they appear in toast). We are bad at things like math and science because math rarely hides in the grass and eats people. The vast majority of people live their lives unaware of this as a problem. What we call “intuition” is simply “don’t get eaten by things with big teeth”.

Keeping this in mind, let’s use the context of the lottery. The odds are basically zero percent once you take the margin of error into account. We don’t care though, we want to believe that there’s a chance to win. Our brain says “anything is possible” then marketing helps back that up. Almost nobody knows how bad their odds really are and since you see a winner on TV every now and then, you know it’s possible, you could be next! The lottery ticket is our magic gateway to fixing all our problems.

Now switch to security. People are bad at understanding the problems. They don’t grasp any of the math involved with risk, they want to do something or buy something that is the equivalent of a lottery ticket. They want a magic ticket that will solve all their problems. There are people selling these tickets. The tickets of course don’t work.

How we fix this is the question. Modern medicine is a nice example. Long ago it was all magic (literally). Then by creating the scientific method and properly training doctors things got better. People stopped listening to the magicians (well, most people) and now they listen to doctors who use science to make things better. There is still plenty of quack medicine though, we want to believe in the magic cures. In general most of humanity goes to doctors when they’re sick though.

Today all security is magic. We need to find a way to create security science so methods and ideas can be taught.

Between thinking about how to best blow my lottery winnings, I’ll probably find some time to think about what security science looks like. Once I win though you’ll all be on your own. You’ve been warned!

Join the conversation, hit me up on twitter, I’m @joshbressers

A security analogy that works

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It’s really hard to describe, no analogies work, and things just seem to keep getting worse.

Until now!

Maybe.

Well, things will probably keep getting worse, but I think I’ve found a way to describe this almost anyone can understand. We can’t really talk about our problems today, which makes it impossible to fix anything.

Security is the same problem as World Hunger. Unfortunately we can’t solve either, but in theory we can make things better. Let’s look at the comparisons.

First, the problem we talk about isn’t just one thing. It’s really hundreds or thousands of other problems we lump together into one group and give it a simple yet mostly meaningless name. The real purpose of the name is to give humans a single idea they can relate to. It’s not meant to make the problem more fixable, it just makes it so we can talk about it.

Security includes things like application security, operational security, secure development, secure documentation, pen testing, hacking, DDoS, and hundreds of other things.

World hunger includes homelessness, hunger, malnutrition, lack of education, clean water, and hundreds of other things.

Lots of little things.

Second, the name isn’t really the problem. It’s what we can see. It’s a symptom of other problems. The other problems are what you have to fix, you can’t fix the name.

What we call “security” is really other things, and the real problem is rarely security, it’s something else, security is the symptom we can see, the real problem is less obvious and hard to see.

In the context of world hunger the real problems are things like clean water, education, equality, corruption, crime, and the list goes on. Hunger is what we see, but to fix hunger, we have to fix those other problems.

We can give people food, but that doesn’t fix the real problem, it makes things better for a day or a week. This is exactly how security works today. We run from fire to fire, fixing a single easy to see problem, then run off to the next thing. We never solve any problems, we put out fires.

So assuming this analogy holds, the sort of good news is that world hunger is slowly getting better. The bad news is progress is measured in decades. This is where my thinking starts to falter. Trade can help bring more progress to a given area. What is the equivalent in security? Are there things that can help make the situation better for a localized area? Will progress take decades?

If I had to guess, which I will, I suspect we’re in the dark ages of security. We don’t approach problems with a scientific mind, we try random things until something works, and then decide that spinning around while holding a chicken is what fixed that buffer overflow.

What we need is “security science”. This means we need ways to approach security in a formal reproducible manner. A practice that can be taught and learned. Today it’s all magic, some people have magic, most don’t. Remember when the world had magicians instead of doctors? Things weren’t better back then no matter what those forwards from your uncle claim.

This all leaves a lot of unanswered questions, but I think it’s a starting point. Today we have no starting point, we have people complaining everything is broken, people selling magic, some have given up and assume this is how everything will just always be.

What will our Security Renaissance be? What will security science look like?

Join the conversation, hit me up on twitter, I’m @joshbressers

Security reminds me of the gym on January 2

If you have any sort of gym membership you dread the month of January. Every year, there are countless people who make a resolution to get in shape, so the gym is flooded with people for much of January. I’m in favor of everyone staying in shape and having a gym membership, my point isn’t to claim how annoying the n00bs are. The point of this story is how few people stick around, and most give up because doing nothing is often easier than doing something.

What does this have to do with security?

The parallel here worries me. Let’s use Heartbleed for our context.

After Heartbleed (January 1), everyone was talking about security, it was super important and everyone wanted more security (flooding the gym). After a while (February) most people stopped obsessing over security, a few stick around, most don’t. As a species we’re not really doing any better now than we were before Heartbleed. You could make some arguments, but it’s a rounding error at best.

The real issue here is this is how humans work. We love running to whatever is popular, pretending we always knew it was cool, and watching for whatever next hip thing will pop up for us to latch on to.

Our current security problems aren’t technology problems, they are human problems. We have to assume we can’t change human nature. The vast majority of people will never take security seriously. They know it’s important, they might even want to do it right, but at the end of the day they’re not going to do anything about it.

The only solution is to make secure the default option.

This is probably harder than changing human nature.

Can this problem actually be fixed? I’m not sure. I need to think about it. I don’t want to say no, but my crystal ball is pretty fuzzy here. There are a lot of weird problems all tied together in bizarre ways. I’m always happy to listen to new ideas, let me know if you have any. The more I learn the less I know seems to be the only constant.

Join the conversation, hit me up on twitter, I’m @joshbressers

A Christmas Cyber

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy.

“Merry Christmas Bob!” said Alice. “Bah humbug!” was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened the door to the server room he noticed the door knocker looked like Mallory, which was odd as the server room door didn’t have a knocker. A closer inspection led Bob to believe his mind was playing tricks on him.

Bob sat down at the terminal and heard the door slam shut. This is of course impossible as the door has a slow closer on it so this sort of thing couldn’t happen. As Bob peeked around the side of the terminal he saw the ghost of Mallory.

“How now!” said Bob, “What do you want with me?”

“Much!” said Mallory.

“Tonight you will be visited by 3 spirits, they will guide you in hopes that you can avoid my path.”

Mallory walked backwards, hit his head on the door, fell down, then stood up, looked around, and snuck out as best as one can after running into a door and falling down.

“Still an idiot” thought Bob. “I can’t imagine any of this is real.”

Cyber Past

Later that night while reading Alice’s mail instead of checking the IDS logs, Bob heard a sound that made him look up quickly. There standing before him was a woman with a ghostly appearance.
“I am the ghost of cyber past” whispered the spirit. “The … what, wait, what? This stupid thing is real?” “I’m here to show you how you used to be, the shadows of things that once were.”
Instantly Bob was transported to the server room ten years ago. He was speaking with the lead architect about how to secure the infrastructure.
“I remember him” recalled Bob. “He should have been fired for incompetence.” “You weren’t always like this” said the spirit “You once had hope you could change things and help them.” “Well, I was a foolish youth, these people are beyond help now” Bob recalled.
The Spirit gazed at the youthful Bob. “We should create a security policy that will help keep the network secure, it’s important not to get in the way too much, I have no doubt we can do this if we work together!”
Just then the scene faded and they were returned to the server room of today, a drab place that had no joy or good ideas anywhere you looked.
“Sigh, there are going to be two more of these bozos who come tonight I suppose. I probably won’t get anything done. This will be worse than end of quarter.”

Cyber Present

The clock struck one, which was odd given there isn’t a clock in the server room. “Now why is that even needed” yelled Bob.
Bob looked up and saw another Spirit. “You’re the one who will show me nobody likes me right!” The spirit looked at him and sighed. “This is why nobody likes you Bob, let’s go.”
The first stop was a party where Alice is talking to some friends. “Then he actually said bah humbug. I mean, who even does that. The guy is totally mental.” Bob shouted “It’s not like you’re any better!” “She can’t hear you” said the Spirit. Bob grumbled something foul to himself.
“I had hoped to show you more, but this is the only person I could find who even talked about you, seriously Bob, you need to be nicer to, well, anyone.”
The scene changed to Bob’s apartment. It was a disheveled room with clutter everywhere. The computer chair was the only place that didn’t have a mess on it. “I have friends in World of Warcraft!” “That’s a lie and you know it!” said the Spirit. “They kicked you out of the guild because you treat them all horribly.”
“Really Bob, I’ve been doing this a long time, you’re without a doubt the most unlikable person I’ve seen, you need to be nicer.” “Maybe if they were nice to me!” “It really doesn’t work that way. Stop being such a jerk.” Bob looked at the Spirit “Aren’t you supposed to be all mysterious and not tell me what to do?” “I’ve made an exception. Also, clean up this dump when you get home.”
With that the room vanished and Bob was again in the server room.
“What a waste of time” he sighed. “That guy was dumber than the people I have to work with.”

Cyber Future

The last Spirit was waiting for Bob as soon as he arrived. “This one is supposed to scare me” thought Bob. He looked up and saw one of his sales reps. “Oh FOR …” “Hi Bob, shall we get going?” “I always knew there was something up with you, you actually are the devil!” “Spirit Bob, I’m a spirit.” “Oh whatever, look, I’m busy, can we just assume you show me a terrible future so I can finish up?”
“No.”
The server room was suddenly much brighter, it was clearly daytime at some point in the future. There were two people talking. “Will you miss him?” said the first person, Bob didn’t recognize them. “Absolutely not” said the second person. “That guy was horrible. Nobody liked him, I’m amazed it took so long to fire him, what a pain.” “You can’t just be a tyrant, security is important, we need someone who can help, not just tell us ‘no’ anytime a question is asked.” “Hah, that’s true, all Bob ever did was say no and yell. Thank goodness they fired him.”
“They fire me?!” asked Bob. “They had no choice” said the Spirit. “You weren’t actually helping, you just made problems worse really. Remember this is but the future that could be if you don’t change your ways. There is still hope for you Bob, you can make things better instead of just being part of the problem. Tonight was all about showing you the error of your ways so you can become the security person you once thought you could be. The security person the world needs, it’s important. It’s time to go now, you’ve seen enough. I’ll call you on Monday, I think your firewall is out of compliance.”
With that the server room scene changed back to the present, it was dark outside and Bob was alone in the room. He shivered, it was suddenly chilly.
Bob took a deep breath, what a night. He looked up at the clock, it was almost time to head home. The future Bob saw made him nervous. “That’s not how I want to go out, I’m smart enough to make things right” he thought. Bob leaned back in his chair. After thinking about what to do Bob decided he had to change things. That’s not the future he wanted he had to build a new future. A great future, a future he deserves!
Bob grinned, grabbed a scrap of paper and started writing something down. He taped it to the door. The note read “Merry Christmas everyone, Love Bob.”
“This will be a Christmas to remember” Bob said out loud.
He then shut off the power to the whole server room and left. His phone started ringing immediately and he ignored it as he walked to his car. “Nobody fires me!” he thought to himself. “I wonder if the guild will let me back in?”

Security is the new paperless office!

If you’re old enough, you remember reading a lot about the coming “paperless office”. It never came, but I realized there are parallels we can draw in the context of our current security problems.

Back in the 90’s, everyone wanted a paperless office. It sounded neat and with the future coming, who would need paper with all the flying cars and hoverboards! It turns out paper didn’t go away. Everyone keeps talking about how security is the most important thing ever, investing in the paperless office was once the most important thing ever.

Stage 1: Magic!

This is where security is today. Everyone knows it’s neat, but nobody knows what to really do. Well some people know, but nobody listens to them. Instead we want a magic solution that will fix everything. Most of it doesn’t work but who cares, it’s magic, shut up and take my money!
The paperless office had tons of bizarre things from magic scanners to document systems to things that almost looked like a tablet to store all your paper. None of those things really worked well, they weren’t purchased by a lot of people. Anyone who owned an early Palm Pilot probably remembers how just keeping the thing working took at least double the time a paper book consumed. That doesn’t even count the odd writing style you had to use, I’m having flashbacks just thinking about it.
Back in those days most companies had rooms to store the documents. It generally had a lock on it that was never locked, and most of the documents got filed away and were never ever looked at again. The amount of wasted paper and floor space was crazy. If there was a fire, everything got lost. The reasons to get your data out of those rooms were pretty obvious. Just like the reasons to now protect that data are obvious, but how to actually do these things is not.

Stage 2: There is no stage 2

The thing is, there wasn’t ever some mega event that ushered in the paperless office, there will probably never be a paperless office. What actually happened, and is still happening, is we saw a lot of incremental change over the course of decades to bring us to where we are today. I wouldn’t say we’re anywhere near paperless, but we will continue to approach zero. There are some things that make life a lot nicer and things seem to keep getting better.
Most companies don’t have massive document rooms anymore, they store much of that paperwork on a server somewhere. A decent system can tell you exactly who viewed what, when, and why. We do this because it’s better in almost every way, but it took a long time to work out how everything fits together. I never print out maps or travel information anymore, it’s all on my phone. I don’t keep receipts, I just scan them. A lot of HR documents are filled out through a web browser. I pay many bills through a web browser.
There are still people who claim paper is better with a nostalgic glee. There are plenty of crazy arguments about why paper is better, these people aren’t worried about utility though, they have a view of reality that isn’t based on the utility of something, they like things the way they are. More on this person later though, we all know one, keep them in mind.
None of these paperless changes happened quickly or with much fanfare. It was just the slow march of progress. Security is happening the same way. There isn’t going to be a singular giant event that changes everything, there will be lots of little ones. Over the course of the next decade some people will continue to make incremental improvements. Things will get better one step at a time. Security today is better than it was ten years ago, it’s still bad, but it is better.
Here’s the catch though: a lot of security people today are actually fighting change. It’s not the way they would have done it, and instead of helping they like to complain about how nothing will work. They are going to be the people in ten years talking about how much better life was when everything was on paper in a giant warehouse. Those trees had it coming!

Stage 3: Wait, but there was no stage 2 …

So the question now is what can we do? The question of how do we fix all this mess keeps coming up over and over again. Nobody can answer it, some people don’t even understand the question. If you consider yourself a security person, just start helping. Be patient, answer questions, give good advice. As everyone learns new lessons things will improve. There isn’t one fix. Regulation won’t fix anything, huge corporations won’t fix anything, insurance won’t fix anything. Everything will slowly fix itself. The best we can do is try to go from slowest to slower.
There is a bigger issue: are the bad guys moving faster than us? I think today they are, whether that will ever change is a debate for a different day.

The world is going to deal with these problems, if the experts help it will go a lot smoother, if they don’t we’ll still get there, it just takes longer. Don’t be the guy who wishes for the good old days. Figure out how to help.

Join the conversation, hit me up on twitter, I’m @joshbressers

Security lacks patience

I had a meeting with some non security people to discuss some of the challenges around security. It’s a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that came out of this meeting was when someone pointed out as a group we are impatient.

I sort of knew this, but I wouldn’t have listed this in the top 10 of “what’s wrong with us”.

What does it mean to be impatient? We don’t listen as well as we should. We get tired of having to explain the same thing over and over again. We don’t like to talk to someone who knows less than us (which is everyone). There are plenty of other examples, I’m not going to dwell on them though. It’s likely many of us have no idea we’re impatient.

I think the most important aspect of this though is how we deal with new ideas. In almost every instance of someone proposing a new idea, we rarely talk to them about it, we spend time telling them why they’re wrong. There is nothing security people like to do more than tell someone why they’re wrong. Being technically correct is the best kind of correct!

I was at a working group recently where a number of people suggested new ideas. In almost every case the majority of time was spent explaining to them why their ideas were stupid and would never work. This isn’t a good use of time. It’s the help or shut up concept. We’re not patient, we don’t want to engage, we just want to prove why we’re right and get back to doing nothing. Don’t be this person, if you don’t have constructive feedback listen instead of talking. Bad ideas generally self destruct during discussion, and discussion makes good ideas great.

Has bluntly telling someone their idea is stupid ever actually worked? I bet in almost every instance they double down and never will listen to you again. This is how bad ideas become bad projects.

How do I be more patient?

Being more patient isn’t all that hard in theory, but it’s really hard if you’re used to proving everyone wrong all the time. You just have to learn to listen. It sounds simple but for most security people it’s going to be really hard, one of the hardest things you’ll ever do. Let’s cover some examples.

A new way to classify security flaws is proposed, you think it’s dumb. Do you

  1. Tell them why they’re wrong
  2. Argue over why your way is better (even though you don’t really have a way)
  3. Sit there and listen, even though it feels like your insides want to jump out and start yelling

The correct answer is #3. It’s really hard to listen to someone else speak if you think they’re wrong. There are few feelings of satisfaction like completely destroying someone’s idea because it wasn’t thought all the way through. This is why nobody likes you.

You find a remote execution flaw in some code a coworker wrote. Do you

  1. Make sure everyone knows they did this and push to revoke their git access
  2. Tell them how stupid they are and demand they fix the problem without any help
  3. Teach them how to fix the problem, listening to what they say while they’re trying to learn

#1 and #2 are pretty much the way things work today. It’s sort of sad when you really think about it.

If you just sit and listen, people will talk. Most people don’t like silence. If you say nothing, they will say something. In the above example, the person you listen to will start to talk about why they did what they did. That will give you what you need to teach them what they need to know. This is how you gain wisdom. We are smart, we are not wise.

Listening is powerful. Patience is listening. Next time you’re talking to someone, no matter what the topic is, just sit and listen. Make a point not to speak. You’ll learn things you never dreamt of, and you’ll build trust. Listening is more powerful than talking, every time.

Join the conversation, hit me up on twitter, I’m @joshbressers

Where is the physical trust boundary?

There’s a story of a toothbrush security advisory making the rounds.

This advisory is pretty funny but it matters. The actual issue with the toothbrush isn’t a huge deal, an attacker isn’t going to do anything exciting with the problems. The interesting issue here is we’re at the start of many problems like this we’re going to see.

Today some engineers built a clever toothbrush. Tomorrow they’re going to build new things, different things. Security will matter for some of them. It won’t matter for most of them.

Boundaries of trust


Today when we try to decide if something is a security issue we like to ask the question “Does this cross a trust boundary?” If it does, it’s probably a security issue. If no trust boundary is crossed, it’s probably not an issue. There are of course lots of corner cases and nuance, but we can generally apply the rule.

Think of it this way. If a user can delete their own files, that’s not crossing a trust boundary, that’s just doing something silly. If a user can delete someone else’s files, that’s not good.
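The “your own files versus someone else’s files” rule is easiest to see as an authorization check in code. The following is an added example, not code from the original post: a file store with an unchecked delete (any authenticated caller can remove any file, which is the boundary crossing) next to a checked delete that only lets the owner remove a record. The users, file ids and contents are constructed for the example.

```python
"""Added example (not from the original post): the "delete your own files vs.
someone else's files" trust boundary expressed as an authorization check.
The users, file ids and contents below are constructed sample data."""

from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a request would act on another principal's data."""


@dataclass
class FileRecord:
    file_id: str
    owner: str
    content: bytes


@dataclass
class FileStore:
    files: dict = field(default_factory=dict)

    def add(self, record: FileRecord) -> None:
        self.files[record.file_id] = record

    def delete_unchecked(self, caller: str, file_id: str) -> bool:
        """Vulnerable form: trusts the caller-supplied id completely.
        `caller` is accepted but never consulted, so any user can delete
        any file. That is the trust boundary being crossed."""
        return self.files.pop(file_id, None) is not None

    def delete(self, caller: str, file_id: str) -> bool:
        """Hardened form: the server decides whether the record belongs to
        the caller before touching it. Deleting your own file stays allowed
        (silly, but not a security issue); deleting someone else's is refused."""
        record = self.files.get(file_id)
        if record is None:
            return False
        if record.owner != caller:
            # Refuse and surface the attempt; log ids, never file content.
            raise AuthorizationError(f"{caller} is not the owner of {file_id}")
        del self.files[file_id]
        return True


def build_sample_store() -> FileStore:
    """Constructed sample data: two users, one file each."""
    store = FileStore()
    store.add(FileRecord("f1", "alice", b"alice's notes"))
    store.add(FileRecord("f2", "bob", b"bob's notes"))
    return store


def demo() -> dict:
    """Run the same cross-user request through both forms and report the outcome."""
    results = {}

    # Unchecked: bob removes alice's file. Nothing stops him.
    store = build_sample_store()
    results["unchecked_cross_user_delete"] = store.delete_unchecked("bob", "f1")

    # Checked: the same request is refused.
    store = build_sample_store()
    try:
        store.delete("bob", "f1")
        results["checked_cross_user_delete"] = True
    except AuthorizationError:
        results["checked_cross_user_delete"] = False

    # Checked: bob deleting his own file is fine.
    results["checked_own_delete"] = store.delete("bob", "f2")
    results["remaining"] = sorted(store.files)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened form is where the decision is made: the ownership comparison happens on the server against the stored record, not against anything the caller sent. Real systems add roles (an administrator may legitimately cross this line), but the shape of the check is the same.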

This starts to get weird when we think about real things though.

Boundaries of physical trust?


What happens in the physical world? What counts as a trust boundary? In the toothbrush example above an attacker could gain knowledge of how someone is using a toothbrush. That’s technically a trust boundary (an attacker can gain data they’re not supposed to have), but let’s face it, it’s not a big deal. If your credit card number was also included in the data, sure no question there.

But as such, we’re talking about data that isn’t exciting. You can make the argument about tracking data from a user over the course of time and across devices, let’s not go there right now. Let’s just keep the thinking small and contained.

Where do we draw the line?


If we think about physical devices, what are our lines? A concept of just a trust boundary doesn’t really work here. I can think of three lines, all of which are important, but not equally important.

  1. Safety
  2. Harm
  3. Annoyance

Safety

When I say safety I’m thinking about a device that could literally kill a person. This could be something like disabling the brakes on a car. Making a toaster start a fire. Catastrophic events. I don’t think anyone would ever claim this class of issues isn’t a problem. They are serious, I would expect any vendor to take these very seriously.

Harm

Harm would be where someone or something can be hurt. Nothing catastrophic. Think maybe a small burn, or a scrape. Perhaps making someone fall down when using a scooter, or burn themselves with a device. We could argue this category for a while. Things will get fuzzy around whether a given problem counts as catastrophic. Some vendors will be less willing to deal with these but I bet most get fixed quickly.

Annoyance

Annoyance is where things are going to get out of hand. This is where the toothbrush advisory lives. In the case of a toothbrush it’s not going to be a huge deal. Should the vendor fix it? Probably. Should you get a new toothbrush over it? Probably not.
The nuance will be which annoying problems deserve fixes and which ones don’t? Some of these problems could cost you money. What if an attacker can turn up your thermostat so your furnace runs constantly? Now we have an issue that can cost real money. What if we have a problem where your 3D printer ruins a spool of filament? What if the oven burns the Christmas goose?
Where is our trust boundary in the world of annoying problems? You can’t just draw the line at money and goods. What happens if you can ring a person’s door bell and they have to keep getting up to check the door? Things start to get really weird.
Do you think a consumer will be willing to spend an extra $10 for “better security”? I doubt it. In the event a device will harm or kill a person there are government agencies to step in and stop such products. There are no agencies for leaking data and even if there were they would have limited resources. Compare “annoyance security” to all the products sold today that don’t actually work, who is policing those?
As of right now our future is going to be one where everything is connected to the Internet, none of it is secure, and nobody cares.

Join the conversation, hit me up on twitter, I’m @joshbressers

If your outcome is perfect or nothing, nothing always wins

This tweet
https://twitter.com/RichFelker/status/666325066838339584

Led to this thread
http://marc.info/?t=144778171800001&r=1&w=2

The short version is there are some developers from Red Hat working on gcc attempting to prevent ROP style attacks. More than one person has accused this work of being pointless and a waste of time. It’s not, the waste of time is arguing about why trying new things is dumb.

Here’s the important thing security people always screw up.

The only waste of time is if you do nothing and complain about the people who are doing something.

It is possible the ROP work that’s being done won’t end up preventing anything. If that’s true the absolute worst thing that will result is learning a lesson. It’s all too easy in the security space to act like this. If it’s not perfect you can make the argument it’s bad. It’s a common trait of a dysfunctional group.

This is however true in crypto, never invent your own crypto algorithm.

But in the context of humanity, this is how progress happens. First someone has an idea, it might be a terrible idea, but they work on it, then they get help, the people helping expand and change the idea, eventually, after people work together, the end is greater than the means. Or if it’s a bad idea, it goes nowhere. Failure only exists if you learn nothing.

This isn’t how security has worked, it’s probably why everything seems so broken. The problem isn’t the normal people, it’s the security people. Here’s how a normal security idea happens:

  1. Idea
  2. YOUR IDEA IS STUPID YOU’RE WASTING YOUR TIME AND YOU’RE STUPID!!!
  3. Give up

That’s madness.

From now on, if someone has an idea and you think it’s silly, say nothing. Just sit and watch. If you’re right it will light on fire and you can run around giving hi5s. It probably won’t though. If someone starts something, and others come to help, it’s going to grow into something, or they’ll fail and learn something. This is how humans learn and get better. It’s how open source works, it’s why open source won. It’s why security is losing.

The current happy ending to the ROP thread is it’s going to continue, the naysayers seem to have calmed down for now. I was a bit worried for a while I’ll admit. I have no doubt they’ll be back though.

Help or shut up. That is all.

Join the conversation, hit me up on twitter, I’m @joshbressers

Your containers were built in some guy’s barn!

Today containers are a bit like how cars used to work a long long long time ago. You couldn’t really buy a car, you had to build it yourself or find someone who could build one for you in their barn. The parts were terrible and things would break all the time. It probably ran on steam or was pulled by a horse.
Containers aren’t magic. Well they are for most people. Almost all technology is basically magic for almost everyone. There are some who understand it but generally speaking, it’s complicated. People know enough to get by which is fine, but that also means you have to trust your supplier. Your car is probably magic to you. You put gas in a hole in the back, then you can press buttons, push pedals, and turn wheels to transport you places. I’m sure a lot of people at this point are running through the basics of how cars work in their heads to reassure themselves it’s not magic and they know what’s going on!
They’re magic, unless you own an engine hoist (and know how to use it).
Now let’s think about containers in this context. For the vast majority of container users, they get a file from somewhere, it’s full of stuff that doesn’t make a lot of sense. Then they run some commands they found on the internet, then some magic happens, then they repeat this twiddling things here and there until on try 47 they have a working container.
It’s easy to say it doesn’t matter where the container content came from, or who wrote the dockerfile, or what happens at build time. It’s easy because we’re still very early in the life of this technology. Most things are still fresh enough that security can squeak by. Most technology is fresh enough you don’t have to worry about API or ABI issues. Most technology is new enough it mostly works.
Even as new as this technology is, we are starting to see reports of how many security flaws exist in docker images. This will only get worse, not better, if nothing changes. Almost nobody is paying attention, containers mean we don’t have to care about this stuff, right!? We’re at a point where we have guys building cars in their barns. Would you trust your family in a car built in some guy’s barn? No, you want a car built with good parts that has been safety tested. Your containers are being built in some guy’s barn.
If nothing changes, imagine what the future will look like. What if we had containers in 1995? There would still be people deploying Windows 95 in a container and putting it on the Internet. In 20 years, there are still going to be containers we use today being deployed. Imagine still seeing Heartbleed in 20 years if nothing changes, the thought is horrifying.
Of course I’m a bit over dramatic about all this, but the basic premise is sound. You have to understand what your container bits are. Make sure your supplier can support them. Make sure your supplier knows what they’re shipping. Demand containers built with high quality parts, not pieces of old tractors found in some barn. We need secure software supply chains, there are only a few places doing it today, start asking questions and paying attention.
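“Understand what your container bits are” can be turned into a check that runs before anything is built. Below is an added example, not code from the original post or from any container project: a small Dockerfile review script that flags base images not pinned to a version and digest, base images from outside a list of supported suppliers, and build steps that pull unrecorded content off the network. The allowlist of sources, the registry name and the sample Dockerfile are all constructed for this example and would be replaced with your own suppliers.

```python
"""Added example (not from the original post): a Dockerfile provenance check.
TRUSTED_SOURCES and the sample Dockerfile are constructed for the example."""

import re

# Constructed allowlist: the base-image sources a (hypothetical) organisation
# has a support relationship with. registry.example.com is a placeholder.
TRUSTED_SOURCES = ("registry.example.com/", "docker.io/library/")

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# `curl ... | sh` style steps: whatever was downloaded ran, and nothing records it.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")


def normalise_image(ref: str) -> str:
    """Expand the short forms Docker accepts into a full reference so the
    allowlist comparison is uniform: 'ubuntu' -> 'docker.io/library/ubuntu',
    'myorg/app' -> 'docker.io/myorg/app', registry-qualified names unchanged."""
    ref = ref.strip()
    if ref.lower() == "scratch":
        return ref
    name = ref.split("@", 1)[0]
    if "/" not in name:
        return "docker.io/library/" + ref
    first = name.split("/", 1)[0]
    # The first path component is a registry host if it has a dot or a port.
    if "." in first or ":" in first or first == "localhost":
        return ref
    return "docker.io/" + ref


def check_dockerfile(text: str) -> list:
    """Return (line_no, finding) tuples for the Dockerfile text."""
    findings = []
    stages = set()  # names of earlier build stages; FROM <stage> is fine
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        instr = parts[0].upper()
        if instr == "FROM" and len(parts) >= 2:
            upper = [p.upper() for p in parts]
            if "AS" in upper and upper.index("AS") + 1 < len(parts):
                stages.add(parts[upper.index("AS") + 1])
            args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=...
            if args[0] in stages:
                continue
            image = normalise_image(args[0])
            if image == "scratch":
                continue
            if not any(image.startswith(src) for src in TRUSTED_SOURCES):
                findings.append((line_no, f"base image {image} is not from a supported source"))
            name = image.split("@", 1)[0]
            tag = name.rsplit("/", 1)[-1].split(":", 1)
            if len(tag) == 1 or tag[1] == "latest":
                findings.append((line_no, f"base image {image} uses a floating tag; pin a version"))
            if not DIGEST_RE.search(image):
                findings.append((line_no, f"base image {image} is not pinned by digest; contents can change between builds"))
        elif instr == "ADD" and len(parts) >= 2 and re.match(r"https?://", parts[1]):
            findings.append((line_no, "ADD fetches from the network at build time; vendor the file or verify a checksum"))
        elif instr == "RUN" and PIPE_TO_SHELL_RE.search(line):
            findings.append((line_no, "RUN pipes a download straight into a shell; nothing records what was executed"))
    return findings


# Constructed sample: one sloppy stage, one stage built the way we want.
SAMPLE_DOCKERFILE = (
    "# constructed sample input\n"
    "FROM ubuntu\n"
    "RUN curl -sSL https://example.invalid/install.sh | sh\n"
    "ADD https://example.invalid/tool.tar.gz /opt/\n"
    "FROM registry.example.com/base/python:3.11@sha256:" + "0" * 64 + " AS app\n"
    "COPY . /app\n"
)


if __name__ == "__main__":
    for line_no, finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {finding}")
```

Run against the sample, the first stage produces four findings (floating tag, no digest, a piped install script and a network fetch) and the second stage produces none. The digest check is the one that matters most for the “what are my bits” question: a tag tells you what the supplier called the image, a digest tells you exactly which bytes you built on.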

Join the conversation, hit me up on twitter, I’m @joshbressers

Is the Linux ransomware the first of many?

If you pay any attention to the news, you’ve no doubt seen the story of the Linux ransomware that’s making the rounds. There has been much said about the technical merits of this, but there are two things I keep wondering.

Is this a singular incident, or the first of many?

You could argue this either way. It might be a one off blip, it might be the first of more to come. We shouldn’t start to get worked up just yet. If there’s another one of these before the year ends I’m going to stock up on coffee for the impending long nights.

Why now?

Why are we seeing this now? Linux and Apache have been running a lot of web servers for a very long time. Is there something different now that wasn’t there before? Unpatched software isn’t new. Ransomware is sort of new. Drive-by attacks aren’t new. What is new is the amount of attention this thing is getting.
It is helpful that the author made a mistake so the technical analysis is more interesting than it would be otherwise. I wonder if this wouldn’t have been nearly as exciting without that.
If this is the first of many, 2016 could be a long year. Let’s hope it’s an anomaly.

Join the conversation, hit me up on twitter, I’m @joshbressers