Security

There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won’t be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security. Every now and then I run across someone claiming that our training and education is going great. Sometimes I believe them for a few seconds, then I remember the state of things. Here’s the thing. While there is a lot of good training and education opportunities. The ratio between competent security people and developers is without doubt going down. Software engineering positions are growing at more than double the rate of other positions. By definition it’s significantly harder to educate a security person, the math says there’s a problem here (this disregards the fact that as an industry we do a horrible job of passing on knowledge). ...

Every now and then the conversation erupts about what is security really? There’s the old saying that the only secure computer is one that’s off (or fill in your favorite quote here, there are hundreds). But the thing is, security isn’t the binary concept: you can be secure, or insecure. That’s not how anything works. Everything is a sliding scale, you are never secure, you are never insecure. You’re somewhere in the middle. Rather than bumble around about your risk though, you need to understand what’s going on and plan for the risk. ...

If you’ve been paying any attention for the past few weeks, you know what ransomware is. It’s a pretty massive pain for anyone who gets it, and in some cases, it was a matter of life and death. It’s easy to understand what makes this stuff scary, but there’s another angle most haven’t caught on to yet, and it’s not a pleasant train of thought. Firstly, let’s consider a few thing. ...

If you pay attention to the security news, there is something coming called Badlock. It just set off a treasure hunt for security flaws in Samba. Rather than link to the web site (I’d rather not support this sort of behavior), let’s think about this as reasonable people. I can imagine three possible outcomes to the events that have been set in motion. On April 12 a truly impressive security flaw will be disclosed. We will all be impressed. Someone will figure this out before April 12, they have no incentive to act responsibly and will publish what the know right away, better to be first than to be right! Whatever happens on April 12 won’t be nearly as interesting or exciting as we’ve been led to believe. The world will say a collective ‘meh’ and we’ll go back to looking at pictures of cats. Numbers 1 and 2 rely on the flaw being quite serious. If it is serious, I suspect there is a far greater chance of #2 happening than #1. As an industry we should hope for #3, we don’t need more terrible flaws. ...

As anyone who reads this blog knows, I’ve been talking about soft skills in security for quite some time now. I’m willing to say it’s one of our biggest issues at the moment, a point which I get a lot of disagreement on. I have sympathy for anyone who thinks this stuff doesn’t matter, I used to be there. Until I had to start talking to people. As soon as you talk to most anyone outside the security echo chamber, you see what’s actually going on, and it’s not great. ...

During the RSA conference, I was talking about containers and it occurred to me we can think about them like a sandwich. Not so much that they’re tasty, but rather where does your container come from. I was pleased that almost all of the security people I spoke with understand the current security nightmare containers are. The challenge of course is how do we explain what’s going on to everyone else. Securtiy is hard and we’re bad at talking about it. They also didn’t know what Red Hat was doing, which is totally our own fault, but we’ll talk about that somewhere else. ...

The RSA conference is done. It was a very long and busy show, there were plenty of interesting people there and lots of clever ideas and things to do. I think the best part is what didn’t happen though. We love talking about the exciting things from the show, I’m going to talk about the unexciting non events I was waiting to happen (but thankfully they did not). The DROWN issue came and went. It wasn’t very exciting, it got the appropriate amount of attention. Basically SSLv2 is still broken, don’t use it for any reasons. If you use SSLv2, it’s like licking the handrail at the airport. Nobody is going to feel bad for you. ...

It’s been no secret that I think the lack of soft skills in the security space is one of our biggest problems. While usually I usually only write all about the world’s problems and how to fix them here, during RSA I’m going to take a somewhat different approach. I’m giving a talk on Friday titled Why Won’t Anyone Listen to Us? I’m going to talk about how a security person can talk to a normal person without turning them against us. We’re a group that doesn’t like talking to anyone, even each other. We need to start talking to people. I’m not saying we should stand around and accept abuse, I am saying the world wants help with security. We’re not really in a place to give it because we don’t like people. But they need our help, most of them know it even! ...

After my last blog post Change direction, increase speed! (or why glibc changes nothing) it really got me thinking about how can we start to fix some of this. The sad conclusion is that nothing can be fixed in the short term. Rather than trying to make up some nonsense about how to fix this, I want to explain what’s happening and why this can’t be fixed anytime soon. Let’s look at Heartbleed first. ...

The glibc issue has had me thinking. What will we learn from this? I’m pretty sure the answer is “nothing”, which then made me wonder why this is. The conclusion I came up with is we are basically the aliens from space invaders. Change direction, increase speed! While this can give the appearance of doing something, we are all very busy all the time. It’s not super useful when you really think about it. Look at Shellshock, Heartbleed, GHOST, LOGJAM, Venom, pick an issue with a fancy name. After the flurry of news stories and interviews, did anything change, or did everyone just go back to business as usual? Business as usual pretty much. ...