Securityblog

This tweet https://twitter.com/RichFelker/status/666325066838339584 Led to this thread http://marc.info/?t=144778171800001&r=1&w=2 The short version is there are some developers from Red Hat working on gcc attempting to prevent ROP style attacks. More than one person has accused this work of being pointless and a waste of time. It’s not, the waste of time is arguing about why trying new things is dumb. Here’s the important thing security people always screw up. The only waste of time is if you do nothing and complain about the people who are doing something. ...

Today containers are a bit like how cars used to work a long long long time ago. You couldn’t really buy a car, you had to build it yourself or find someone who could build one for you in their barn. The parts were terrible and things would break all the time. It probably ran on steam or was pulled by a horse. Containers aren’t magic. Well they are for most people. Almost all technology is basically magic for almost everyone. There are some who understand it but generally speaking, it’s complicated. People know enough to get by which is fine, but that also means you have to trust your supplier. Your car is probably magic to you. You put gas in a hole in the back, then you can press buttons, push peddles, and turn wheels to transport you places. I’m sure a lot of people at this point are running through the basics of how cars work in their heads to reassure themselves its’ not magic and they know what’s going on! ...

If you pay any attention to the news, no doubt the story of the Linux ransomware that’s making the rounds. There has been much said about the technical merits of this, but there are two things I keep wondering. Is this a singular incident, or the first of many? ** ** You could argue this either way. It might be a one off blip, it might be the first of more to come. We shouldn’t start to get worked up just yet. If there’s another one of these before the year ends I’m going to stock up on coffee for the impending long nights. ...

Anytime you do anything, no matter how small or big, there will always be three groups of people involved. How we interact with these groups can affect the outcome of our decisions and projects. If you don’t know they exist it can be detrimental to what you’re working on. If you know who they are and how to deal with them, a great deal of pain can be avoided, and you will put yourself in a better position to succeed. ...

How do we talk to the regular people? What’s going to motivate them? What matters to them? You can easily make the case that business is driven by financial rewards, but what can we say or do to get normal people to understand us, to care? Money? Privacy? Donuts? I’m not saying we’re going to turn people into experts, I’m not even suggesting they will reach a point of being slightly competent. Most people can’t fix their car, or wire their house, or fix their pipes. Some can, but most can’t. People don’t need to really know anything about security, they don’t want to, so there’s no point in us even trying. When we do try, they get confused and scared. So really this comes down to: ...

How many times have you tried to get buyin for a security idea at work, or with a client, only to have them say “no”. Even though you knew it was really important, they still made the wrong decision. We’ve all seen this more times than we can count. We usually walk away grumbling about how sorry they’ll be someday. Some of them will be, some won’t. The reason is always the same though: ...

Anytime there’s some sort of vacuum, something will appear to fill the gap. In this context we’re going to look at what’s filling the vacuum in security. There are a lot of smart people, but we’re failing horribly at getting our message out. The answer to this isn’t simple. You have to look at what’s getting attention that doesn’t deserve to get attention. Just because we know a product, service, or idea is hogwash doesn’t mean non security people know this. They have to attempt to find someone to trust, then listen to what they have to say. Unfortunately when you’re talking about extremely complex and technical problems, they listen to whoever they can understand as there’s no way they can determine who is technically more correct. They’re going to follow whoever sounds the smartest. ...

The security people are currently losing the battle to win the hearts and minds of the people. The war is far from over but it’s not currently looking good for our team. As with all problems, if there is a vacuum, something or someone end up filling it. This is happening right now in security. There are a lot of really smart security people out there. We generally know what’s wrong, and sometimes even know how to fix it, but the people we need to listen aren’t. I don’t blame them either, we’re not telling them what they need to know. ...

One the hardest things we have to do is to build trust. It’s not hard for everyone, just us specifically. It’s not in our nature. Security people tend not to trust anyone. Everything we do is based on not trusting anyone, it’s literally our job. Trust is a two way street. If you expect someone to trust you, you have to trust them to a certain degree. This is our first problem. We don’t trust anybody, for good reason often, but it’s a problem. We have to learn how to trust others so we can get them to trust us. This is of course easier said than done. Would you trust someone with your password? I wouldn’t, but a lot of people do. This is a place where they won’t understand why we don’t trust them. Of course sharing a password isn’t a great idea, but that’s not the point. ...

We can’t. You think you can, but you can’t. This reminds of the Feynman video where he’s asked how magnets work and he doesn’t explain it, he explains why he can’t explain it. Our problem is we’re generally too clever to know when to stop. There are limits to our cleverness unfortunately. I’m picking on buffer overflows in this case because they’re something that’s pretty universal throughout the security universe. Most everyone knows what they are, how they work, and we all think we could explain it to our grandma. ...