Might As Well Face It...

This week's #fudsecfriday invited guest post is by shrdlu, an IT security manager who has held international positions in multiple institutions and is now US based.  The other clue to his identity is he amuses himself at the expense of his children ("otherwise what's the point in having them?").  I'm still not convinced that narrows it down ;-).  

My thanks to shrdlu for the Molotov cocktail of a post...

IT Security Manager

Now, many of you are probably too young to get a Pogo reference, so I'll just get to the point.

Hello, my name is shrdlu, and I'm a FUD addict.

And so are you.

Come now, do you really think that FUD is only produced by eeeevil vendors out to make a quick buck?  Or do you think it's only generated by clueless media?  No, folks, we're doing it to ourselves on a daily basis.

The very nature of security involves uncertainty.  We all know deep down that you can never have 100% security; that sooner or later, as Richard Bejtlich is so fond of saying, prevention eventually fails.  It's only a matter of time.  And so rather than sitting down and waiting for the threat to come to us, we go out looking for it.  Endlessly.

Emily Yoffe in Slate.com writes about ongoing research in what one scientist calls our "seeking" drive - our addictive behavior around finding nuggets of information:

We actually resemble nothing so much as those legendary lab rats that endlessly pressed a lever to give themselves a little electrical jolt to the brain. While we tap, tap away at our search engines, it appears we are stimulating the same system in our brains that scientists accidentally discovered more than 50 years ago when probing rat skulls.

A very simple example of this addictive seeking behavior can be found in the Facebook application called "Hatchlings."  The player collects eggs of different colors by looking for them in the profile pages of friends also playing the game, as well as other random pages on Facebook.  Once collected, the eggs hatch into various creatures matching their eggs, and can be deleted ("released into the wild") or retained by periodically feeding them -- you guessed it -- more harvested eggs.  It's stupid, it's mindless ... and so far I've found 5,545 of the damned things.  And as far as users go, I'm by no means the worst:  the top-ranked player in my city has over 48,000 of them and the number one player globally has more than 592,000.

So if Hatchling eggs are the gateway drug, it's but a small step from there to Easter eggs in other software.  And when the Easter eggs run dry, well, there are built-in Easter eggs that the developer didn't even know about, aren't there?  They're called "unintended functionality," or vulnerabilities.

Take a look at this year's Black Hat schedule and count the number of talks that are NOT based on finding a vulnerability or finding an attack.  Go ahead, I'll wait.  It's actually kind of like hunting for a needle in a haystack ... and I promise, you'll get a dopamine rush out of it, especially if you find it.

So when pretty much every talk at every conference is about newly discovered vulnerabilities and attacks; when we treat vulnerability researchers as rock stars; when defenders are only interesting when they've actually suffered a breach; is it any wonder that we're steeped in FUD?

If there's still any doubt in your mind, try to remember the last time you said or heard someone say, "You know, our security is probably just fine.  Don't worry about it."