Friday, August 19, 2005

MetaBlame Brain Dump

A short recap of the thread to date, followed by a brain dump (which I've tried to keep sane):
  • I noticed things seeping through the filters, and worried aloud about security.
  • Doc Searls suggested it's really Mono vs Poly
  • David Berlind points out that Monoculture == Corporate standard, and starts to consider the implications, and the need for discussion
  • Zotob hit CNN, making the headlines
  • The Zotob blame game began
I want to get the discussion going again. It doesn't matter whose fault this particular worm gets assigned to, the answer is irrelevant to fixing the overall problem. What really matters is that we correct the bigger picture. (So, I'm doing a Meta-Blame game?)

Here's how I see it... and I'm more than willing to shift my views to fit the facts:
  • All 3 major platforms (Windows, Mac, and Linux) have required patches in the last year
  • It is safe to assume they all have remaining undiscovered (or undisclosed) vulnerabilities
  • It is impossible to eliminate all of the bugs in any system
  • Evil is at work on new exploits, and getting better at it
  • Day Zero exploits nullify automatic updates as an effective tool
This depressing picture leads naturally to the conclusion that there isn't a single system which will remain secure over time. If we keep using variations of the same strategy, we're going to get the same results.

My social/economic view of the overall driving forces looks like this:
  • Evil people provide resources to seek out our vulnerabilities, in expectation of a return on investment (damage to infrastructure, validation of ego, extortion, etc)
  • Evil people operate a bazaar (along the lines of the Global Guerrillas theory of John Robb), which distributes knowledge, and distributes the risks
  • Offensive Tools which prove effective become commercialized (weaponized?) in this bazaar.
  • Defensive Tools which prove effective become commercialized
  • Good people also operate a bazaar (along the lines of the Cathedral and the Bazaar theory of Eric S. Raymond)
  • Good people provide resources to defend against attacks, in expectation of a return on their investment (improved productivity, better security, validation of ego, etc.)
You can see there is a mirror-like symmetry to all of this, and information leaks both ways.

When you get to the technical arena the picture includes these elements:
  • Exploits must expend resources to search for targets (Time, Bandwidth, Risk of Exposure)
  • Once found, attacking the target is a gamble for more resources
  • The pool of targets is of finite size
  • The cost of acquisition of targets increases as time goes on
  • Not all identified targets yield success
  • Attack programs are subject to reverse-engineering, so their source can be reviewed
On the technical level, it's reasonable and necessary to assume that a perfect defense remains unavailable. It becomes quite prudent (and urgent!) to pursue strategies to reduce the return on investment for a given exploit:
  • Diversify our systems to reduce the absolute numbers of each specific vulnerability (as Doc pointed out in Mono vs Poly)
  • Utilize IDS and Honeypot systems, along with other monitors, to increase the probability of interception, and decrease the time
  • Automatic updates and scanners that close known holes stop the leakage of resources and eliminate the long-term value of an exploit as a resource base
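To make the "technical arena" bullets concrete (finite target pool, rising acquisition cost, diversity and honeypots as counters), here is a small deterministic model of a random-scanning worm. It is an added illustration, not code from the original post; the pool size, vulnerable fraction, honeypot fraction and scan rate are all constructed values, and the mean-field update rule is a simplifying assumption rather than a measurement of any real worm.

```python
"""Toy mean-field model of a random-scanning worm against a finite pool.

Added illustration for the "Mono vs Poly" argument; all parameters are
constructed values, not data from the post or from any real incident.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    ticks_to_half: Optional[int]    # tick when half of the vulnerable hosts are infected
    detection_tick: Optional[int]   # tick when honeypots have accumulated >= 1 expected probe
    final_infected: float           # infected hosts at the end of the run


def cost_per_new_target(pool_size: float, susceptible: float) -> float:
    """Expected probes needed to find one more uninfected vulnerable host.

    Probes land uniformly in the pool, so the cost is pool_size / susceptible;
    it rises as the susceptible population is used up ("cost of acquisition
    increases as time goes on").
    """
    if susceptible <= 0:
        return float("inf")
    return pool_size / susceptible


def simulate(pool_size: int, vulnerable_fraction: float, honeypot_fraction: float,
             scans_per_tick: float, ticks: int, initial_infected: float = 1.0) -> Outcome:
    """Deterministic (expected-value) spread model.

    Each infected host sends scans_per_tick probes per tick to uniformly random
    addresses. A probe that lands on a still-susceptible vulnerable host infects
    it; a probe that lands on a honeypot is a detection event. Reducing
    vulnerable_fraction models diversity: fewer hosts share any one flaw.
    """
    vulnerable = pool_size * vulnerable_fraction
    honeypots = pool_size * honeypot_fraction
    infected = float(initial_infected)
    expected_honeypot_hits = 0.0
    half_tick: Optional[int] = None
    detect_tick: Optional[int] = None

    for t in range(1, ticks + 1):
        probes = infected * scans_per_tick
        susceptible = max(vulnerable - infected, 0.0)
        new_infections = probes * susceptible / pool_size
        infected = min(vulnerable, infected + new_infections)
        expected_honeypot_hits += probes * honeypots / pool_size
        if detect_tick is None and expected_honeypot_hits >= 1.0:
            detect_tick = t
        if half_tick is None and infected >= vulnerable / 2:
            half_tick = t

    return Outcome(half_tick, detect_tick, infected)


if __name__ == "__main__":
    # Constructed scenario: 100k hosts, 10 probes per infected host per tick.
    mono = simulate(100_000, vulnerable_fraction=0.9, honeypot_fraction=0.01,
                    scans_per_tick=10, ticks=50)
    poly = simulate(100_000, vulnerable_fraction=0.3, honeypot_fraction=0.01,
                    scans_per_tick=10, ticks=50)
    print("monoculture:", mono)
    print("diversified:", poly)
    print("probes per new target at 50% saturation (mono):",
          cost_per_new_target(100_000, 45_000))
```

Running the scenario shows the two effects the post argues for: with 90% of hosts sharing the flaw the worm reaches half the vulnerable population in a handful of ticks, while at 30% it takes noticeably longer, and a 1% honeypot population accumulates an expected probe well before either curve peaks. The model ignores latency, blocklists and patching, so treat it as a sketch of the incentives rather than a forecast.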
On the social/economic front, the strategies include:
  • support the white-hat community to promote the constructive disclosure of flaws
  • stop the blame game which encourages vendors to hide flaws
  • community discussion and cooperation in the search for better technologies and social strategies
  • re-examination and re-evaluation of the engineering tradeoffs made in our current system designs.
