Computer Security: An Utter Failure

Apparently I'm not the only person who feels that computer security has been accomplishing relatively little, in return for a large amount of money expended.

In his breathless rant "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security" Noam Eppel argues that one of the main reasons the security industry is failing is because it is being out-innovated. I wish it was so simple! Like most long, drawn-out, expensive disasters there are multiple causes that reinforce eachother so that the participants can feel that they're chasing a solution that's just around the corner if they only try a little harder. Eppel's completely right about every one of the points he raises, and I highly recommend his article. But he's leaving a few things out; namely that the victims of the information security industry are willing victims. Indeed, a lot of them are true believers.

Earlier this week I presented a talk at a conference, in which I described how firewall technology rapidly traded performance for integrity ("Dude! Where did my firewall go!?") and comprehensibility for marketing glitziness. But, this didn't happen in a vacuum: security products are crap, because crap is what customers want. Information security technology has become the "fad diet" of the IT industry. Normally, I dislike arguing by analogy, but the similarities between the diet industry and the information security market are unmistakable. Americans spend billions of dollars annually on pseudo-scientific patent medicines that claim "just take this and you'll lose weight!" when in fact the only way to lose weight is to let the 2nd law of thermodynamics do its magic: if you burn more than you take in, you'll get smaller. We all know the two magic cures: diet and exercise, but somehow those are the last resort, instead of the first. Information security is the same way: If you reduce the number of potential lines of attack against your systems, you'll be harder to attack. If the number of potential lines of attack is equal to zero, you'll be impossible to attack. But building low-complexity systems that are secure by design is the last resort, instead of the first. And the proof is in the pudding.

The more you spend: the worse it sucks

(Source: department of made-up "gee-wow" numbers)

What does that tell you? A sane person would look at the way information security has been evolving, and would conclude that if we had stopped doing anything in 1992, we'd have been better off. In fact, it's true. Security technologies in 1992, in some cases, were better than they are today, because today's security technologies have to deal with a wider range of more complex problems. Notice that I didn't say "attacks" - I said "problems." The attacks aren't the problem - it's the applications mix that users want to field. Instead of FTP (which sucked) we now have remote procedure call over web over SSL (which sucks unbelievably) - how can a firewall possibly provide meaningful controls over a protocol like that? Even the authors of the web-app-middleware-suite-gui-stuff don't understand how it works, it's such a plate of spaghetti. Secure that? No, thank you, I'd rather listen to The CheckPoint Song again and again until my brain melts.

So, what's really going on? As I said elsewhere, the problem is that there are many places where we can attach the blame for the information security disaster. We have:

• Vendors that unashamedly hawk shameful crap
• Customers that are comfortable being ignorant about security, so they buy crap
• Software that is crap
• Malcode writers, spammers, and spyware writers that have convinced themselves that their crap is moral
• Hackers who have established a self-justifying circular logic that encourages a market in vulnerability disclosure
• Consultants that make gigantic sums diagnosing the problem, instead of solving it
• Software that is too complex
• Customers that want software that has useless but attractive features
• Protocols that are proprietary and closed so they cannot be analyzed or improved
• Computer "science" curricula that put an emphasis on feature-building rather than engineering discipline
• Legislators that see security as an easy way to make election year brownie points with voters by passing contradictory and vague rules
• Information providers and aggregators that don't care about the consequences of selling personal data

..etc.

The point is: everyone in this game deserves a good ass-kicking . But, whenever security people look at the state of the industry, they invariably seem to latch on one of the potential blame-targets above, and they assume that, if only we could apply sufficient pressure on one key aspect of the problem, it would all be OK. This is what I call "a circular dependency of lameness" - at each point in the broken process, it's so easy to think "if I just fix it really well here it'll all be OK." But it won't. To solve a broken situation like information security, you need to attack all the pressure points, simultaneously. And that's just not going to happen because there are too many vested interests making a lot of money off of each of the problems I've listed above. Trying to get them all to stop cashing in at once is simply not going to happen.

In fact, most of the "new" products on the security landscape are intellectual re-treads of old ones that didn't work the first time we tried them: "intrusion prevention"? It'll work about as well as "network anti-virus." Meanwhile, it's 2006 and people's computers still get viruses, spyware, and trojan horses. Back in the 1970's and early 1980's we knew how to build operating systems that were rock solid and virus-proof. How long will we have to wait for someone to re-invent MULTICS with a GUI on top of it? This stuff isn't rocket science, but we're spending money at a rocket science level, and we're getting amateur hour results. It's 2006, and the "state of the art" in information security is to preach "patch! patch! patch!" And, when the propagation time of worms drops, "patch tools! patch tools! automated patching! instant patching!" Information security's response to bitter failure, in any area of endeavour, is to try the same thing that didn't work - only harder. That's not a good strategy if you're trying to knock down a brick wall with your head, and it's not a good strategy for building secure systems, either. That is a good strategy if what you're trying to do is jam the money faucet in the permanently "open" position.

I think that someday, people will look back at this time in computing history, and laugh. Whenever my buddies and I talk about the old days when we were programming on our Ohio Scientific Challengers and trying to fit our code into 8k of memory, with audio tape cassettes used as storage, we smile and laugh at how cute we were. Hopefully, in another 50 years or so, real engineers will take over and turn computing into an engineering discipline, and our descendants will all giggle at the idea of computers that had to be patched, and anti-virus, and firewalls, and so forth. I really hope that's how it plays itself out, but I won't be around to see it. But, by the time I'm 70, I won't care about information security anymore, anyhow, I'll be too busy making feature-length movies on my PlaystationXI.

mjr.
Killing Time in the lobby of the Croatia Hotel, Cavtat, Croatia
May 11 2006