A debate has erupted over the blogspace where some security insiders (Tao, EC)are saying that there is real serious exploit code sitting there waiting to be used, but "if we told you where, we'd have to kill you."
This is an age old dilemma. The outsiders (Spire) say, "tell us what it is, or we believe you are simply making it up." Or, in more serious negotiating form, "tell us where or you're buying the beers."
I have to agree with that point of view as I've seen the excuse used far too many times, from security to finance to war plans. Both inside and outside. In my experience, when I do find out the truth, the person who made the statement was more often wrong than right, or the situation was badly read, and nowhere near representative.
Then, of course, people say that they have no choice because they are under NDA. Well, we all need to eat, don't we? And we need to maintain faith and reputation for our next job, so the logic goes.
This is a trickier one. Again, I have my reservations. If a situation is a real security risk, then what ever happened to the ethics of a security professional? Are we saying that it's A-OK to claim that one is a security professional, but anything covered by an NDA doesn't count? Or that when a company operates under NDA, it's permitted to conduct practices that would ordinarily be deemed insecure?
Fundamentally, an NDA switches your entire practices from whatever you believed you were before to an agent of the company. That's the point. So you are now under the company's agenda - and if the company is not interested in security then you are no longer interested in security, even if the job is chief security blah blah. Is that harsh? Not really, most security companies are strictly interested in selling whatever sells, and they'll sell an inadequate or insecure tool with a pretty security label with no problem whatsoever. Find us a company that withdrew an insecure tool and said it was no longer serving users, and we might have a debate on this one.
At the minimum, once you've signed an NDA, you can't go around purporting to have a public opinion on issues such as disclosure if you won't disclose the things you know yourself. Or, maybe, if you chose to participate in the security practices covered under NDA, you are effectively condoning this as a security practice, so you really are making it all up as you go. So in a sense, the only value to these comments is simply as an advert for your "insideness," like the HR people used to mention as a deal breaker.
It is for these reasons that I prefer security to be conducted out in the open - conflicts like these tend to be dealt with. I've written before about how secret security policies are inevitably perverted to other agendas, and I am now wondering whether the forces of anti-security are wider than that, even.
It may be that it is simply incompatible to do security in a closed corporate environment.
Consider the last company you worked at where security was under NDA - was it really secure? Consider the last secure operating system you used - was it one of the closed ones, or one of the free open source implementations with a rabid and angry security forum? Was security just window dressing because customers liked that look, ticked that box?
Recent moves towards commercialism (by two open organisations in the browser field) seem to confirm this; the more they get closer to the commercial model, the more security baby gets thrown out with the bath water.
What do you think? Is it possible to do security in a closed environment? And how is that done? No BS please - leave out the hype vendors. Who seriously delivers security in a closed environment? And how do they overcome the conflicts?
Or, can't you say because of the NDA?
Posted by iang at August 11, 2005 06:20 PM | TrackBackThe "we all need to eat" argument implies fear that a honest approach to security will have you fired and someone else hired in your place. Those voicing such arguments are afraid, because there's nobody to stand up for them, and there are plenty to take their jobs, if they're out.
There are well-established means to combat such threats: guilds, trade associations, etc. Locksmiths have been among the first to form guilds in medieval Europe, and locksmith guilds are still alive and kicking in many parts of the world.
An information-security guild with a good (and strict) code of conduct, a well-functioning apprenticeship program, clear procedures for accepting and expelling members, would have the clout to enforce its principles and protect its members from NDAs contradicting them. After a while, it may even have enough lobbying power to affect legislation so to mandate good security where it is needed.
How about founding one?
Ha! Good response.
A guild would indeed add some sort of solution to this problem but it comes at a large cost - that of an agenda to ensure its own survival over any other interests.
Indeed, by some views, there is a guild: the Cryptography Guild has been accused variously of PKI, digsig laws, the "no-risk" crypto methodology and the ban against non-members doing crypto.
Posted by: Iang at August 12, 2005 10:51 AMWhich "two open organisations in the browser field"? Don't be such a coy maiden...
Posted by: OL at August 12, 2005 11:49 AMAny stable organization's ultimate goal is its own survival. However, when organizing people to achieve a particular goal, one needs to pick the organizational form where the survival of the organization is most compatible with the goal. If the goal is high-quality security services, corporation is definitely not the best organizational structure, as you eloquently argue in your post.
A guild, with properly defined code of conduct and formalized procedures might come a lot closer, in my opinion. Sure, guilds have their costs and downsides, and guild-like behavior can cause a lot of damage, but I believe that it can be done right.
Also, as we know, cryptography!=security. Cryptography is just one class of security measures (and there are countless others). Information security is a lot more than cryptography. First and foremost it is about analyzing and modeling threats, to come up with useful ways of countering them, in my opinion. This is much easier said than done, and requires a lot of experience (some of it in the form of recorded past case studies).
I wrote critically about a browser manufacturer a month or two back, and they recently announced the creation of their commercial arm. I didn't know about it at the time but had been told on a few occasions that things were happening internally, secretly. It helps to explain their resistence to change from a model that was well accepted by the commercial players they had been negotiating with, even when shown to result in less security for their users.
The other organisation I'm looking at is a CA which is now following sort of the same path. It's working to get some sort of audit in place. But the audit process itself is (I claim) flawed in fundamental ways, and every time we get close to the flaws, the answer is "do you want to play with the big boys or don't you?"
Both these organisations have achieved good stuff - it serves no purpose to concentrate on them in particular as what is happening there is the same as that which happens in other places, and their presence on net improves security, in both senses of the word.
Posted by: Iang at August 12, 2005 12:14 PMSure, I was just using crypto as an example because guilds had been discussed in the past.
OK, so what then would the Hallowed Guild of Financial Cryptographer's look like? How would we induct new members?
Posted by: Iang at August 12, 2005 12:53 PM