March 12, 2009
We don't fear no black swan!
Over on EC, Adam does a presentation on his new book, co-authored with Andrew Stewart. AFAICS, the basic message in the book is "security sucks, we better start again." Right, no argument there.
Curiously, he's also experimenting with Twitter in the presentations as a "silent" form of interaction (more). It is rather poignant to mix twitter and security, but I generally like these experiments. The grey hairs don't understand this new stuff, and they have to find out somehow. Somehow and sometime, the only question is whether we are the dinosaurs or the mammals.
Reading through the quotes (standard stuff) I came across this one, unattributed:
I was pretty dismissive of "Black Swan" hype. I stand by that, and don't think we should allow fear of a black swan out there somewhere to prevent us from studying white ones and generalizing about what we can see.
OK, we just saw the Black Swan over on the finance scene, where Wall Street is now turning into Rubble Alley. Why not on the net? Black swans are a name for those areas where our numbers are garbage and our formulas have an occasional tendency (say 1%) to blow up.
Here's why there are no black swans on the net, for my money: there is no unified approach to security. Indeed, there isn't much or anything of security. There are tiny fights by tiny schools, but these are unadopted by the majority. Although there are a million certs out there, they play no real part in the security models of the users. A million OpenPGP keys are used for collecting signatures, not for securing data. Although there are hundreds of millions of lines of security code out there, now including fresh new Vista!, they are mostly ignored or bypassed or turned off or any other of the many Kerckhoffsian modes of failure.
The vast majority of the net is insecure. We ain't got no security, we don't fear no black swan. We're about as low as we can get. If I look at the most successful security product of all time, Skype, it's showing around 10 million users right now. Facebook, Myspace, youtube, google, you name them, they *all* do an order of magnitude better than Skype's ugly duckling waddle.
Why is the state of security so dire? Well, we could ask the DHS. Now, these guys are probably authoritative in at least a negative sense, because they actually were supposed to secure the USA government infrastructure. Here's what one guy says, thanks to Todd who passed this on:
The official in charge of coordinating the U.S. government's cybersecurity operations has quit, saying the expanding control of the National Security Agency over the nation's computer security efforts poses "threats to our democratic processes."
"Even from a security standpoint," Rod Beckstrom, the head of the Department of Homeland Security's National Cyber Security Center, told United Press International, "it is unwise to hand over the security of all government networks to a single organization."
"If our founding fathers were taking part in this debate (about the future organization of the government's cybersecurity activities) there is no doubt in my mind they would support a separation of security powers among different (government) organizations, in line with their commitment to checks and balances."
In a letter to Homeland Security Secretary Janet Napolitano last week, Beckstrom said the NSA "dominates most national cyber efforts" and "effectively controls DHS cyber efforts through detailees, technology insertions and the proposed move" of the NCSC to an NSA facility at the agency's Fort Meade, Md., headquarters.
It's called "the equity debate" for reasons obscure. Basically, the mission of the NSA is to breach our security. The theory has it that the NSA did this (partly) by ensuring that our security -- the security of the entire net -- was flaky enough for them to get in. Now we all pay the price, as the somewhat slower but more incisive criminal economy takes its tax.
Quite how we get from that above NSA mission to where we are now is a rather long walk, and to be fair, the evidence is a bit scattered and tenuous. Unsurprisingly, the above resignation does not quite "spill the beans," thus preserving the beanholder's good name. But it is certainly good to see someone come out and say, these guys are ruining the party for all of us.
Posted by iang at March 12, 2009 07:00 PM
"OK, we just saw the Black Swan over on the finance scene, where Wall Street is now turning into Rubble Alley. Why not on the net? Black swans are a name for those areas where our numbers are garbage and our formulas have an occasional tendency (say 1%) to blow up."
(sounds of alex's face blowing up like an angered cartoon character)
Ok, first, Black Swans are a name for things we don't have prior information for. Not "long tail events" (Taleb) and not uncertainty in measurements or faulty model selection (above).
Second, Really? Current financial crisis was a Black Swan? I suppose if you take Taleb's relativist re-interpretation of Black Swan, that's true for some people (at this point we should note that he's on record multiple times claiming the current crisis was not, in his not-so humble opinion, a Black Swan). But if we say that we had no prior information for real estate bubbles and financial sector insolvency, Japan says "hello".
Interestingly enough, however, we *do* have a sort of Black Swan in security, called a "zero-day". The actual vector and tactic of breach for a zero-day is something we have no prior information for. Fortunately, we do have prior information about the relative ubiquity of these "unknown unknowns". Enough for us to have our little keynotes where we say phrases with big words like "attackers are asymmetric and unpredictable" and say catchy slogans like "we have to start over".
First, "black swans" do not really fit in a well-defined model. Which is why I slightly prefer,
1, Known Knowns,
2, Unknown Knowns,
3, Unknown Unknowns.
(Call it the !KU model ;)
Zero day events fall in 2 and 3 (as do black swans); however, the majority of the net's woes fall well and truly in 1 and 2.
Which is a clear indicator there is something grievously wrong with our security process, which I have mentioned before should be treated like a "Quality process".
For some reason we tend to treat security as a purchase process only 8(
The reason may well be that due to it being a "Red Queen's race" technical staff do not have the time to get ahead of the game. However I feel that it is more of a failing by technical staff to understand and appreciate the business process.
Either way we need to get off of the "hamster wheel of pain" and this is not going to happen by improving a failed process.
We see comments about security and ROI as having failed or worse "counting on fingers". Which suggests that technical staff are at best playing at understanding the business process.
People talk about the CIO needing an MBA; personally I think any junior manager in a technical field (yes, lowly team leaders, that means you) should have a business diploma as a job requirement.
If nothing else it will enable us to communicate with "the man" who "cuts our cheques" at the end of the month and stop him seeing us as sunk costs or worse a dispensable waste of resources...
Finally, to clear up a misconception that has sprung up of late due to the previous political incumbents on the hill.
The NSA has two main functions: to monitor the communications of foreigners and their governments, and to use their special knowledge to improve the security of US communications and its supporting infrastructure. It was never envisaged that they would listen in to US Nationals as that would have been illegal (and probably still is).
It is the previous administration insisting that the NSA and the Telcos and other US comms organisations make available all information to the administration in the name of the "war on terror" that has led to wide scale abuse and the current perception of the NSA as an adjunct of the DHS snoopers at airports insisting on copying HDs and Flash drives as people enter the US.
I suspect the NSA appreciate the extra money but really don't want the job, as it's a task that you can only ever draw at, never win (no matter what a politico might think). And it is not going to win it any friends in the near future when people wake up and realise that the war was not on terror but an excuse to extend executive power beyond the legal limits and a misguided attempt at economic national security.
In reality the NSA has done a lot to help security once it realised it was to their benefit to do so. Looking at some of the Open Source initiatives with Linux security etc. shows that they can and do make improvements. Another area is efficient voice encoding, which the likes of Skype are dependent on.
Unfortunately they also are involved with other dual use technology such as Carnivore, but as with a knife its use can be good (scalpel) or bad (dagger); it is ultimately up to us to decide (if we are allowed) how it is to be used.
P.S. Iang feel free to use as you see fit.
To Clive and Alex,
Sure! Two opposing views: I am using the terminology fast and furious; my point is that we don't care much about exotica like black swans or zero days or unknown unknowns; the reason being quite simply that we haven't actually covered the white swans / N days / known knowns as yet.
You are totally correct that I have mangled the terms. I'm not that worried about the need to correct them, because even if I do get it down perfectly, I win nothing. If we're still hopeless at basic security, what's the point in understanding exotic failures?
In contrast, I am now academically interested in their definitions! Thanks for the comments!
The basic message of our book is we need to apply the scientific method and lessons from both mathematical and social sciences to information security.
The "unattributed" comment was my own. Sorry that's not more clear.
I think I generally agree, but would say not that there are no black swans, but that we're unable to comment on what color swans are except for those we've seen with our own eyes, through a haze 10 years ago.