Dailydave mailing list archives
Security Paleontology - The Jurassic Park rule
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 16 Jul 2014 16:29:55 -0400
Like many of you, I went to the theater with a child much too young and re-watched the new and more awesome 3D Jurassic Park until they cried loudly enough to annoy the other theater-goers and wanted to leave. Because in 3D, those big dinosaur things are scary. And also that dude gets eaten while on the toilet.

And, honestly, looking at a lot of the security problems my friends are dealing with on the defensive side makes me reiterate that I'd rather be eaten, while on the toilet if necessary, by a large reptile than ever try to convince someone that "cloud security" was possible. How are you going to do anything securely in the cloud, when the core problem of performance isolation is basically just a lot of hands waving over a lot of CPUs in the basic architecture of perfidy that Seymour Cray would have cried to have even dreamed about? I know you all feel the same way about sitting through any presentations on Internet Scale Performance - except all your IO is going over a cleartext leased line through both China and Russia before coming back to you, on machines whose hypervisors are all corrupted by malware that "can't possibly exist".

And, of course, what my friends often want to know about is "the root cause". You can probably see the former-Saudi-construction-project-managers that make up a lot of Al Qaeda's command structure thinking the same thing. "Maybe if we just stop using cell phones so much we'll stop getting eaten by the giant beasts that are hunting us?" And you can see Target's new team using that same tone of voice, except in a much nicer cave somewhere in suburbia. "Hey, if we switch to whitelisting our point-of-sale systems, will that prevent hackers from stealing all the credit cards that people still use to buy their kids giant book bags that can double as Go Karts?" And the answer is, of course, that if you put lots of sugar in a bowl, flies will find a way to eat it. Life will find a way!
It's the Jurassic Park rule, and it applies equally to credit card numbers, RSA token key information and State Department cables. The way to secure your data is not to add layers of encryption and whitelisting, but in fact just to make it less valuable. You can see Archer <https://www.youtube.com/watch?v=8KAVZEiIjk8&feature=kp> saying "This is why we get ants" right here, and it's not a coincidence that INNUENDO <https://www.immunitysec.com/products-innuendo.shtml>'s logo is a big ant head.

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave