Dailydave mailing list archives

The coming Information War


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 19 Jan 2004 08:46:22 -0500

http://www.computerworld.com/printthis/2003/0,4814,88646,00.html

Slashdot linked to this today and I think it's important enough to talk about. First of all, I hate it when people who've never written an exploit go on and on about the future of internet security.
And things like this bug me:

"""
In the case of a security reformation, this leader would borrow from the ideas of experts who already have reformist ideas, like SEI's Humphrey. Known as the Edward Deming of software, he has implemented and proposed radical changes to the way software is made. Humphrey is unsparing in his criticism of contemporary software security. We're letting creative artists build bridges, he says, then trying to stabilize them with unlicensed laborers while they're collapsing.

Included in Humphrey's blueprint for a security reformation are new software development processes that change the governance and structure of software engineering to favor security. Called Team Software Process (TSP) and Personal Software Process (PSP), they entail a fundamental shift in software development practice from the regular army model--top-down command--to a special operations model wherein a small group is given objectives and let loose to fulfill them. "I want the technical community to become professionals," Humphrey says, "to say, This is how we do our job."

TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25. """

OK, I understand that fewer bugs is often better. But Microsoft hasn't become a monopoly by wasting a lot of money during software development. Without a context on cost and time to market, that paragraph doesn't mean anything at all. And even with that, it still doesn't mean anything in the context of security. If those 25 bugs are strcpy() over the stack or heap, then the program is exactly as secure as it was before. And it's not like hackers use the exact same bug-classes that Microsoft's security team does. In fact, they pretty much have to NOT use the same bug-classes. As much as the idea of "Bugs we don't know about" is fairly impossible for most information security professionals to understand ("but...but...we were all patched up!"), the idea of entire bug classes that are unknown to the PhDs and MBAs that make up the security teams at most levels is fairly revolutionary.

I think it's actually EASY to legislate security into products. You just have to say: If you include something on a CD for money, and it has a security problem that could let an attacker take control of it remotely, the customer gets their money back.

"""

A security reformation will not take place overnight. Longstaff believes that even with a digital Pearl Harbor in 2008, we'll be only 20% reformed by 2010. Whit Diffie, Sun Microsystems' CSO, suggests a 10-year time frame before we should mandate zero tolerance for insecure software and enforce strict liability laws. Even Humphrey says, "I'm hopeful, but the issue is one of time." """

Whit Diffie was at a cypherpunk meeting I attended back in the day, along with Declan and a few other random people who happened to be in DC. I think it's irresponsible for someone who believes that technology can bring freedom to ask for such a draconian law. Do we not have enough laws? Has our screwed up patent system, DMCA, and Patriot Act not convinced people that laws are not the solution?

I think that what we're seeing now is not a building towards a climactic Digital Pearl Harbor, but the opening salvos in an Information War that promises to damage and divide this country as much as the Drug War has in previous decades.

Dave Aitel
Immunity, Inc.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
