It is increasingly disturbing to me that individuals of a certain prominence use their vexing ability to understand complex computations to scare the living heck out of the rest of us humble folks.
Recently, I was reading a bit of a presentation given by Mr. Paul Kocher of Cryptography Research, Inc., in which he stated, “Moore’s Law is driving vendors to build systems of exponentially increasing complexity without making security experts exponentially smarter to compensate. The resulting products have a minuscule chance of being extremely secure, and a large chance of being critically flawed.”
Moore’s law states that every 18 months, transistor density on silicon (and thus technological complexity) will double. At least, that’s what Mr. Moore used to think, until he was interviewed in 1997 and decided that the rate of increase was slowing down, but I digress.
So this bit of presentation gave me pause. It felt very much like I was hearing the fire and brimstone, hell and damnation sermons of the 1950s. I looked through the online archives of the publication in which Mr. Moore was quoted in May of 1997. He said, “… in about a decade, we’re going to see a distinct slowing in the rate at which the doubling occurs. I haven’t tried to estimate what the rate will be, but it might be half as fast – three years instead of eighteen months.”
So Mr. Kocher was using Mr. Moore’s theory of exponential increase in complexity, to state that vendors will build horrifically complex systems. Yet five years ago, Mr. Moore himself revised his own theory to entertain the possibility that the exponential increase is slowing down. I was also disturbed by the statement that security experts are not getting smarter in relation to the complexity. I disagree with that generalization.
Security experts are at work on the same problems the hackers are trying to exploit. How many attacks does Symantec’s lab avert before any of us even get our morning coffee? So many, that we will never know about it. There are hundreds. This diligence, coupled with the slew of security symposiums, classes and webinars, helps me to believe in our current and future security experts. They are right there with the best of the black hats. Literally, they all went to Las Vegas on the same plane for DefCon. Of course, bad things happen. Attacks will always happen. How much ‘increased assurance’ is really going to stop the mass denial-of-service canvasses?
This type of ‘fear-feeding’ as I like to call it, breeds paranoid over-expenditure, which leads of course to failed infrastructure security on a variety of levels. You scare the heck out of the corporate heads, who then bully the IT administrators to find non-existent issues, who then lobby IT directors for items they have no real current need for (or training on how to implement), and then all hell breaks loose when some absent-minded person down in marketing opens an email titled, “It’s from me your good friend!” This of course, infects the whole system, which then means that the CTO calls in that huge consultancy down the street to ‘analyze’ the enterprise infrastructure for massive security holes. Meanwhile, Doris down in marketing still doesn’t know who emailed her that very nice message, and spends many nights awake pondering who her ‘good friend’ might actually be.
It’s the morass of ill expressed proclamations that breed these digital urban legends. ‘Your enterprise will be infiltrated by the guy that lives in the bottom of the lake.’ The world of e-security will not fall apart tomorrow. Mr. Kocher stated, “The resulting products have a miniscule chance of being extremely secure, and a large chance of being critically flawed.” Miniscule is incredibly small. So what does this mean? Will companies such as Baltimore, VeriSign and RSA have an almost zero chance of providing real solutions? Are their products going to be so complex that they’ll be completely insecure? In telling us that the products will be “critically flawed,” is he saying that we will purchase deliberately unproven solutions? I have a hard time buying into that. Every version 1.0 is critically flawed. Sometimes the first to market are there specifically to say they were there first. Pretty much everyone knows that until you hit version 2.0 or onward, ghosts will appear in the bathroom mirror.
This isn’t a Robert Heinlein novel and we are not yet living the lives of THX11-38. All that the ‘future fear’ and impending doom theorists do for us, is give us another angle to consider. The problem is that too many well-meaning people are frightened. Hordes of IT admins are sent running for the aspirin. This is indeed the most interesting technological decade of all time from a security standpoint. It is also a time of wary disillusionment, with all of the fear mongers telling us that their solutions are newer, stronger, better, cooler. As my esteemed colleague Mr. Fred Rica at PricewaterhouseCoopers has said, “There will never be just one solution or silver bullet.”
I beg to differ with all the Televangelist Security Masters of today. Yes, enterprise infrastructure is complex. It’s complex by nature, and much more complex than a decade ago. We gave up on mainframes, duct tape and green screens years ago. Well not duct tape actually, but most of the 1970s technology. However, the technologists of today are not all ignorant and blind. Many, in fact, are in the process of integrating our overly complex technologies into industry standards. The technologists are taking the non-convergences away, and many networks can communicate, authenticate, and authorize, using smaller, but no less secure processes.
Yes, it is very frightening to be living in a world where people can hack into my company email and read what I am to bring to the meeting on Friday (I never should have volunteered for donut duty). I strongly believe, however, that by hiring competent people, and implementing proven measures of security throughout the company, you can stave off a huge percentage of the ‘impending attacks’. Now if you would just stop watching those televangelists at 2 a.m., you may also stave off the impending attacks to your sanity as well. I promise you, the $1.99 VPN just doesn’t look the same when it arrives in the mailbox, no matter what they tell you.
Melisa LaBancz is a San Francisco area security journalist. Traumatized by poor math skills, she is jealous of engineers.