07.03.09

Theory of Stupidivity: Guaranteed to Fail

Posted in Cyberterrorism at 7:35 am by George Smith

Today’s cant on cybersecurity is news on ‘Einstein,’ the security system to be installed on all government computers to protect them from cyberspies.

“It is supposed to detect known types of cyberattacks and immediately alert the cybersecurity center,” reports the Wall Street Journal. “The problem: Like its predecessor, it still can’t detect or block sophisticated attacks that weren’t previously known, said Stewart Baker, a former senior Homeland Security Department official. Homeland Security is the only department using it so far.”

“Homeland Security Department first developed Einstein in 2003, adapting technology from a Pentagon program that monitored military networks … ” informs the WSJ.

In another manner of speaking, it uses the anti-virus software model of ‘security.’

Entrenched and solidified over decades, anti-virus software detects only malware that has already been submitted in samples and examples to its developer. That is, it can’t detect the newest attacks until someone else — hopefully not you — has been snared by them.

Over years and years, it has ensured an arms race between virus-writers and software developers, a process that is now locked in stone.

Last week, for example, an advertisement with malicious code in it threw three viruses at DD’s PC. Software caught two and I was left to net the third, which I caught when it tried to alter the system. I threw the virus into a directory I keep for unidentified malware and suspicious programs. A few days later, when the a-v software updated for the third or fourth time after the incident, it was detected. So someone, not just me, had been exposed to it and taken the time to send a sample to the company. And there were, invariably, some people who were screwed over by it.

Security expert Marcus Ranum discussed this at length some years ago in “The Six Dumbest Ideas in Computer Security.”

In essence, the Einstein software and plan for making government computers secure accumulates these ideas into one big ball. Let’s call it “The Theory of Stupidivity,” in honor of the Einstein software. Now don’t go off the rails here. The government isn’t the only guilty party. Almost everyone seems to practice most of the six dumbest ideas in computer security.

Notable among these flaws is the dumb idea Ranum called “Enumerating Badness.” It’s the definition of the anti-virus/anti-malware/anti-spyware industry.

Back in the good ol’ days when shit-happening wasn’t everywhere “security practitioners got into the habit of ‘Enumerating Badness’ — listing all the bad things that we know about. Once you list all the badness, then you can put things in place to detect it, or block it.”

“Why is ‘Enumerating Badness’ a dumb idea?” asks Ranum. “It’s a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness.”

“Enumerating Badness” goes hand in hand with “Penetrate and Patch.”
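The contrast Ranum draws is easy to make concrete. The following is an added example, not code from the post or from the Einstein program: a signature scanner in the anti-virus mould (“Enumerating Badness”) is run beside a default-deny allowlist over a handful of constructed samples, including a variant nobody has submitted to a vendor yet. All signatures, hashes and sample bytes are made up for illustration.

```python
# Added example (not from the original post): "Enumerating Badness"
# (a blocklist of known signatures) versus default-deny (an allowlist of
# approved programs). Every signature and sample here is constructed.
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed signatures: substrings taken from samples already submitted
# to the (hypothetical) anti-virus vendor.
BAD_SIGNATURES = [b"EVIL_PAYLOAD_V1", b"EVIL_PAYLOAD_V2"]

# Constructed allowlist: hashes of the binaries the operator has approved.
ALLOWED_HASHES = {
    sha256(b"approved editor binary"),
    sha256(b"approved backup tool"),
}


def enumerate_badness(program: bytes) -> bool:
    """Blocklist model: block only programs matching a known-bad signature."""
    return any(sig in program for sig in BAD_SIGNATURES)


def default_deny(program: bytes) -> bool:
    """Allowlist model: block anything that is not explicitly approved."""
    return sha256(program) not in ALLOWED_HASHES


def compare(programs: dict) -> dict:
    """Map each sample name to (blocked_by_blocklist, blocked_by_allowlist)."""
    return {name: (enumerate_badness(p), default_deny(p)) for name, p in programs.items()}


SAMPLES = {
    "editor": b"approved editor binary",
    "known_malware": b"dropper EVIL_PAYLOAD_V2 stub",
    # The "bug of the week": a variant no one has sent the vendor yet.
    "novel_malware": b"dropper EVIL_PAYLOAD_V3 stub",
    # The cost of default-deny: a legitimate update nobody approved yet.
    "editor_update": b"approved editor binary v2",
}

if __name__ == "__main__":
    for name, (bl, al) in compare(SAMPLES).items():
        print(f"{name:14s} blocklist={'BLOCK' if bl else 'allow':5s} allowlist={'BLOCK' if al else 'allow'}")
```

The novel variant walks straight past the signature list until someone else has been hit and submits a sample, while the allowlist stops it on day one; the price is that the allowlist also stops the unapproved editor update, which is the maintenance burden default-deny trades for.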

“One clear symptom that you’ve got a case of ‘Penetrate and Patch’ is when you find that your system is always vulnerable to the ‘bug of the week,’” writes Ranum. “It means that you’ve put yourself in a situation where every time the hackers invent a new weapon, it works against you. Doesn’t that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind.”

Doesn’t that sound like common news from the cybersecurity beat? Rhetorical question.

Practically speaking, there’s not much hope of ‘secure by design’ anymore. And the current news about the Einstein software only underlines it.

Let’s return to the WSJ article. “Homeland Security is the only department using it so far,” it says.

This is not necessarily a bad thing. There’s really not much point in being forced into being an early adopter of something that isn’t an improvement on what one already has, whose bugs and weaknesses are unknown, and which may be worse.

Good advice could be to be ‘last in line’ for Einstein, version whatever, until everyone else has it sorted out.

In from the “Don’t blame China” desk:

In view of the current serious situation of frequent leaks of secrets from secret information systems, Xia Yong, director of the State Bureau of Secrecy, said on the afternoon of 22 June: China plans to enhance the encryption measures of secret information systems.

He said: These measures include …

Technology will be adopted in protecting secret information system. The revised draft (of the Secrecy Law) stipulates: Secret information system should be installed with encryption facilities and equipment in accordance with the state encryption standards. Planning, building, and operating of encryption facilities and equipment should be synchronized with the secret information system. Before being put into operation, secret information system should pass the inspection of secrecy administration department at or above the city level, which sets up the system. — Xinhua News Agency, June 22

At SITREP.