April 17, 2009

Professionalism in the Security Community, Part Deux (Clever Talkers)

In this post, I will try to be clever and use the word 'clever' and its variations as much as reasonably possible. It might make me seem clever, or just obviously annoyed at the would-be clever cynics, you decide... As I've posted before, in the first installment of Professionalism, there are people (Marcus Ranum being one) who are both clever AND have a framework in which they discuss and enumerate specific arguments, definitions, etc.


This post is not aimed at them, as I don't have an issue with being clever; in fact, I love to laugh, and humor gets me through the day. I just have an issue with being clever as a complete substitute for real thinking. I mention no names and link to no specific articles, to avoid flame wars and to protect the guilty. :-) Here goes...


Rant Mode ON:





Dear Readers, Cyberwarriors, Those-Who-Follow-The-Cyberwar-on-"What-Is-Cyberwar," and of course Those-Who-Just-Like-Clever-Articles-About-Cyberwar:

There is a lot of discussion about cyberwar these days, which is probably a good thing, because we STILL need to figure out exactly what it is and isn't. Perhaps parallel to that effort (sigh...) we might be able to formulate a (reasonably) realistic strategy that will mitigate the effects of cyberwar on our side, allow our cyberwar practitioners to exploit the other side's networked weaknesses (war is about sides at some point, sorry) and be nimble enough to change with the speed of the network.

Cyberwar discussions are difficult for many reasons. One of them is the notion that we must not only prosecute said cyberwar properly on the strategic and tactical levels, to achieve certain results and avoid others, we must also strictly adhere, of course, to the laws of war (which ones again?) and we must be highly pundit-and-lawyer aware.


According to some, the tools and rules of cyberwar must be approved by multiple and conflicting interests, including, but not limited to: The Red Cross, John Yoo, the ACLU, Karl Rove, Katrina vanden Heuvel, EFF, current DoJ lawyers, EPIC, former DoJ lawyers (did I mention Yoo yet?), Pat Buchanan, Arianna Huffington, Ms. XXXXXXXXXXXXXX, General Jack D. Ripper, the ghost of General Curtis LeMay (via the Ouija board) and of course, the highly esteemed and indefatigable cyberwarrior, Dr. XXXXXXXXXXXXXXXXX.


See, I wasn't being TOO clever in that last paragraph, was I? OK, maybe too clever, but perhaps, and sadly so, not clever enough to qualify for the bevy of (cleverly) sarcastic and cynical articles about the supposed exploitation of the cyberwar issue by the various powers that be (are these powers 'the gummint' or 'the mainstream media' or are they think-tank thinker types?)

Apparently, some people think it's good enough to just be clever (or better yet, cynically clever), about the "cynical exploitation" alleged in their articles. These cynical mentions of cynical exploitation of cyberwar as a topic are sometimes explicit and sometimes more implicit (which is always more clever than actually being explicit).

For some people, being clever seems to be the main thing to strive for. Interestingly, some of these same people are the ones who deride FUD in the vendor space and yet fail to see the irony of their wayward ways. Are they falling into that trap of logical fallacy, you know the one that makes people think that making fun of someone or something (or both) is in and of itself the argument, or boosts the argument? Sorry folks, you can't just be clever and create an argument that's that implicit, not well articulated, or at times not even mentioned at all, strictly by means of making fun of people and concepts.



Argue by argument, not just cleverness. Derision is not discussion.


Are we trying to audition for the Daily Show correspondent position or are we talking about strategic warfare in cyberspace? Oh, both, I see...


Allow me to throw this thought-grenade onto the tinderbox of the cyberwar ABOUT cyberwar:

Being clever is great, and perhaps necessary, when discussing such amorphous topics. It is not helpful, however, to stop at being clever, to fail to continue with what you actually think cyberwar is, what it is not, and what you think is a good way to advance the discussion.

I will cleverly, but not cynically, stop now, having pointed out the clever fact that being clever about cyberwar is necessary but not sufficient to advance the discussion about cyberwar.


It is just the beginning. It might even be good to end with being clever. It is not, however, the end and should not even be the sole means to that end.

Read that as a promise that I'll discuss it further, and not rest on my clever laurels.



Rant Mode Off. Clever hammer back in toolbox. For now.

April 07, 2009

Shpantzer's Law of Endpoint Security (Grand Belated Unveiling!)

Just going through some old emails this morning and I found this little unpublished gem. Revealed to the public for the first time, right here, right now (drumroll please...)

------------------------------------------------------------------------------------------
Title: Shpantzer's Law of Endpoint Security

Body: "The security of your endpoint (hence your network) is inversely proportional to the square of the number of applications installed on the endpoint."

------------------------------------------------------------------------------------------

This was from April 28, 2007. Hey, that's two years ago! Why didn't I publish this? I guess I'm just kinda shy that way sometimes...

Basically the issue emphasized here (did I mention this was two years ago, all the way back in April of 2007?) is that application security matters, on the client side too, and not just the OS.

Browsers, PDF readers, media players, apps for presentation, email, spreadsheets, you name it. They're all individually dangerous and can add vulnerabilities really quickly when combined. I surmised that the relationship between the number of apps and security is most likely nonlinear. Inverse square sounded good at the time!

I wonder what other buried treasure is in those old emails...

Gal

April 05, 2009

Correlation is not Causation

Clever post by TheAtlantic.com blogger Megan McArdle:

"I'm forced to conclude that (the import of) Mexican lemons have improved highway safety a great deal. The vitamin C, maybe? The fragrance? Bioflavonoids?"

Read the short article, featuring a great graph, with near-perfect correlation of increasing lemon imports and a reduction in US highway fatalities.

A great reminder to ask the right questions about some of those problematic security surveys and studies that are being churned out at high rates with low integrity.

"What's the mechanism?" is one good question to ask.

http://meganmcardle.theatlantic.com/archives/2009/04/department_of_awful_statistics_6.php

PS I'm not partisan when it comes to information security, so McArdle's political spin is her own.