Schneier on Security
A blog covering security and security technology.
April 12, 2006
What if Your Vendor Won't Sell You a Security Upgrade?
More frightening than my experience is the possibility that the company might do this to an existing customer. What good is a security product if the vendor refuses to sell you service on it? Without updates, most of these products are barely useful as doorstops.
The article demonstrates that a vendor might refuse to sell you a product, for reasons you can't understand. And that you might not get any warning of that fact. The moral is that you're not only buying a security product, you're buying a security company.
In our tests, we look at products, not companies. Things such as training, finances and corporate style don't come into it. But when it comes to buying products, our tests aren't enough. It's important to investigate all those peripheral aspects of the vendor before you sign a purchase order. I was reminded of that the hard way.
Posted on April 12, 2006 at 12:40 PM
Is it too early to bang the "proprietary = bad" drum? For instance, if a product is released under the terms of a DFSG-Free license, there may be no discrimination against "Fields of Endeavor".
With security software needing as frequent updates as it does, you are truly not buying software, so much as you are buying service. Always remember that.
On the other end of the spectrum, what happens when a company decides that the product you are using is "obsolete"? [Windows 9x, for instance, will no longer be supported after July 11] - much the same as when a provider goes out of business, you have to replace the product with something that is still developed and supported. Always consider that you may have to [relatively quickly in some cases] replace what you have with something new - always keep your eye on what you'll use to replace what you have. Call this a "backup plan", or "plan B". :-)
Can you be secure without an active person (or team depending on your size) devoted to just security?
I don't think you can anymore.
I don't think this has anything to do with the product being proprietary or not. Fine, they didn't release it with a license that makes them give it to anyone who asks. But the fact that they don't is simply a poor business decision.
Well, we could learn from the hackers and do what they do - patch the binary ourselves, either on disk or at runtime. If rootkit developers can use this technique to compromise security, it can just as easily be used to enhance it.
Or you pony up and buy a new piece of software that is secure. Perhaps if more people did that...
Same holds for outsourcing to a company like EDS or whoever, lack of control of the destiny of your assets can be the result.
That is ridiculous... with the right type of outsourcing you can have more control of your assets and a better focus on security.
Another thing that speaks for/against the company is how many mouths they have and how much less BS they put you through to buy the silver bullet.
Of course every security vendor's product is the solution for world hunger :)
Note that something like this situation is happening in the voting machine world. A big vendor has filed for bankruptcy, and a bunch of local election officials are going to have to either buy new machines or run elections with no support. (Or buy support anew from some consultants.)
Check today's Dilbert; it is right in line with this post.
If you want some real comedy over this, check out what's been going on over at TechDirt. They posted about this story and a bunch of comments started coming in... including some attacking the reporter of the linked story. The TechDirt folks noticed that all those comments were coming from the same IP... inside the CipherTrust domain.
These guys are looking like a real class act.
When they are trying to sell you a product, they are typically trying to assure you that they are a wealthy company and your investment is properly protected. That is complete bullshit and does not guarantee anything (for a number of obvious reasons anyone can explain further), but the suits seem to like it.
Actually "peripheral aspects" just mean nothing.
The risk to security is far more general than that perceived by limiting the view to so-called 'security products'. No doubt the tactical security of components of a company's infrastructure can be affected, but on a broader scale the security of a company in a general sense is most at risk; the ability to secure ongoing provision or support of *any* kind of service or product without being arbitrarily denied is critical. This could include leasing, insurance, utilities, IP Rights et al - all of which could be arbitrarily denied behind a facade of "standard business practice" or some other obfuscated company policy.
Specifically though, we need to get out of the habit of referring to these products as "security products/software/whatever". Companies seem to believe that owning a raft of security products results in their company being secure. Security is a mindset, an ongoing process, a way of conducting business, etc - not something that comes in a box.
Now *that* is entertaining.
Thanks, that relieved my afternoon budgeting woes with a hearty laugh.
Surely that's only one moral. It seems like another would be if the updates are important to you, negotiate a service contract.
This is an interesting problem that we deal with almost daily - we run game servers for a variety of popular PC-based titles.
Unfortunately after a year or two, most titles stop getting supported by patches. If we're lucky, we just get left with a few small bugs. If we're unlucky, we get left with gaping security holes that leave our servers open to exploit.
The only fix is for us to notify the developer (which is usually met with silence) and then shut down our servers - which leaves gamers who want to play this game online out in the cold.
I was recently involved in a bid for a security product for a major biosciences company. We were proposing to port a product to their OS of choice, but noted that the OS didn't expose APIs that would allow certain features of the product to function. We had asked the OS supplier to provide us with the API and they refused, saying that it wasn't static and that it could change at any time. We reported this to the customer and said that we could easily reverse engineer the API to provide the functionality but that we couldn't do that because we couldn't support a product that the OS maker could invalidate at any moment by changing the undocumented API.
The customer went with a solution from a competitor that was implemented using a reverse engineered API. Sometimes I wonder if they cross their fingers prior to each security patch coming from the OS vendor hoping that it doesn't destroy the installation of their security product. They put themselves between a rock and a hard place. One day a patch will come out to make their systems secure that they won't be able to apply because it will change "security product" uses and render them unable to access their systems.
Many years ago, I worked for a small consultancy that used a graphical program (pre-Windows) that drew very pretty graphs and so on directly on a plotter (the client liked them). We bought version 3.3 (figures approximate) and the right to the next upgrade.
When the next upgrade (3.7) came, we carefully upgraded, but the plotter didn't work. After some weeks, the program writers stated that 3.7 did not support drivers for that particular plotter. OK, we backed out to 3.3, only to find that the new data files created by 3.7 were incompatible with 3.3. Further requests for help were met with the statement that since some of our other clients were military (true), they would give us no more support on moral grounds.
Back-ups didn't help; we had to re-enter all the data created in the interim onto the last 3.3 backup.
There is a name for companies that rely too much (counsel of perfection and totally useless practically) on service support.
Surely, in any rational organisation a purchase decision is based on a number of criteria? Supplier failure is costly, especially with non-commoditized non-standardized products.
Once the technical requirements have been met, and good value identified, there is a need to perform a due diligence check on the vendor. It should not exclude buying from SMEs, start-ups, Open Source or ASPs/outsourcers without good reason.
A proper check should identify questionable morals, bad business practices, or poor financial performance which risks knock-on damage to your organisation. Intelligent procurement processes *should* take these into account, e.g.
what a pussy that writer is.
imagine that i developed a groundbreaking new automobile, the "bruce", and asked you, an auto reviewer, to check it out. half a mile into your test, i cut you off in my hummer, force you to stop, drag you out of the "bruce" and slam you into a wall. you go on to write a review saying that the "bruce" is a good product standing on its own merits.
and then, when you go looking to buy a second "bruce", i won't sell one to you, bwahahaha! that's because i know who you are and i don't like you! it didn't occur to you to just walk into the right store with fifty $100 bills, wearing a groucho mask.
Pussy? Well, I guess I've been called worse. But the problem in this case is that there are folks who really *do* want to know about Ciphertrust, and just because they've treated me shabbily doesn't mean I should take it out on their product. As my inbox has shown in the last few days, there are at least a half-dozen people who really do like the product and the company. Although some of them border on the juvenile in their defense.
The Groucho mask is a good idea, although I prefer to do it on the up-and-up. It seems that the continued refusal to take my money along with the confusion of just exactly why tells an interesting story on its own. I just wish I knew what the punchline is.
In any case, I'd circle around to Bruce's original post: this isn't about Ciphertrust, but it's about the issue of product-as-service that all security devices have turned into.
Joel, the product-as-service issue is not what struck me in this story. Rather, it's that with security products, the product *does not* speak for itself. You simply cannot evaluate a product's security by trying it out. And with closed-source products, you can't evaluate it by analyzing the product either. So your only option is to trust the vendor.
That conclusion means that the trustworthiness of the vendor is a component of the quality of a security product. If the vendor broke *your* trust during the evaluation process -- for example, by doing things on your systems that they knew you wouldn't want them to, using access that you had given them for other purposes -- then that information is relevant to the quality of the product.
I definitely agree with your conclusion. In fact I would even say that vendors who harbor sharp, helpful and well-respected engineers are more likely to get my business than one with long evaluation cycles.
I guess I am more likely to use Password Safe because Bruce is affiliated, even if remotely, with the software and I prefer Marty's intrusion detection vision to one that isn't affiliated with anyone in particular, and/or Gene's monitoring, Jose's analysis engine, etc. Maybe I'm reading too much into the role of a technical expert in the companies they work for, but on the other hand I've seen one too many startups with some brilliant engineering get gobbled up by big marketing giants who quickly spit out the talent and then push cigars, polo shirts, and squishy brains as some kind of excuse for a lack of care/vision for real security needs (like upgrades).
Maybe it's the same thing, but I say you're not just buying a security company, you're buying into a select group of people in the company who are probably the only people that share your own vision for how and when to "do the right thing". Make sure they actually have some pull or at least relevance in that company's future.
Oh, and of course I can't leave out Craig's posting service, Fyodor's scanner, Renaud's scanner, etc.
The brand is often less relevant to me than the talent (if possible to know). I guess it's like saying I'd rather bet on Richard Petty than Plymouth.
And for what it's worth, I'm always curious who built the old Apple PowerBook that revolutionized the modern keyboard layout and form-factor of our laptops (I say the Duo could be reintroduced tomorrow with new screen/guts and you wouldn't even blink). I know that they went on to design the Dell laptops afterwards, but I lost track of them after that. Maybe they retired or Apple paid them to stop helping Dell? At least the Amiga let the crew sign their name to the inside of the case...but now I'm probably just embarrassing myself. Point is, don't lose the talent for the company or something like that.
This is more of a legal issue than a security one. I work in a hospital, and critical components of systems affecting patient care aren't at the mercy of the vendors. We have SLAs, code escrow, and other contracts in place to stop this from happening.
What's more concerning is that after this company shut their system down before the test was complete, Network World still went ahead and reviewed the product. They should have just dropped them off the list, why dupe the readers who may be using this magazine to compare products?
I've worked in hospitals as well and you have a good theory, but as humans we are, well...fallible. Consider a trend reported in American pharmaceutical sales for example:
"Pssst! Heard the one about the doctor and the cheerleader? Probably not. That’s because you live in Britain, where doctors work for the NHS and where cheerleading is as culturally alien as maple syrup.
For Americans, however, the tale of the man in the white coat and the girl with the pompoms is no laughing matter. Indeed, it has become a national controversy; embarrassing doctors, calling into question the ethics of a $15.7 billion (£8.9 billion) marketing business, and causing patients to worry about their prescriptions."
Here's another take on the sales strategy the "pharmers" are using to woo technical thinkers away from their technical criteria for decisions:
"Some industry critics view wholesomely sexy drug representatives as a variation on the seductive inducements like dinners, golf outings and speaking fees that pharmaceutical companies have dangled to sway doctors to their brands.
But now that federal crackdowns and the industry's self-policing have curtailed those gifts, simple one-on-one human rapport, with all its potentially uncomfortable consequences, has become more important. And in a crowded field of 90,000 drug representatives, where individual clients wield vast prescription-writing influence over patients' medication, who better than cheerleaders to sway the hearts of the nation's doctors, still mostly men."
And the medical profession is heavily regulated already, as pointed out above...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.