Schneier on Security

Nick P • November 9, 2012 12:42 AM

He thinks offense is sexy & engineering defense isn’t. A guy at a recent Schmoocon said something similar. Let’s substitute “fun,” “cool”, “mentally engaging” and other more applicable phrases for “sexy.” Starting there, you see there’s quite a few people enjoying coming up with better protocols, languages, libraries, software, & actual systems. So the question is how to spread the word about them & get more people making them.

I think one way is to show more people what it’s about. Myself and others have accused the security defense industry of constantly reinventing the wheel: so many problems they face have been solved before & so many they create were preventable. I think it might help to have a collection of all sorts of exemplar work from the past, academic & real-world, that can inspire future security engineers.

I have a recent example. Jack Ganssle, of Embedded Muse, solicited information on dealing with stack overflows. He’s been in the industry for a while and is very knowledgeable in embedded software design. I told him 1970’s era MULTICS had a stack that flowed in reverse direction to make overflows impossible or hard. I also pointed out some academics did it on x86 Linux. He had never heard of it and thought it was a great idea. He also reminded me stack direction is often dictated by the hardware, yet Linux team worked around that. Here’s the question: we’ve been able to totally defeat the easiest attack on the stack for FOUR DECADES, but why don’t people know that?

We also need to gather the security engineering knowledge & structure it in such a way that it can be passed down to that generation. One possibility there is to divide it into common/cross-domain knowledge & knowledge for specific domains. The domains should be matched to the job function: applications, networking, intrusion detection, endpoints, OPSEC, COMSEC.

I’m a decent example of what needs to happen. (I don’t mean that in an ego-centric way.) I grew up midway between the older & newer generations of IT guys. I experienced MS-DOS, dialup, Windows, broadband, having a PCI card for everything, etc. Yet, the wisdom of the older crowd contained in their writings, projects & products didn’t elude me. I’ve pulled about every useful Lesson Learned I could out of it, combined it with modern stuff & repeatedly come up with stuff that others took years to figure out (or haven’t yet wink). It’s just that the knowledge transfer I’ve been talking about happened, some here on this blog. The wisdom of the ancients, err previous generation, pays off quite well.

I’ll also say that anyone who thinks defense research is boring is doing it wrong. It’s been an extremely interesting & challenging experience on my way to this level of knowledge/experience. I’ve learned what works, what doesn’t, why in many case, & there’s still so many challenges awaiting it’s mind-boggling. Honestly, I find the typical offense scenario to be very boring in comparison: dig through a bunch of code, find a common mistake, weaponize it, publish. Wow, that’s so easy all kinds of people are doing it, even learning from books at Barnes & Noble.

Try to make a heap overflow impossible (or close) with no observable performance impact & no rewriting loads of software. Create a DNS, PKI or whatever alternative that’s both more secure & will work in corporate environments. Create a programming language that’s very expressive & efficient, but can almost automatically prevent most implementation flaws (some close contenders there). Actually replace TCP, FTP and HTTP. 😉

Yeah, there’s plenty of sexy/clever/brilliant solutions to these problems waiting to be found. There’s also plenty of drudgery in engineering these solutions. If anything, you come out of it with the pride that your solution is untouchable compared to others or that you’ve done what seemed nearly impossible. It’s quite a feeling.