Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days

Zero-day vulnerabilities are more commonly used, according to the Five Eyes:

Key Findings

In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.

Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

Posted on November 18, 2024 at 10:49 AM

Comments

Cybershow November 18, 2024 12:11 PM

This is actually a nice comprehensive list of hardening recommendations and default posture advice. It’s worth scrolling down below the “key findings”.

I realise the term “zero day” has controversial meaning but it does bug me when people talk of 2 year old “zero days”. More nuanced language might be useful in highlighting that there is a market in unused and used exploits whose value reflects their freshness.

Clive Robinson November 18, 2024 2:15 PM

@ Bruce, ALL,

With regards,

“In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day”

This is actually not very useful because it is,

“An observed effect, not a testable cause or indicator of mitigation.”

The increase in the use of Zero Days with respect to other attack vectors could be due to many things.

Such as,

“The quality of software development is tanking.”

Or even the highly unlikely

“The use of prompt injection attacks on LLMs is enabling zero days to be easily found/exploited.”

But as an observation it has the “disincentive downside” issue.

If a person is responsible for allocating budget or other resources to “security” in an organisation, they could very easily take a mindset of,

“There is no way to protect against zero days, so why bother…”

Thus resources end up in other places such as with pushing more rapid development. Which is one of the major causes of zero day vulnerabilities…

lurker November 18, 2024 11:08 PM

It’s all very well for CISA to recommend
“Implement appropriate mitigations to eliminate [identified] classes of vulnerability.”
and
“Ensure business leaders are responsible for security.”
but so long as post-facto patches are cheaper than Secure by Design, we’ll continue to get zero-days followed by band-aids.

Anyhow, how do you ensure business leaders are responsible? Apart from the corporate veil, punishment doesn’t seem appropriate. When more money goes into marketing than security, even “the market” won’t punish by shunning faulty products.

Cybershow November 19, 2024 4:32 PM

@Clive

“There is no way to protect against zero days, so why bother”

Although I think learned helplessness is the objective of certain actors, there is also; “There is no way to protect against zero days, so what are we going to do about that now?”. I’ve heard a lot of talk at meetings nowadays about moving to response rather than detection or prevention. I don’t personally subscribe to that “right of bang” thinking, but there’s more of it about.

Software engineering doesn’t have to get any worse (can it?). There’s a red-queen’s race such that in just maintaining the present standard, things will get worse as systems are being rolled out exponentially.

There are other ways to fight rearguard. My counsel is heavily on reducing attack surface, taking away as much as you can. I think a missing mindset in computer security is that “there is nothing dishonourable in retreat if the battle demands it”. What stops that is the IT industry demand for growth, growth, growth!

Clive Robinson November 20, 2024 6:26 AM

@ Cybershow,

With regards moving forward.

Like you I’m aware of the effect of exponential numbers of vulnerabilities.

At the very root of the issue is that,

“Being vulnerable is the natural state of all simple things.”

That is, our building blocks are vulnerable to those that can get at them unless we arrange them correctly so that security gets built up.

There are two basic points there,

1, Mitigation by segregation.
2, Carefully engineer security in as you build.

No matter how vulnerable a system is if an attacker can not reach it then they can not exploit the vulnerability. Most living organisms do this from the cellular level up so could be called the natural model.

That is, inefficient as it might be most of the function of a living organism is to encase in protection a vulnerability that is also a benefit to the organism. Something like more than 9/10ths of an organic system of any size is in effect for “security not function” and as a result a secondary function often arises in that the grid like nature of cells implicitly gives not just structural strength but rigidity. Which as it’s highly desirable outside of a buoyant environment arises by transforming from a security layer into a structural layer on which an organism can build increasing useful function.

At some point the structural function in turn becomes a new type of security function and thus enables further complexity to develop on it. And unsurprisingly as such the cycle continues as the organism increases complexity.

There is as they say,

“A lesson to be learned here.”

And in the physical world we appear to have implicitly learned it, hence we can build physical systems of immense complexity quite safely. As a walk in any number of large city “business districts” shows, with ever rising skyscrapers in which no single element has the strength on its own, thus one element supports another and so on, giving strength and security to the building beyond what any individual item can give.

It’s in effect a similar trick to making physical structures of materials that are exceptional in tension but fairly useless in compression –think a rope– combined with materials that are exceptional in compression but fairly useless in tension –think sacks of dirt– the result is you can build structures like walls. This gives us “reinforced concrete” in buildings, but nature got there long ago with bones and plant stems that give grasses and trees.

For some reason the “software industry” has not really progressed much beyond a,

“Sack of goo floating in a buoyant sea of highly hostile entities model.”

That is the “engineering” is not really there beyond the “keep shoveling it on” mentality.

As anyone who has tried building a wall of sand knows, there is only so much you can pile up before it rolls down. But if you do not know why, it can hide significant dangers from you. Because whilst sand may not be a liquid, it can in large quantities behave very much like one (see ‘soil liquefaction’ as to why it can be so dangerous).

Just about every software vulnerability at a base level has an equivalent physical vulnerability, that scientists and engineers have come up with ways to mitigate, if not make useful in the physical world. We’ve in effect already solved these physical issues, yet in the software industry the lessons are not being applied.

Thus a pertinent question might be “Why?”

The notion of “run fast and break things” with apparent childish glee might be appropriate to some mindsets but several things arise,

1, Who is going to clean up the mess?
2, Who is going to pay for it?
3, What is the probability anything actually useful will come from the wreckage?

To which the answers to the first two are “not them” and the last “very low indeed”.

But hey don’t let me,

“Spoil the party fun, the little tykes are having.”

cybershow November 22, 2024 1:15 PM

@Clive

I had to read that twice to suck all of the goodness out of it. Very cogent remarks not just on biological structural analogies, but the way that security begets security AND functional potential in a carefully ordered system. I fear that nature’s methodology of evolution is something we don’t have time for in technology.

Who is going to clean up the mess? Who is going to pay for it?

I’m in the middle of a long-form serialised piece on “Technology: rights or responsibility” for the Techrights site.

I think responsibility is the new frontier in cybersecurity, because at some point, someone is going to have to take up being the “grown-ups in the room”.

Clive Robinson November 23, 2024 6:57 PM

@ cybershow,

With regards,

“I think responsibility is the new frontier in cybersecurity…”

Not just cybersecurity, we can see in other areas in life people not taking “responsibility” in effect “opens the barn doors” to all sorts of undesirable if not actual criminal activity that can harm large numbers in any given society.

Most cybercrime is actually not at all new in the methods criminals employ.

I used to do work in “high tech physical security” for a while back in the 1980s and surveillance technology from before that to long after (consulting on it until more recently). The thing is you see the same basic methods just changed to suit the technology and the target. The easiest to immediately see are “held for ransom” and “blackmail”; as crimes they are older than written laws, and the fact we now are plagued with people doing them with “information” on “information systems” does not really change the method of the crime. Hence the old saying of,

“Sour old wine in new bottles”

Applies.

One of the things parents forever tell their children is,

“If you don’t put it away it will get broken/lost”

Or equivalent with their toys, and what parent has not muttered “If you don’t take better care of…”

Though it had upset others in the past I take the viewpoint that the “physical world” is in effect a proper subset of the “information world”. That is all methods in the physical world have an equivalent in the information world, but the information world has a few more that won’t directly map into the physical world.

An example of which is due to locality: physical crimes usually require the criminal to be in a specific place at a specific time. This makes finding them and stopping them comparatively easier than in the information world, where they could be anywhere and actually at a long previous time (the joy of “autonomous agents” and “time deployed payloads” that was once part of Advanced Persistent Threats (APT)).

Another is that the criminals do not actually need to own any physical resources beyond those of development. As the reality is they subvert the resources of others such as those targeted or intermediaries. Thus they in effect use “autonomous agents” in ways that vary from “highly targeted” to “wherever there is an open door”.

As the autonomous agent is nothing more than a “list of actions” that gets processed by the targets resources you get what is in effect,

“An infinite force multiplier”

Which turns an individual developer of such a “list of actions” into,

“An army of one, beyond reach”

As we’ve seen with previous “Worm Attacks” this can be quite devastating on a global basis.

The only reason that these attacks work is that the target systems are riddled with open doors. Worse in most cases those doors whilst open are shrouded from view to the owners, operators, and users of the systems.

This means the only “responsible action” they can take is a “general mitigation”. One such being “system segregation” or isolation in a secure space/place. Because no matter how many hidden open doors there are in the system, if an attacker can not reach out and touch them, they can not get access to exploit through them.

I can not remember when I first heard the comment that,

“To be of use a computer has to be connected.”

But whilst true, it does not mean it has to be connected “irresponsibly or vulnerably”.

Unfortunately,

“Must connect to have worth”

Appears to be a mantra of various forms, pushed by certain MBA and similar courses. It appears based on the fact that mobile phone “Short Message Service” (SMS/texts) and “Electronic Mail” (EMail) are seen as,

“Advantageous Disruptive Technologies”

That “management/marketing” were unready for as they did not see them coming… So the irresponsible reaction is in effect,

“Throw open the doors and let the goodness in without hindrance and benefit will follow.”

As those who have been around for a while know,

“Where good can come in unrestricted, so can bad, and the latter is more likely.”

Hence in modern times homeowners tend to know,

“If you leave your door unlocked burglars will make free with your property.”

It’s actually not hard to see how that can map from the physical world back into the information world, and in effect what you have to do. You just have to ensure it’s effective and not administrative, which all too often happens. Hence the cartoon of a tent with a vault door on the front, or the fifty foot pole upright as a barrier (my favourite was from the 1970s and the film “Blazing Saddles” I saw nearly half a century ago as a teen, with the unmanned toll booth in the desert, https://www.youtube.com/watch?v=SbWg-mozGsU ).
