Dan Geer on Security, Monoculture, Metrics, Evolution, Etc.

Here is the text and video of Dan Geer's remarks at Source Boston 2008, basically a L0pht reunion with friends.

At the end of the day, however, we are facing a much bigger, more metaphysical question than the ones I have so far posed. That I can pose many others is of no consequence; either you are sick of them by now or you are scribbling down your own as I speak. The bigger question is this -- how much security do we want?

A world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have. At some point, real soon now, some of us security geeks will have to say that there comes a point at which safety is not safe.

Posted on May 27, 2008 at 6:23 AM • 19 Comments

Comments

SecureMay 27, 2008 7:17 AM

"A world without the possibility of crime is a world where you cannot prove you are not a criminal."

The post-9/11 world antiterror hysteria of today seems to have significantly changed our minds. It is now so deeply embedded that it seems to be taken for granted that you are guilty until you prove your innocence, while it should be the other way around.

KarenMay 27, 2008 7:26 AM

Safety already is not safe. It is intrusive. In the name of safety we have already made ourselves less free, and therefore, less safe. No one and no government can possibly remove all risk inherent in life.

Let's just remember FDR's words, "The only thing we have to fear is, fear itself." I have a nice picture that I got from Old American Century of those words superimposed over the "threat levels."

Brandioch ConnerMay 27, 2008 10:10 AM

Is "L0pht" pronounced "low fat" or "loft"? Or is there another pronunciation?

ax0nMay 27, 2008 10:34 AM

That quote is epic. Thanks for sharing. I look forward to watching the video when I am back on broadband.

ax0nMay 27, 2008 10:37 AM

Brandioch: It is pronounced "loft", however I remember my pentesting days, my project manager called l0phcrack "Low-Fat Crack" in front of a customer (long before @Stake bought them and released what is now LC5)

I just about coughed Jolt out of my nose in a client's board room.

AnonymousMay 27, 2008 10:52 AM

wow that logic reminds me of a quote:

"Reports that say that something hasn't happened are always interesting to me, because as we know, there are "known knowns"; there are things we know we know. We also know there are "known unknowns"; that is to say we know there are some things we do not know. But there are also "unknown unknowns" - the ones we don't know we don't know "

Donald Rumsfeld, 2002 (http://news.bbc.co.uk/1/hi/magazine/7121136.stm)

AnonymousMay 27, 2008 11:37 AM

Of course, you don't have to build a building strong enough to withstand air strike. The question is, are we safe enough? Will people stop their worries when it is still possible for thousands of credit card accounts to get stolen.

Another KevinMay 27, 2008 11:51 AM

In no world can you prove that you are not a criminal - owing to the philosophical impossibility of proving a negative. A world where such proof is expected is a world where all are guilty.

MarcMay 27, 2008 12:05 PM

Aren't we already there? Take "Trusted Computing". This is not about the trust you can put into your own computer. It's the trust, the content industry sets in the manufacturer of the computer, that it will never truly yours. A TC-computer is not owned by its buyer, but the manufacturer will always keeps the hands on the one key, that allows the lowest level of access.

Clive RobinsonMay 27, 2008 12:12 PM

A point that may be of interest on this.

In "English" we have the two words "safety" and "security" in many other languages the have one word to cover both ideas.

For the majority of pepole their view point is influenced not just by the way they think but by the language they think it in.

George Orwell author of 1984 realised this back in the 1930/40s. It was one of the founding ideas behind his "newspeak".

As has been noted befor in many ways our "freedoms" in all their forms only become realy apparent when they are taken away from us by fiat, force or dictate.

StanMay 27, 2008 1:47 PM

@Clive Robinson: I was going to mention that "safety" and "security" are two different things.

I agree with many of Geer's points, and I tend to be on board with a lot of his past work, but I suppose I'm one of the few that doesn't think the "biological" analogies he's been using lately really work well.

col.hector@gmail.comMay 27, 2008 2:45 PM

Hmm, very monotenous, makes it appear that this guy is just reading the speech, i.e. implies that someone else wrote it.

I prefer Bruce's speeches, they have more spirit.

derfMay 27, 2008 4:06 PM

"A world without the possibility of crime is a world where you cannot prove you are not a criminal."

Just look at the no-fly list. You have the distinct privilege of missing your flight while getting body-cavity searched because your 5 year old is on a list from which there is no way to be removed?

Space RogueMay 28, 2008 5:47 PM

Speaking of the pronunciation...

I remember being at one of the early Defcons, way before Alexis Park, someplace downtown, old skool Vegas, and having arrived a day or so early Tan and I set out for the nearest strip club. (Naturally.) Well we both had our L0pht T-shirts on and the strippers kept asking what that meant on the T-shirt. We had fun asking them what they thought it was. That was the first time I heard Low-Fat but even funnier was Lowft. Ahhh, good times, good times.

Anyway, Source Boston, Yeah "L0pht reunion and friends..." Umm Bruce, there were like _36_ other talks dude. You should swing by next year, I'm sure they would love to reserve you a podium.

- SR

Clive RobinsonMay 29, 2008 2:16 AM

@ Stan,

"I'm one of the few that doesn't think the biological analogies he's been using lately really work well"

I'm as guilty of it as Geer is infact I might have started it before him...

However you are not incorrect they do not fit comftably.

The reason I use them is due to the sad state of the "science of security".

In the short time span that covered the lives of Galilao and Newton science changed from the ancient Greek "philosophise" to the modern scientific process of "Observe hypothosise, test and measure".

Effectivly the philosophers (theorists) were joined by the "experimentalists" and each aided the other.

However to "test" requires people to not just observe but be able to demonstrate change which requires "measurment".

Currently the "science of security" lacks any real methods of measurment or to be honest any real agrement on the meaning of "terms".

Due to the "culture of blaim and liability" there is actualy very little or no quantifiable or "real data" out there to even begin the process of reliably "observe" let alone "test and measure".

Rather than actually solve the problem which would require very carefull legislation (think public health -v- medical liability) people are taking the "renasonce man" approach.

That is in the absence of real data, take existing tested and verified models from a different field of endevor and see if they explain the corelations in the little observable data available in the field of endevor you are practicing in.

Suprisingly this "borowing" often works sufficiently well to start in on the process of agreeing "mesurands" and thereby starting the process of gathering quantifiable or "real data" from which the models can be refined into theories and possibly even laws.

My "guilty as charged" use of "biological analogies" is "evolution" to explain why CCTV systems appear to (initialy only) work in crime prevention but in reality actually do not work in the longterm.

The problem as I identified is that although there are many short term studies that show CCTV works, all the (very few) long term studies I had seen showed that CCTV failed.

Although "evolution" of the criminals does explain the difference the real solution is to conduct the correct studies using common measurands over a significantly long period of time. The problem with this as sociologists will tell you is the relationship between the experiment and the observer.

However as long as there is the "political imperative" to be seen to be "doing" something considerable sums of money will continue to be wasted and the results will be at best very minimal.

And yes we will continue to take models from other fields of endevor as short term stop gap efforts to explain the correlations we see in the paucity of "real data" we have to work with, what else can we do?

BrianJune 1, 2008 9:27 AM

Some of those philosophical questions require that a person feel it is better to be something that others are not.

Being unable to prove you are not a criminal is not really important if there is no crime. The only person worried about it is the person that desperately wants to be able to claim to be something that others cannot. Perhaps I am missing the point of the question...

I am in a similar situation to this, in a way. I have never had one driving/traffic offense. However, I only get "credit" for not having one within the past seven years. Why should I not be treated better (regarded as a safer driver, better safe driving discounts, etc) than those who had one eight years ago? The standard has been set that you are expected to get traffic tickets, just not within the past seven years. There is no method for "proving" you have never had one and getting recognition for it.

FredJune 3, 2008 1:12 PM

@Col. Hector:
As Dan clearly points out at the beginning of the video, he is reading a
text to make sure that what he actually says corresponds to the
prepared text "as a service to his audience". Very reasonable, given
past history.

@Stan, @Clive Robinson:
As to the biological analogies that Dan draws, I think that:

1. Although the mechanisms and timescales may be very different, that is
not the point - it is the underlying _dynamics_ shaped by patterns of
_reward_ and _punishments_ to the stakeholders that are likely to be
reasonably similar. In other words, the analogies are perhaps somewhat
closer than we might have at first thought. Another way of pointing this
out is to say that the principal drivers are _economic_ in their nature
and can explain much of the (overall) state of cybersecurity.

2. The talk includes a number of "theological" and "philosophical"
elements. Dan needs to say these things partly to make appropriate
connections to evolutionary concepts e.g. punctuated equilibrium, thus
showing that there are _potential_ links to established background
theory. Such crises do happen - but involving very different mechanisms.
The point is that these crises engender change - i.e. change-or-die!

However, given the territory of evolutionary processses, Dan also needs
to avoid getting embroiled in the ongoing "creationist" vs
"evolutionist" debates, which I think he succeeds by acknowledging that
the debate exists but at the same time arguing how the cybersecurity
world differs. I especially like the point that insecurities and flaws
exist despite the fact that IT systems are the supposed product of
intelligent designers!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..