Schneier on Security
A blog covering security and security technology.
« Secrecy and Privacy |
| Pre-9/11 NSA Thinking »
June 27, 2013
Lessons from Biological Security
The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our immune system works because it looks for the full spectrum of invaders low-level viral infections, bacterial parasites, or virulent strains of a pandemic disease. Too often, we create security measures such as the Department of Homeland Security's BioWatch program that spend too many resources to deal specifically with a very narrow range of threats on the risk spectrum.
Advocates of full-spectrum approaches for biological and chemical weapons argue that weaponized agents are really a very small part of the risk and that we are better off developing strategies like better public-health-response systems that can deal with everything from natural mutations of viruses to lab accidents to acts of terrorism. Likewise, cyber crime is likely a small part of your digital-security risk spectrum.
A full-spectrum approach favors generalized health over specialized defenses, and redundancy over efficiency. Organisms in nature, despite being constrained by resources, have evolved multiply redundant layers of security. DNA has multiple ways to code for the same proteins so that viral parasites can't easily hack it and disrupt its structure. Multiple data-backup systems are a simple method that most sensible organizations employ, but you can get more clever than that. For example, redundancy in nature sometimes takes the form of leaving certain parts unsecure to ensure that essential parts can survive attack. Lizards easily shed their tails to predators to allow the rest of the body (with the critical reproductive machinery) to escape. There may be sacrificial systems or information you can offer up as a decoy for a cyber-predator, in which case an attack becomes an advantage, allowing your organization to see the nature of the attacker and giving you time to add further security in the critical part of your information infrastructure.
I recommend his book, Learning from the Octopus: How Secrets from Nature Can Help Us Fight Terrorist Attacks, Natural Disasters, and Disease.
Posted on June 27, 2013 at 6:34 AM
• 11 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Surely good to mention the Author's name: Rafe Sagarin.
Too bad it wasn't "Learning from the squid...", huh?
Do you know a very efective firewall, being able to resist an attack based on 250millions of hits to provocate a DoS? very cheap by the way...
if you don't have one, better go right now and adquire one and get installed ASAP...
it's name is Contraceptive...
you don't want a DoS for nine months, or do you?
"DNA has multiple ways to code for the same proteins so that viral parasites can't easily hack it and disrupt its structure."
Hmm. Sounds just like organizations using multiple, random or rotating instruction sets, code implementations, protocols, etc. in their systems. Much like I've advocated here in the past (and implemented in some cases).
Another excellent article. A friend and I was discussing this sort of concept yesterday, which is the concept of mankind perverting what is reasonable by some manner of arrogance to create that which one does not see reflected in the natural world.
For me, I best tend to understand this in considering totalitarian or tyrannical cultures product of architecture as opposed to the natural beauty of the natural world's constructions -- from trees, to flowers, from clouds to mountains. In the natural world, "chaotic good" and seemingly asymmetrical beauty is the norm, whereas in the human world the more contaminated a society is the more that society tends to create structures which are perversely symmetrical to the point of being idiotically ugly.
Contrast this with the concept of tyranny - as a definition of societal corruption - with liberality - as a concept of societal healthiness.
Or contrast with a societal judgmental "way", geist, spirit -- of "judgmental" versus a society which is "merciful and non-judgmental".
Yet, if we consider - as this article does - that all things in the natural world are, in fact, incapable of corruption against "the natural order", then can we really consider we should apply this exception to our own selves -- that mankind, alone, is capable of rejecting the natural order and perverting it into "substance" which is weaker then what the natural order can provide? Or is there not some unseen purpose beyond what mankind may perceive in even their most idiotic creations?
Under these guideliness, and the articles, I would suppose, then a more perverted system would be like such the article mentions as of those creatures who live at the bottom of the sea. Simple, archaic, poorly evolved, static.
(One could ask, "entrenched against what".)
In today's society - we could consider the area of computer security, as the article does, or other areas, though the area of computer security is especially influenced by the encroachment of fascist tendencies and so innovative stagnation - we might consider that the tendency is not to "security of innovation" but rather to "security of social cohesion by the adherence to principles of social unity under primary leadership (tyranny)" versus "security in liberality, invisible, transparent, inherently secure while inherently seamless and useable".
So, the medium is the message, as usual -- or the message is beyond our typical conscious understanding of the medium. Static, poor performing security products poorly perform for a purpose.
They are not merely designed to make systems less useable, but they are also designed to poorly secure the system -- because none of that is "the message", or the ultimate point.
Rather, these sorts of systems flourish because the ultimate point is for society to separate into a dominating class (which includes the creating and enforcing security elements) and a passive class (the victims of the hacking and the victims of the lack of usability).
Congrats, Bruce, on joining the BoD of EFF. Plz make them encrypt everything!
Watched some program on how animals (raccoons here) are now having to adapt to human settlements. For instance, those that don't fear and run away from cars tended to end up w/ their guts smeared on the pavement. But they were making progress, so they can continue to raid your trash can.
Bees better hurry up too, little bugs that can bring the house down.
The biggest lesson should be that robust defense takes a lot of time to mature. But there will be many opportunities for little bugs, but the core will be well defended.
But some of the very viruses in nature actually serve a purpose to continue the cycle of life. For instance, I didn't know e.coli was used in artificial insulin production.
The biggest problem with looking towards nature for security solutions is that nature has had billions of years to evolve. For example, while it might be possible for the immune system to engage in a full-spectrum approach to disease control the evolution that has allowed that to happen is simply not possible for the single individual, organization, and probably not even nation. You can't do it; it's impossible. Imagine what your life would be like if you tried to bring into conscious awareness every nerve fiber, every immune response, every chemical that crossed a neural synapse. You would go stark raving mad.
In other words, it's OK to look at nature for inspiration but it is not a good idea to look at nature for models of implementation.
Imagine what your life would be like...
--Yeah, but it'd be pretty cool for a little; plug into the matrix. It's like trying to use a computer and the internet to do something besides fixing mistakes someone else made.
And monkeys seem to find their way into the coding process.
Open source? The authors need to look that up in the dictionary. I'm pretty sure they mean no secrets. There is no copyright in nature, and they aren't referring to the DNA/RNA code-swapping that some viruses facilitate.
'm impressed with Manuka honey, brand name Medihoney which was given to me for a large leg wound at my hospital. There is some kind of weird germ killing mechanisms in that substance that colonies of bees figured out how to protect their honey from bacteria over eons. Now, stop and take a look at something called quorum sennsing where let's imagine the bees substance blocks hives of bacteria from communicating. Sort of like blocking cell phone networks.
I'm beginning to see the world that way. Our bodies regenerate through their quorum senses. Cells working together like hives of bees. Bacteria interrupts that. The bees figured how to keep the bacteria from ganging up on their honey.
And on my leg wound.
You can go a long way into biology with those analogies.
There's a lot more to it. Look at videos of Peter Molan on Youtube explaining how Manuka honey works. Lots of different processes going on. And he doesn't completely understand it either.
That crazy John McAfee was investing in this quorum sensing technology in the jungles of Belize but then strange things happened to him which I won't try to figure out.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.