Dailydave mailing list archives
Re: I am the reason we cannot have nice things on the Internet.
From: dan () geer org
Date: Sat, 25 Oct 2014 22:17:17 -0400
Michal,

Precisely as you say, anyone who cares to complain has a duty to suggest alternatives to what they are complaining about. Otherwise they are engaging in mere cant.

Without in any way trying to say I have "the answer," your point in this sentence, "[I]n the world of international affairs, there are very few real rules, and very little to be gained by taking a principled stand" is exactly what I was getting at in my recent speech at Blackhat -- the entire nature of Realpolitik is precisely as you say it. (I include the minimum passage below for your inspection.) Ditto for "I think that the specific practice of stockpiling 0-days is ultimately harmful to the Internet." (Another passage follows below.)

Perhaps you and I are flying in some sort of formation on these matters. As you are from what was once a Soviet satellite, are there issues of culture that lead a country into that kind of totalitarianism? More to the point, are those issues reinforced or diminished by what we now call "digital life?"

--dan

http://geer.tinho.net/geer.blackhat.6viii14.txt

...... As to Realpolitik ..................................

Political realism of the sort I am talking about is based on four premises:

. The international system is anarchic
. States are the most important actors
. All states within the system are unitary, rational actors
. The primary concern of all states is survival

This is likewise the realism of the cybersecurity situation in a global Internet. It is anarchic, and states have become the most important actors. States' investment in offensive cyber is entirely about survival in such a world. States are driven to this by the dual, simultaneous expansion of what is possible and what their citizens choose to depend on.
The late Peter Bernstein, perhaps the world's foremost thinker on the topic, defined "risk" as "more things can happen than will."[PB] With technologic advance accelerating, "more things can happen than will" takes on a particularly ominous quality if your job is to ensure your citizens' survival in an anarchy where, daily, ever more things can happen than will.

Realpolitik would say that under such circumstances, defense becomes irrelevant. What is relevant is either (1) offense or (2) getting out of the line of fire altogether. States that are investing in offense are being entirely rational and are likely to survive. Those of us who are backing out our remaining dependencies on digital goods and services are being entirely rational and are likely to survive. The masses who quickly depend on every new thing are effectively risk seeking, and

Nevertheless, cybersecurity is all about power and only power. Realpolitik says that what cybersecurity works is right and what cybersecurity does not work is wrong, and Realpolitik thus resonates with Howard's "Security will always be exactly as bad as it can possibly be while allowing everything to still function." Realpolitik says that offense routinely beating defense is right, and imagining otherwise is wrong, that those whose offense wins are right while those whose defense loses are wrong. Realpolitik says that offense's superiority means that it is a utopian fantasy to believe that information can be protected from leakage, and so the counter-offense of disinformation is what we must deploy in return. Realpolitik says that sentient opponents have always been a fact of life, but never before have they been location independent and never before have they been able to recruit mercenaries who will work for free. Realpolitik says that attribution is impossible unless we deploy a unitary surveillance state.

...... As to stockpiling 0days ............................

6. Vulnerability finding -- HEGEMONY

Vulnerability finding is a job. It has been a job for something like eight years now, give or take. For a good long while, you could do vulnerability finding as a hobby and get paid in bragging rights, but finding vulnerabilities got to be too hard to do as a hobby in your spare time -- you needed to work it like a job and get paid like a job. This was the result of hard work on the part of the software suppliers including the suppliers of operating systems, but as the last of the four verities of government says, every solution has side effects. In this case, the side effect is that once vulnerability finding became a job and stopped being a bragging-rights hobby, those finding the vulnerabilities stopped sharing. If you are finding vulns for fun and fame, then the minute you find a good one you'll let everybody know just to prevent someone else finding it and beating you to the punch. If you are doing it for profit, then you don't share. That's where the side effect is -- once coin-operated vuln finders won't share, the percentage of all attacks that are zero-day attacks must rise, and it has.

In a May article in The Atlantic,[BS] Bruce Schneier asked a cogent first-principles question: Are vulnerabilities in software dense or sparse? If they are sparse, then every one you find and fix meaningfully lowers the number of avenues of attack that are extant. If they are dense, then finding and fixing one more is essentially irrelevant to security and a waste of the resources spent finding it. Six-take-away-one is a 15% improvement. Six-thousand-take-away-one has no detectable value.

If a couple of Texas brothers could corner the world silver market,[HB] there is no doubt that the U.S. Government could openly corner the world vulnerability market, that is, we buy them all and we make them all public. Simply announce "Show us a competing bid, and we'll give you 10x."
Sure, there are some who will say "I hate Americans; I sell only to Ukrainians," but because vulnerability finding is increasingly automation-assisted, the seller who won't sell to the Americans knows that his vulns can be rediscovered in due course by someone who *will* sell to the Americans who will tell everybody, thus his need to sell his product before it outdates is irresistible.

This strategy's usefulness comes from two side effects: (1) that by overpaying we enlarge the talent pool of vulnerability finders and (2) that by making public every single vuln the USG buys we devalue them. Put differently, by overpaying we increase the rate of vuln finding, while by showing everyone what it is that we bought we zero out whatever stockpile of cyber weapons our adversaries have. We don't need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world's vulns and have shared that with all the affected software suppliers.

But this begs Schneier's question: Are vulnerabilities sparse or dense? If they are sparse or even merely numerous, then cornering the market wins in due course. If they are dense, then all we would end up doing is increasing costs both to software suppliers now obligated to repair all the vulns a growing army of vuln researchers can find and to taxpayers. I believe that vulns are scarce enough for this to work and therefore I believe that cornering the market is the cheapest win we will ever get.

Let me note, however, that my colleagues in static analysis report that they regularly see web applications greater than 2GB in size and with 20,000 variables. Such web apps can only have been written by machine and, therefore, the vulns found in them were also written by machine. Machine-powered vuln creation might change my analysis though I can't yet say in what direction.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- I am the reason we cannot have nice things on the Internet. Dave Aitel (Oct 22)
- Re: I am the reason we cannot have nice things on the Internet. Andreas Lindh (Oct 22)
- Re: I am the reason we cannot have nice things on the Internet. Thomas Quinlan (Oct 22)
- Re: I am the reason we cannot have nice things on the Internet. Thomas Quinlan (Oct 22)
- Re: I am the reason we cannot have nice things on the Internet. Parity (Oct 28)
- Re: I am the reason we cannot have nice things on the Internet. Michal Zalewski (Oct 22)
- Re: I am the reason we cannot have nice things on the Internet. dan (Oct 28)
- Re: I am the reason we cannot have nice things on the Internet. Andreas Lindh (Oct 22)