"There are 2 kinds of InfoSec people out there... those who still believe we can build secure environments/apps and those that know it wouldn't matter anyway."
Hi everyone, first off this is going to be an ugly one because over the course of the last 2 days I've had conversations with many of you that have started out very constructive but then quickly devolved into the "oh crap, we're fu**ed" variety. Most of this is thanks to "anonymous" (I'll let him remain nameless until he cares to step out of the shadows) who has given us (and more importantly, me) some very not-so-subtle clues on why my job grows more meaningless with every tick of the clock.
If you haven't read it yet, read the mass-spam article, and pay special attention to the comments section... this is where things went downhill... rant follows
When I wake up in the morning, what gets me energized and going is knowing that I can make a positive impact on the world I live and work in. For me that means InfoSecurity has to make progress. Progress, since I like to use Medieval metaphors, is pushing the kingdom out further and further into the wild country beyond the castle walls. This of course means one of two things - you can either build a bigger army and spread them ever-more thin, OR you can arm the residents of your kingdom for self-defense against the hordes that lie beyond the edge of the kingdom. Translated into 2009-speak that roughly means we're trying to protect people from themselves... and since we can't keep spreading our already strained InfoSec resources ever-more thin... we have to teach people to defend themselves. This is where sh** really starts to break down quickly.
The problem is people just don't give a damn. They're sheeple. Like sheep... they're herded rather easily but they have things others (the "bad guys") want like social security numbers, credit card information and passwords. It wouldn't be so bad if we could just charge them the idiot tax and move on, but banks and credit cards and even our government have been passing their stupidity on to the rest of us who are smart enough to figure this out. How, you ask? Have you seen your bank fees lately? They're skyrocketing because of the rising costs of fraud, and banks continue to "put your money back if you get your (virtual) pocket picked" - even if it's your own fault?!
I can make my peace with people being careless with their own property but unfortunately this is a social commune - where your stupidity translates into higher interest rates, fees, and fewer services for me. So naturally sentiment for this is turned against the evil hackers who are out to steal our lives because they're bad. Well... what most of you that make this argument miss is that these types of things have existed in real life for centuries and they haven't bankrupted society (yet) because people eventually got wise to the schemes... usually. What's mind-boggling is that in the digital world people still fail to see how "security" matters.
How can this be any worse? The fact that companies have adopted this same moronic mentality. I can't take it anymore, I want to smash my head into a wall every time someone at a major Fortune 1,000 company tells me that they don't need to do Web App Sec because they "don't take payments over the web"... how is that the only way that security has stuck in people's minds? Forget the network security ... we've had that figured out and are now reaping diminishing returns... have been for the last ~2-3 years... web apps are the main target now, I don't need Gartner or IDC to tell me that, do you?
Then there's the PCI-DSS... and while I love all my friends who are gurus in this space (you know who you are) this has become the absolute minimum requirement now... "do you do everything on this PCI-DSS checklist?"... which is bullsh** and we all know it but it keeps the lawyers on their leashes and makes the risk people happy until something catastrophic happens (ahem... you twits at Heartland Payment Systems) and then you sue the people who audited you? Really? You shop around for the cheapest, least-intrusive PCI auditor who will give you a passing grade with the least amount of effort and you wonder why you're making headlines? Can we stop and think for just one stupid second?
Then there's the whole point of why I'm at this stage of delirium... with the best effort I make every day (and many of you are in the same boat)... bailing water as fast as possible - saving people and companies from their own ignorance and stupidity - everything I do to protect you has already been beaten like a red-headed step-child. Twice. Except now there are scripts for beating any security measures we may have... and the basic concepts and premises we base our careers on are shot. We're bailing water from a sinking boat when the boat is already under water.
What do you do when you've forced (beaten...) your users into compliance with security policy, you have anti-malware on every desktop, locked-down admin rights, carefully filtered web ingress/egress traffic, tight firewall rules and network security devices (IPS/WAF/what_ever) and everything is fully patched... then one of your users visits a legitimate web site and within 30 seconds is trojaned with a ring-0 trojan that completely and utterly devastates the machine. Sucking down passwords, critical data and setting up covert channels into your network without even tripping Vista's built-in protective measures. Yes... I know it's possible, for a fact. Quote me.
Does it matter that there are educational programs, open-source OWASP security tools, projects and pre-built reasonably secure code modules? Does it matter that InfoSecurity is finally making headway within the corporate world? No... why?
- users are still apathetic and choose to remain that way
- companies still would rather spend precious money on upgrading firewalls and IPSes than building secure web apps
- security is not simple and usable and therefore failing the user-friendly test
- arrogant developers still try to re-invent the wheel every single time
- even if we succeed... we fail because the "bad guys" are 2 steps ahead, always
We're not at any particular crossroads in IT history... but this is as good a time as any to get off our complacent asses and make a hell of a lot of noise. Reach out to those in positions to make a difference and make your case like everything depends on it. Hey, believe me when I say I understand this situation isn't bad for business - because as crappy as the world of security gets we will all have job security forever - but at what cost?
We need to stop the advancement, we need to stop pulling back. Continuing to build better anti-automation into our social-networking sites is stupid and a waste of time. No more free bugs? Who cares... it doesn't make a damn bit of difference in the end result. Here's an idea... how about you pick a side and work towards that goal. If you're a white-hat then understand you're not doing it to make yourself rich but for the betterment and the "greater good". It's time to get over ourselves and quit acting like divas because we are clearly getting our asses handed to us out there folks...
Wake up and smell the fire burning under your feet.
Sorry it had to be said.