The Security Skeptic

This Twitter thread instigated an email thread with Mitja Kolsek
(CEO of ACROS Security, www.acrossecurity.com, @mkolsek).
We agreed that it is worth sharing because the conversation goes 
goes to the root of several problems that frustrate not only Mitja
 and me, but others as well. Enjoy and join the conversation:-)

Skeptic: If doing same things over & over expecting different results = insanity why do hackers keep breaking software to show vendors it's breakable?

Mitja: Breaking software is also a social experiment, not just scientific/technical.

Skeptic: I'd love to hear why you think so but not in 140 characters.

Mitja: The premise that "doing same things over & over expecting different results = insanity" applies to repeatable experiments, where "same thing" actually means something very close to  "identical." E.g., physics experiments or highly simplified psychological ones.

The case with breaking software to show vendors it's breakable is far from that: not a single experiment can be convincingly repeated, not even with the same hacker and the same vendor (much less the same vulnerability). Much of the outcome depends on the mood, feelings, persuasions, ethics, culture, geography, ego and many other human/social parameters, making every try quite unique.

That said, the underlying hope of these researchers (occasionally including me)  is - among other things - that they will make a small difference in how the vendor percieves their products' security. And looking back a decade or so, there has been a difference made: without it, we probably wouldn't have SDLs, bug bounties and many vendors actually trying hard to make their products secure. (IOW, without it, security would be entirely a PR thing to them, but now it's only "mostly" that :)

But closer to your point, it arguably makes little difference if one finds and demonstrates a vulnerability in MSFT, Oracle, Adobe etc. products, as these vendors have already set their policies in stone, for better or worse.

Skeptic: Well put.

I do take issue with how we are trying to make software secure. You make the point that finding and demonstrating vulnerabilities isn't contributing to making products more secure. This goes beyond vendor policies and goes to a more fundamental problems with software in general; there's no real accountability or liability in selling software that is not secure. The same is not true in medicine or manufacturing (autos for example, and certainly every electronic device that runs software exposes a vendor to greater liability from faulty electrical problems than software). It's not merely policy, it's complete lack of incentive borne from a nearly self-regulating industry.

Mitja: Indeed. I went to the Schneier vs. Ranum discussion about software liability at RSA Conference - and Schneier (pro liability) just had better arguments for my taste. Besides, as hard as I try, I cannot think of any other way to elevate software security to the point where it would be damn hard to break it. Arguably the society may not actually need that level of security (hey, we haven't been hacked out of existence yet, so why worry?) but it is obvious that more and more critical processes are being more and more exposed to SW vulnerabilities: 10 years ago, it would not be possible to remotely attack an insulin pump or a car, 10 years from now there will probably be dozens of ways for embedded software to kill or injure you every day. And if we let that software be remotely exploitable, it won't be particularly good. Though the way things are going, that software will be 10 times larger than today, remotely accessible and with the same vuln/KLOC ratio.

OTOH, liability will likely be either avoided ("This product is not intended for use in this and that way, or any way") or passed on to developers or security reviewers - and finally to insurance companies, with the cost of insurance transferred to the buyers. I wonder if this cost will be so huge that it will suffocate the industry :/

Skeptic: I also think we have reached a point where everyone wants to break software and no one wants to write good (secure) software. Part of this is the result of hype, part glamor, and part lingering adolescence (not on everyone's part, but a great many who "profess" to hack certainly). How many conferences have speakers demonstrating cool hacks? Hundreds. Why? It's easy to show off what you accomplish, as in "look how I am remotely controlling the screen of this Android phone from my PC". How many conferences have speakers demonstrate how their software is resilient against malicious insertion of invalid input, or malicious installation of executable software? I won't say "zero" but let's agree it's a small number? Why? It's not easy to demonstrate, it's not viewed as clever. This is rather sad, don't you think? History and sports history in particular are full of examples of "great defenses". That so few people are interested in the glory of a defense, the pride of producing "safe" software, or recognizing this kind of excellence with the equivalent of a vehicle safety or medical practice excellence awards is surprising... and sad.

Mitja: I absolutely agree. Adding to the effect is the fact that one can actually *prove*insecurity (and glamorously demonstrate it on stage) while it is *not possible* (not just not-easy, like you said) to really prove security in any meaningful way. We have the notion of "secure until proven broken" engraved in our industry's DNA without reasonable expectations for that to change.

And I'm really not impressed any more with on stage live hacks, however clever the minds behind them - there's just too much of it everywhere and it's more like entertainment than security. (Although it's useful for offensive purposes.) It would be nice if SW got really hard to break some day. Then I would enjoy an occasional demonstration of a live hack.

Skeptic: This was a great thread, thanks.

I may cobble it together into a blog post, would you mind? It's the kind of discussion that ought to have more visibility than merely we two.

Mitja:  Fire away, just allow me to review it if you plan on quoting me :)