When are we going to fix this mess? Part 2

By Adam Cecchetti

Continuing to expand on the thoughts from Part 1.

Overall, the idea that users shift their habits about every 10 years can be useful for shifting our focus onto the axis of time. We've seen this happen a few times, so is it possible to stop defending the indefensible and focus on where we're going next? Yes, but it is a vast oversimplification of the problem. Put more simply, end-of-life embedded routers will happily send packets at your border no matter how hard we try to wish them away.

First we need to define the problem. The problem scope is big. Just how big? Really freaking big... 

Scope Part 1 : Data As Code

Buffer overflows, cross site scripting, and SQL injection are all the same bug: data being interpreted as code. Anywhere the user can supply input creates the potential for a security issue. Once an attacker has a bug where user-controlled data is interpreted as code, full control of the affected system is somewhere between minutes and months of work away.

Leaving time aside, financial and political motivation doesn't map to difficulty of exploitation. What is running on the other end of that exploit is the real motivation.
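To make "the same bug" concrete, here is an added example (not code from the original post) showing the same mistake in two interpreters, SQL and HTML, and the same shape of fix in both: keep user data out of the code channel. It uses an in-memory SQLite database with a constructed users table; every name, password and payload below is made up for the demo.

```python
"""Added example (not from the original post): data parsed as code, shown
for SQL and for HTML. The fix is the same in both cases: parameters travel
out of band (SQL) or are escaped so they can only ever be text (HTML).
The users table, credentials and payloads are constructed for the demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one admin user and one normal user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse battery staple", "admin"),
         ("dan", "Dan1984!", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str):
    """User data is pasted into the SQL text, so a quote in the input ends
    the string literal and whatever follows is executed as SQL."""
    q = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(q).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, name: str, pw: str):
    """Parameters are bound separately; the SQL text never changes."""
    q = "SELECT role FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(q, (name, pw)).fetchone()
    return row[0] if row else None


def greet_vulnerable(name: str) -> str:
    """Same bug, different interpreter: user data inserted into HTML."""
    return f"<p>Hello, {name}</p>"


def greet_fixed(name: str) -> str:
    """Escape so the browser sees text, never markup."""
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR role='admin' --"      # closes the literal, adds a clause, comments out the rest
    print(login_vulnerable(conn, "admin", payload))   # admin
    print(login_fixed(conn, "admin", payload))        # None
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_fixed("<script>alert(1)</script>"))
```

The point is that neither fix is "filter out bad characters": the fixed versions never let the input reach the parser as code, so the content of the input stops mattering.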

Scope Part 2 : Gamers are Going to Game

There are two parts to this scope: "the game" and "the meta-game".

Gamers Are Going to Game

Testing business logic and protocols for corner cases doesn't have good automation, yet. It also happens to be something we're working on internally. Draining a bank account is just as effective if you can pose as an admin as it is if you drop 0-day on every system between you and the database. Even after we fix all of the logical gaming of a system, we're left with how attackers change tactics and move in graphs.

The Meta-Game

If you're an attacker you want it to be 1994 forever: little defense, no security awareness, lots of attack surface, and simple-to-write exploits. As one system gets hard to exploit, the focus shifts to the soft underbelly of whatever popular technology has the aforementioned qualities.

It is a side effect of defenders thinking in lists while attackers think in graphs. I've referred to this as the tear, the crack, the bit of shining light that lets the spice flow. Once the outer shell, whether made of paper or stone, tears, it's open season and the impact clock starts to tick. An entire subsection of the industry is dedicated to trying to detect and mitigate what happens after the tear, or what comes next after that first hop.

Scope Part 3: The fastest way to EIP/impact is bad passwords. 

Passw0rd! Upper, lower, numeric, special!  

Different one for everything! Change every 90 days! Don't remember them with a mnemonic! Hide your passwords in a vault! Not the same as the last 10 you changed every 90 days in the past!

Why all the hubbub? The reason one person can edit a blog, wire transfer $1 billion USD, launch a missile, open a dam, or comment on pictures of cats is, in a perfect world, at best 16 characters long. More likely, it's "Dan1984!".

Even when we do manage to get a large amount of random entropy involved via reasonable key generation, we somehow consistently make the resulting keys difficult to use properly, build on top of, or develop with.
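Why "Dan1984!" is the likely outcome of "upper, lower, numeric, special" is easy to show with a few mangling rules of the kind password crackers apply to a wordlist. The following is an added example, not code from the original post: a tiny rule engine generates policy-compliant candidates from a constructed name list, tries them against a stored hash, and compares the size of that candidate space to a genuinely random 16-character password. The name list, year range, symbol set and target hash are all constructed here for the demo.

```python
"""Added example (not the post's code): a policy-compliant password that is
cheap to guess. A small rule engine in the style of a cracker's mangling
rules turns a short name list into Upper+lower+digit+special candidates and
tries each one against a stored hash. Wordlist, years, symbols and the
target hash are constructed for the demo."""
import hashlib
import math
from typing import Iterator, Optional

NAMES = ["dan", "adam", "alice", "bob", "eve"]   # constructed wordlist
YEARS = range(1950, 2011)                        # plausible birth years
SYMBOLS = "!@#$%^&*"                             # the "special character" rule


def candidates() -> Iterator[str]:
    """Generate passwords the way people actually satisfy a complexity policy:
    Capitalized name, a year, and a symbol at the end (or in the middle)."""
    for name in NAMES:
        cap = name.capitalize()
        for year in YEARS:
            yield f"{cap}{year}"                 # upper, lower, digit
            for sym in SYMBOLS:
                yield f"{cap}{year}{sym}"        # all four classes
                yield f"{cap}{sym}{year}"


def keyspace_bits() -> float:
    """Effective entropy of the rule-generated space, in bits."""
    return math.log2(sum(1 for _ in candidates()))


def random_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def crack(target_sha256_hex: str) -> Optional[str]:
    """Try every rule-generated candidate against an unsalted SHA-256 digest.
    Unsalted fast hashing stands in for what many sites store; a salted, slow
    KDF raises the cost per guess but does not change the number of guesses."""
    for pw in candidates():
        if hashlib.sha256(pw.encode()).hexdigest() == target_sha256_hex:
            return pw
    return None


if __name__ == "__main__":
    stored = hashlib.sha256(b"Dan1984!").hexdigest()   # constructed victim hash
    print(crack(stored))                                # Dan1984!
    print(f"rule space: {keyspace_bits():.1f} bits")    # ~12.3
    print(f"16 random chars: {random_bits(16):.1f} bits")  # ~105.1
```

Five names, 61 years and eight symbols give about 5,000 candidates, roughly 12 bits; a real wordlist makes it bigger but not by enough to matter against a GPU. The policy produced a password that looks strong and is not, which is the point of the section.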

Looking to the past to fix the future... 

In the past we have won when we have made a user's life better. In effect we've won the same way everyone else has: by being part of solving a pain point. In some stretch of the word irony, we have Trojan-horsed some security into people's lives when we made their lives better.

By my count the security industry has universally made consumers' lives more secure two and a half times.

Wifi

No one wanted to install Ethernet in their home. Enter Wifi! We gave them a NAT/firewall with their wireless network. No one cared about the firewall part, even though it was really important to get right.

Cryptographic Tunnels

Some people wanted to work and shop from home. In turn they got a cryptographic tunnel to send their credit card number and email over. No one cared about the math, even though it is the foundation of all modern real security and privacy. They cared when their credit card ended up being used to buy laptops with overnight international shipping.

Two Factor Authentication

Remembering a complex password is hard. Regrinding your level 90 WoW character is harder. As individuals realize they don't want to spend a second lifetime rebuilding their WoW character, bank account, and lives, we're starting to make people's lives more secure with Two or Multi Factor Authentication.

Are any of these technologies without failings? Absolutely not: wifi routers are part of the same IoT distributed time bomb we've been constructing for the last decade, TLS libraries continue to be forged into shape, and we still can't get our banks to enable Two Factor Auth for everything we'd like them to.

In part 3 we discuss how to continue to look at security from the axis of time.