Reliable Security Information
Theory of Stupidivity: Your Guarantee of Cybersecurity Failure

Today's cant on cybersecurity is news on 'Einstein,' the security system to be installed on all government computers in order to protect them from cyberspies.


"It is supposed to detect known types of cyberattacks and immediately alert the cybersecurity center," reports the Wall Street Journal. "The problem: Like its predecessor, it still can't detect or block sophisticated attacks that weren't previously known, said Stewart Baker, a former senior Homeland Security Department official. Homeland Security is the only department using it so far."

"Homeland Security Department first developed Einstein in 2003, adapting technology from a Pentagon program that monitored military networks ... " informs the WSJ.


In another manner of speaking, it uses the anti-virus software model of 'security.'


Entrenched and solidified over decades, anti-virus software detects only malware that has already been submitted in samples and examples to its developer. That is, by definition, it can't detect the newest attacks until someone else -- hopefully not you -- has been snared by them.


Over years and years, it has inspired, accelerated and ensured an arms race between virus-writers and software developers, a process that is now locked in stone.


Last week, for example, an advertisement with malicious code in it threw three viruses at DD's PC. Software caught two and I was left to net the third, which I caught when it tried to alter the system. I threw the virus into a directory I keep for unidentified malware and suspicious programs. A few days later, when the a-v software updated for the third or fourth time after the incident, it was detected. So someone, not just me, had been exposed to it and taken the time to send a sample to the company. And there were, invariably, some people who were screwed over by it.


Security expert Marcus Ranum discussed this at length some years ago in "The Six Dumbest Ideas in Computer Security."


In essence, the Einstein system and plan for making government computers secure accumulates these ideas into one big ball. Let's call it "The Theory of Stupidivity," in honor of the Einstein name. Now don't go off the rails here. The government isn't the only guilty party. Almost everyone seems to practice most of the six dumbest ideas in computer security.


Notable among these flaws is the dumb idea Ranum called "Enumerating Badness." It's the definition of the anti-virus/anti-malware/anti-spyware industry.


Back in the good ol' days when s----happening wasn't everywhere "security practitioners got into the habit of 'Enumerating Badness' -- listing all the bad things that we know about. Once you list all the badness, then you can put things in place to detect it, or block it."


"Why is 'Enumerating Badness' a dumb idea?" asked Ranum. "It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness."


"Enumerating Badness" goes hand in hand with "Penetrate and Patch."


"One clear symptom that you've got a case of 'Penetrate and Patch' is when you find that your system is always vulnerable to the 'bug of the week," wrote Ranum. "It means that you've put yourself in a situation where every time the hackers invent a new weapon, it works against you. Doesn't that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind."


Does that sound like common news from the cybersecurity beat? Rhetorical question.


Practically speaking, there's not much hope of 'secure by design' anymore. And the current news about the Einstein system only underlines it.


Let's return to the WSJ article. "Homeland Security is the only department using it so far," it says.


This is not necessarily a bad thing. There's really not much point in being forced into being an early adopter when something isn't an improvement on what one already has. And is unknown in its bugs and weaknesses, and maybe worse.


Good advice could be to be 'last in line' for Einstein, version whatever, until everyone else has it sorted out.




In other matters this week:


"Jack Goldsmith, a professor at Harvard Law School who was an assistant attorney general from 2003 to 2004, is writing a book on cyberwar," threatened a by-line on the op-ed pages of the NY Times.


Goldsmith, a lawyer from the Bush administration awarded a pass from the left for his tell-all book on the 'terror presidency', joins other famous ex-government officials, who as soon as they've finished with their cash-ins, refashion themselves as seers of the techno-future and set about writing tomes which are part thriller, part warning, containing multitudes of allegedly new-fangled plots and actions against the country.


The most notable example is Richard A. Clarke. Clarke got into writing security warning techno-thrillers. His first, entitled "The Scorpion's Gate," was a success. The second, "Breakpoint," dealt with cyberterrorism and sank without much trace.


For the Times, Goldsmith emitted a bit of a teaser, casting himself as one of the new electronic Pearl Harbor men, a species in no short supply.


Goldsmith has newly discovered cybersecurity. For the Times, his opinion piece furnished the standard cliches and sincere hand-wringing concern about the menacing nature of it and what must be done. Just like the ten thousand or so before him over the last fifteen years.


In the first graf of the opinion piece, we get the China-did-it meme. Federal law now mandates it be inserted in every opinion piece on cyberwar


"Our economy, energy supply, means of transportation and military defenses are dependent on vast, interconnected computer and telecommunications networks ... In the last few months it has been reported that Chinese network operations have found their way into American electricity grids, and computer spies have broken into the Pentagon's Joint Strike Fighter project," it reads.


"The government should jump-start [cybersecurity] education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network," Goldsmith opines.


Good idea. Require licensing and vetting for everyone's home and business desktop PC or refuse entry to the net. First step: Close down all the unregulated PC departments in consumer electronics stores like BestBuy. Second step: Decertify and refuse connection to all desktop and laptop PCs in use at public schools and at universities. Third step: Disallow all connection to the Internet by DSL, cable modem, wireless or dial-up from private residences, apartments and Internet cafes until all PCs are declared sanitized and impervious to penetration. Fourth: Raid and take out of business all big ISPs unable to guarantee their customers to be computer virus free. Last: Immediately put those damn kids always launching scripted UDP floods in jail.


Just pulling your leg.




George Smith also blogs here.


 
Subscribe to SitRep:
GlobalSecurity.org SitRep RSS Feed GlobalSecurity.org SitRep ATOM Feed