Bug Hunters, Security Bug Hunters and Monkeys – Oh My
September 28, 2008
Linus Torvalds, yes – that Linus – the guy that started the Linux movement back in the day, went on a rant this summer on the gmane.linux.kernel forum. I have been meaning to write about this for a while now but kept getting sidetracked.
Here is just one point that he made. “I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.”
I am guessing that he got a significant amount of flame mail about that one.
But I want to address his main point which, after extrapolating the monkeys from the equation, is something like this. Security vulnerabilities are just a subset of all the other kinds of software bugs that exist. Why do we treat them as special cases? Should we treat them as special cases? Linus says, “It makes “heroes” out of security people, as if the people who don’t just fix normal bugs aren’t as important […] I don’t think some spectacular security hole should be glorified or cared about as being any more “special” than a random spectacular crash due to bad locking.”
Fair enough; especially in the open-source world where a good bulk of the programming is done by volunteers who do it for free. Surely the gear head who spent hours of his own personal time fixing the bad locking issue is just as important as the white hat who closed that nasty little buffer overflow problem on his own time.
I get it, Linus. I am willing to show a little love for the standard gear heads out there. Hell, I think all of the gear heads deserve their own Miller Beer commercial.
But (and you knew there was going to be a “but”, didn’t you?), does it really hurt us that much to dedicate some resources to only finding the security issues? In terms of impact, the two kinds of issues aren’t even in the same ballpark. The locking problem prevents you from using your application; that is a nuisance. The buffer overflow problem may cause you to unwittingly open up your entire network to some unsavory individuals who most likely associate with monkeys; that is bad – really bad.
Don’t get me wrong. I understand Linus’ frustration. In terms of arrogance, all of the security programmers that I know (and a bunch of them that work for me) are chock full of that arrogance stuff. That’s what I like about them, but they can be a little hard to take sometimes, and the OpenBSD guys that Linus was complaining about have that going on in spades. But their shenanigans kind of remind me of that old George C. Scott movie entitled Patton. General Omar Bradley, played by Karl Malden, was describing Patton to an aide. He said something like, “Give Patton a newspaper headline and he is good for another 60 miles of German territory.”
Well, the OpenBSD guys and most of the security bug hunters out there are just like Patton: a little arrogant (ok, ok, significantly arrogant), but give them a little credit and they rush back to their little dark caves illuminated by the flickering monitor and find just one more security bug. And I love them for it.
So Linus, when those arrogant little SOBs start to get under your skin, just call me. We will head over to the local drinking hole, grab a cold beer and salute the gear heads of the world. But this time, you have to sit next to the monkeys.
Bad Assumptions
August 24, 2008
I hate it when my assumptions are wrong, and boy, was I wrong this week.
When the Russians rolled their tanks into Georgia last week, I assumed, as did most of my colleagues, that the Russians were the aggressors. After all, they were the evil empire, weren’t they? Even though they got their backsides spanked when they lost the Cold War, it wouldn’t take much to push them over the edge again and get them back to their old evil ways. Right? Right?
Unfortunately, this was not the case at all.
It turns out that the Russians didn’t just wantonly launch an attack against Georgia. They were responding to aggression from the Georgians. That’s right. We originally thought that the distributed denial of service (DDoS) attacks that originated from Russia and Ukraine and were launched at Georgia were a precursor to the physical attacks and maybe even encouraged by the Russian government. In reality, the DDoS attacks were a protest against the Georgians bombing Ossetia. Stop! Go back and read that last sentence again. That is not a typo. For reasons that are too complicated to get into here (Kimberly Zenz, our Russian analyst, will write more detail for the WTR next week) the Georgians were bombing Ossetia after repeated warnings by the Russian government to stop. So, the Russians rolled their tanks.
You can argue that the Russian response was too much if you want to, but you can’t argue that they were not provoked. I was so ready to believe my base assumptions (Russia = E V I L E M P I R E) that it didn’t even occur to me that Russia might have had a real reason for going to war. You may not agree with it, but they had one. It reminds me of what the Great Samuel Jackson said in the movie “Long Kiss Goodnight”: “Everyone knows, when you make an assumption, you make an ass out of ‘u’ and ‘umption.’” You go, Sammy!
Galileo vs Newton: Smack Down at Story Town
August 24, 2008
You all know that I am a big podcast fan (mainly because I have two hours of drive time each day). I recently listened to one that I think directly applies to how we at iDefense go about our business.
The podcast is called Radio Lab and the particular episode is called “Tell Me A Story”. You can get it off of iTunes and listen to it with your MP3 player.
This particular episode talks about the importance of telling stories when you attempt to describe a complex thing. Let’s face it. Everything we do here at iDefense is an attempt to describe complex things. The featured podcast speaker, Robert Krulwich, talks about how scientists don’t particularly like to “dumb down” their material for the average Joe. Scientists figure that if this Joe guy is too dumb to understand the content, then he doesn’t deserve to hear about it either. Sir Isaac Newton was one of these scientists. When he published his famous book describing calculus (the Philosophiæ Naturalis Principia Mathematica – Mathematical Principles of Natural Philosophy), he purposely wrote it so that only the most advanced mathematical minds could understand what he was talking about (maybe five total in the entire world at the time). Newton didn’t want to deal with ankle biters who didn’t understand the larger picture, so he excluded them from the discussion.
Krulwich disagrees with this approach, and so do I. Far be it from me to disagree with the great Sir Isaac Newton, but Krulwich offers up another famous scientist who comes from a different school of thought: Galileo. When Galileo wrote his famous book proving that the planets do not orbit around the Earth but instead the Earth orbits around the sun (Istoria e dimostrazioni intorno alle macchie solari – Account and Evidence of the Sun Spots), he wrote it in Italian, not Latin. The target audience was the average Joe (or in this case, the average Tony). And that’s how he got into so much trouble with the Church back then. The Church did not like Galileo contradicting their explanation of how the universe worked, especially in a language that Tony could understand. The Church knew that Tony might actually learn something.
And that is the point, isn’t it? With all these complex things popping up in the security world, we can either elect to exclude the average Tony or to try to include him. At iDefense, we do our best to include. Sometimes we fail, but most times we get it right. When we do get it right, it is a beauty to behold. It is like Galileo tagging us to enter the wrestling ring after he has softened up his opponent. We climb to the top of the ropes and leap through the air, putting the Smack Down on Sir Isaac Newton. The crowd goes wild. Again. Chalk one up for the Tonys of the world.
Hello world!
May 23, 2008
Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!