on the total failure of information security

Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn’t smack of an extremist and very dramatic “I’m not here to listen to rebuttals” tone, then I don’t know what would.

I held my comments, and instead wanted to hear Noam’s follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, “Racism is bad, yeah, let’s all get violently upset that racism is bad!” and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.

Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, “How can we fix this?” he offers, “Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your comments and feedback.” Honestly, this sounded half like he was going to use other people’s suggestions to formulate his own; shady.

Sadly, the follow-up I had hoped for was not to be.

Instead, Noam’s follow-up consisted of some “Yay, people agree with me!” at the start, and then bogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2-factor authentication for Gmail and Hotmail…). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don’t all have those, but maybe not quite so useless and attention-pleading).

I am overall disappointed with this approach. I don’t argue that the general feeling of Noam’s article is wrong. I think we do have problems and issues, although I’m not sure we have a total failure. I had much more to say about the article, but I don’t feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:

1) You can’t use stats to measure something that is, as a whole, still growing; you have to wait for a plateau to get meaningful stats, or perhaps use ratios instead of raw counts.

2) Noam’s expectations may not be reasonable, as he implies that people should feel safe doing “normal and common” stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving forward at all.

3) I wonder what state we’d be in if we didn’t have what security we do have now?

4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.

2 thoughts on “on the total failure of information security”

  1. Hello LonerVamp,
    Thank you for your comments on my article.
    The second article posted was “Community Comments & Feedback to Security Absurdity Article” which highlighted some of the feedback from the article – both positive and negative. It was not however Part Two which will offer potential solutions. This is why you did not find the solutions you expected.
    You wrote, “Noam’s expectations may not be reasonable as he implies that people should feel safe doing “normal and common” stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets?”
    Walking around a really bad neighborhood with $100 bills sticking out of your pocket is no one’s idea of safe behavior. I had written:
    “My idea of security is that a user should be free to conduct, “normal and common” activities and not have to expect that he/she will be a victim of crime. If a man parks his expensive car in a bad neighborhood in the middle of the night and leaves it unlocked with the windows rolled down and with a $100 bill on the dashboard of the car, then that is irresponsible behavior and it is likely a crime will happen. However, if the man carries out what is considered normal activities – i.e., parks in the daytime on a busy street and locks it with a good security system – then that is normal and common behavior and a crime should not be expected. Today, computer users can use their computers for, “normal and common” activities – such as reading email, browsing the web, using instant messaging, searching for and downloading a screen saver – and still easily fall victim to viruses, trojans, and spyware. Leading anti-virus companies have an 80-percent miss rate, and malware is so prevalent and invasive that occasionally products are shipped straight from vendors which contain viruses and spyware!”
    Thanks for your comments!

  2. Sweet, thanks for the reply!
    “It was not however Part Two which will offer potential solutions. This is why you did not find the solutions you expected.”
    In that case, I’ll do as I did for the past year, pretty much withhold my comments until I see that next part. 🙂