Just about a year ago Noam Eppel released a paper that got posted pretty much everywhere and got lots of people in the security ranks talking. The paper was titled Security Absurdity: The Complete, Unquestionable, and Total Failure of Information Security. If that title didn’t smack of an extremist and very dramatic “I’m not here to listen to rebuttals” tone, then I don’t know what would.
I held my comments, and instead wanted to hear Noam’s follow-up article on what can be done to fix this. I really felt the first article was simply a dramatic flailing of arms and statistics on how everything is wrong; a device to get people all up in a lather and frothing at the mouth by saying something obvious and ignoring any real forward movement. I could make claims like, “Racism is bad, yeah, let’s all get violently upset that racism is bad!” and keep fanning those flames without actually doing anything to combat racism. Lots of Feel Good, not a lot of Forward Movement.
Noam promised in that article he would collect responses and combine those responses with a follow-up article on how to solve the issues. Under the header, “How can we fix this?” he offers, “Part Two of this article will contain a list of what we must do to address our current failure. It will incorporate your commends and feedback.” Honestly, this sounded half like he was going to use other people’s suggestions to formulate his own; Shady.
Sadly, the follow-up I had hoped for was not to be.
Instead, Noam’s follow-up consisted of some “Yay, people agree with me!” at the start, and then dogged down into the mud to simply argue at people who offered up some skepticism or disagreement with him. Basically, rather than fostering discussion, he quelled it by attacking the discussion to defend his vague position. He also offered no suggestions or solutions beyond a few weak moments in the first paper (2 factor authentication for gmail and hotmail…). This whole exercise seemed very self-serving and kinda like a cathartic rant session (not that we don’t all have those, but maybe not quite so useless and attention-pleading).
I am overall disappointed with this approach. I don’t argue that the general feeling of Noam’s article is wrong. I think we do have problems and issues, although I’m not sure we have a total failure. I had much more to say about the article, but I don’t feel it worthwhile so will just let this little anniversary end with the bullet form of what some of my points would have been:
1) You can’t use stats to measure something that is as a whole growing; you have to wait for a platuea to get meaninful stats, or perhaps ratios.
2) Noam’s expectations may not be reasonable as he implies that people should feel safe doing “normal and common” stuff online. Kinda like I should feel safe walking around a really bad neighborhood with $100 bills sticking out of my pockets? I wonder what reality Noam is envisioning in regards to information security utopias? We need to define this better if we have any hope of moving arbitrarily forward.
3) I wonder what state we’d be in if we didn’t have what security we do have now?
4) It might help to look at security and nature (Arms Race? evolution?) throughout history. It might give Noam some more perspective on reasonable expectations in security.