I had posted about the article from Tim Wilson (DarkReading) giving a blitz of opinion from Peter Tippett, but deleted the post. I got the link from Rothman, and now I see (as I catch up with the news) Hoff posted as well. Shit, I guess I will repost, especially as I can fully empathize with Hoff’s feelings “flip-flopping between violent agreement and incredulous eye-rolling from one paragraph to the next.” I also deleted my post because I really had no idea who Peter Tippett is.
Tippett compared vulnerability research with automobile safety research. “If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver,” he said. “It isn’t very likely, but it’s possible.
“If I disclose that vulnerability, shouldn’t the automaker put in some sort of arrow deflection device to patch the problem? And then other researchers may find similar vulnerabilities in other makes and models,” Tippett continued. “And because it’s potentially fatal to the driver, I rate it as ‘critical.’ There’s a lot of attention and effort there, but it isn’t really helping auto safety very much.”
I sometimes use such analogies myself, but I think it is important not to lean too heavily on them. The analogy above ignores the ease and efficiency of digital attacks. It would be more accurate if I could shoot many arrows randomly, build arrow-firing machines in any place I want, and recruit others who can easily build and deploy such devices. If this occurred with the efficiency, impersonality, and ease of a digital attack, you bet it might be a concern for Ford. Likewise, such arrow attacks may impact just the drivers and a few nearby cars; a data disclosure or cyber attack could affect hundreds or thousands, for years.
I also took exception to the following, which might be a problem with condensing Tippett to a few hundred words, or might mean Tippett needs to do a little soul-searching on how he wants to approach security.
But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. “In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,” he said. “But what did you really gain by implementing them? He only needed one.”
versus
Tippett also suggested that many security pros waste time trying to buy or invent defenses that are 100 percent secure. “If a product can be cracked, it’s sometimes thrown out and considered useless,” he observed. “But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don’t have to be perfect to be helpful in your defense.”
What the hell is he trying to conclude here? I could be reading more than he is intending, but hopefully he just wants to say we need to think more about the value of these measures. It just struck me as odd that he takes two rather opposing positions there. Both approaches don’t secure 100%, but in one case he questions the value and in the other condones it.
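To put some numbers behind the "he only needed one" point, here is a small probability model I am adding to this post; it is my own illustration, not something from Tippett or the DarkReading article. It assumes the attacker has the password file and picks accounts to crack at random without repeats, and it treats "weak" as "crackable within the attacker's budget." The 10,000 / 5,000 / 2,000 figures are the ones quoted above; the detection budget (how many accounts the attacker can work on before someone notices) is an assumed knob, not anything from the article.

```python
def p_at_least_one_weak(weak: int, total: int, attempts: int) -> float:
    """Probability that an attacker who cracks `attempts` distinct accounts,
    chosen at random from `total`, hits at least one of the `weak` ones.
    Sampling without replacement, so P(none weak) is the hypergeometric
    product (total-weak)/total * (total-weak-1)/(total-1) * ..."""
    if attempts >= total - weak + 1:
        return 1.0  # more attempts than strong accounts: a weak one is guaranteed
    p_none = 1.0
    for i in range(attempts):
        p_none *= (total - weak - i) / (total - i)
    return 1.0 - p_none


def expected_accounts_until_first_weak(weak: int, total: int) -> float:
    """Expected number of accounts the attacker must try before the first
    weak one turns up (negative hypergeometric mean: (total+1)/(weak+1))."""
    return (total + 1) / (weak + 1)


def compare_policies(total: int, weak_before: int, weak_after: int,
                     detection_budget: int) -> dict:
    """Compare the attacker's odds before and after a password policy that
    shrinks the weak-password population, both with an unbounded attacker
    and with an assumed detection budget of `detection_budget` accounts."""
    return {
        "expected_tries_before": expected_accounts_until_first_weak(weak_before, total),
        "expected_tries_after": expected_accounts_until_first_weak(weak_after, total),
        "p_success_within_budget_before": p_at_least_one_weak(weak_before, total, detection_budget),
        "p_success_within_budget_after": p_at_least_one_weak(weak_after, total, detection_budget),
    }


if __name__ == "__main__":
    # Figures quoted in the post: 10,000 machines, 5,000 crackable passwords
    # before the long-password policy, 2,000 after. The detection budget of 3
    # accounts is an assumed value for illustration.
    for budget in (3, 10):
        r = compare_policies(total=10_000, weak_before=5_000, weak_after=2_000,
                             detection_budget=budget)
        print(f"detection budget {budget}: {r}")
```

With no detection at all the policy moves the attacker's expected effort from about two accounts to about five, which is Tippett's point exactly: he still only needs one. The same model shows where the policy does earn its keep: if cracking activity is caught after three accounts, the attacker's chance of success drops from roughly 88% to roughly 49%, whereas with a budget of ten both policies leave him near-certain to succeed. The value of the longer passwords depends on what else is in place, not on the password rule alone.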
“The analogy above ignores the ease and efficiency of digital attacks. This analogy would be more accurate if I could shoot many arrows randomly, build arrow-firing machines in any place I want, and recruit others who can easily build and deploy such devices. If this occurred with the efficiency, impersonality, and ease of a digital attack, you bet it might be a concern for Ford.”
not to be contrary or anything, but if you go to these extremes, are you not changing it to an analogy that demonstrates the 3% of vulnerabilities he’s saying actually do get exploited as opposed to the 97% that don’t?
I think what he was getting at is that most vulnerabilities are as obscure and pointless to worry about as shooting arrows through the tops of cars… only 3% exploited suggests you need a better reason to worry about a vulnerability than just because it’s there…
“It just struck me as odd that he takes two rather opposing positions there. Both approaches don’t secure 100%, but in one case he questions the value and in the other condones it.”
well, to be fair, in one of those cases the value appears to be basically zero…