I missed this discussionary topic from Rich at Securosis the other week. I’m likely a bit late to join the convo, but I wanted to post a link here and throw some reactions. Rich basically proffered the idea of allowing a regulated agency to isolate or clean compromised systems (i.e. from threatening the safety/security of others).
Read his post and the comments for starters. Below, I’ll try to be brief and bulleted.
1. Safety and security. There is a big difference between those two terms. The firefighters in Rich’s opening analogy deal with safety. I have no argument that a firefighter can break into my burning house and further trash it in the interest of public or personal safety. But when it comes to security, we have a different topic, especially when security is ephemeral and fights with privacy. It is usually very clear when safety is impacted and far less clear when security is impacted and to what degree.
2. Is cybersecurity that dire an issue? We security geeks often act like an unpatched system spewing spam is the worst thing in the world, but is it? Sure, we don’t like it, but how does that weigh with other issues I bring up below, or with our privacy? We are really nothing as a free country without being able to protect our privacy to a degree.
3. Mistakes or corporate vs individual. Let’s say we have compromised systems and an agency is mandated to go in and burn the books at 451 deg…err…clean the system or shun that network node from the rest of the internet (isolation). What if that was a Google data center? Or Mom’s Crab Shack? or my home system? It won’t take but a handful of mistakes before this breaks down. And what if that were a false positive?
4. Agendas. I hate to be a pessimist sometimes, but we can’t even go to war without half the general public speaking up about agendas (right or wrong). And things don’t get better with smaller incidents (pork barrels?), they just get less exposed. “Gosh, I don’t know how my opponent’s campaign office got raided like that!” “Gosh, just go easy on that large company that employs a huge number of my constituents…” “Gosh, my district has an *epidemic* of compromised systems; we need to declare a cyber emergency and get more funding!”
5. IPS. One argument that still surfaces about IPS is their ability to suddenly shun false positives. In practice, it is difficult to do, but in theory, an attacker (or mistaken configuration!) can trigger an IPS to fire blocking protections and shun legit servers or networks. Remember SWATing? Eve calls 911 and gives Vince’s address so SWAT raids Vince’s house. Oops! This is very similar to the “mistakes” bullet above.
6. Potentiality. What if a system is potentially vulnerable to an attack? The debate on being proactive once “active” is allowed becomes muddier, and dangerous. ThoughtCrime, FutureCrime?
6. The Slope. We move very big steps closer to questioning the integrity of our Operating Systems. Should we proactively shun every Windows box not behing a network/firewall device? Why not just shun every non-perfect OS? We do like to batter and bash groups like Microsoft for their system’s insecurities, but let’s face it, such a product will never be perfect. Especially as a consumer product. I don’t like the road such actions move us towards.
7. Nothing to hide. Want to instantly drive a privacy advocate or even most hackers crazy? Utter the phrase, “Well, innocent people have nothing to hide.” If you still hold that argument aloft, I’m sorry in advance for your ignorance or tragic upbringing. I’d rather be surrounded by Mac zealots proclaiming their OS 100% secure…
8. Get off my systems. As an individual or a corporate entity, I would not be happy about someone being able to arbitrarily control my systems, even to “fix” them or “save” others. More on this on a follow-up post…
At the end of the comments, “Rob” posted what I think sums up my feelings, “I don’t like disagreeing with Rich, but I’d rather have a million botnets active on the internet than sacrifice the tiny remaining legal barriers to police invading my computers.”