Wanted to follow up on a few things from yesterday. First, to an extent, I owe Mr. Atwood an apology. I still stick by everything I said yesterday, but I think the tone was wrong. The truth is, while I still think his post was ridiculous, it wasn't completely without merit, and any idea with merit deserves to be treated fairly and with an open mind. So to the extent that I didn't do that, I'm sorry.
Another point from yesterday comes from the comments on Mr. Atwood's post. One commenter wrote...
Jeff hit idea #2 of the six dumbest ideas in computer security: http://www.ranum.com/security/computer_security/editorials/dumb/ and I totally agree. It is just a scaling issue.
The link leads to an article by Marcus Ranum, who claims to be "a renowned expert on security design and implementation" and "the implementor of the first commercial firewall" (he spelled implementer wrong, not me). For the record, I don't know whether those claims are true or not; the only reason I put them in quotes is that I couldn't find any verification for them aside from Wikipedia.
Anyway, in a post entitled "The Six Dumbest Ideas in Computer Security" he lays out "idea #2" for us...
Why is "Enumerating Badness" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate, application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness. In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:
- Remote Control Trojans
- Exploits that involve executing pre-installed code that you don't use regularly
Thanks to all the marketing hype around disclosing and announcing vulnerabilities, there are (according to some industry analysts) between 200 and 700 new pieces of Badness hitting the Internet every month. Not only is "Enumerating Badness" a dumb idea, it's gotten dumber during the few minutes of your time you've bequeathed me by reading this article.
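To make the contrast Ranum is drawing concrete, here is an added example (it is not from Ranum's article or from this post). It models the two policies with content hashes: an allowlist that records the digests of the approved programs and denies everything else, and a denylist that records the digests of known malware and allows everything else. The "binaries" are constructed byte strings standing in for real executables, and the names are invented. Beyond Ranum's point, it also shows the operational cost of the allowlist approach: a legitimate program that changes (a new version) is blocked until the allowlist is updated.

```python
import hashlib

# Constructed stand-ins for real executables. In practice these would be
# the bytes of the files on disk; the names and contents are invented.
APPROVED_BINARIES = {
    "editor.exe": b"MZ\x90\x00editor-v1.2",
    "browser.exe": b"MZ\x90\x00browser-v9",
}
KNOWN_MALWARE = {
    "oldworm.exe": b"MZ\x90\x00oldworm-payload",
}


def sha256(data: bytes) -> str:
    """Content digest used as the identity of a binary."""
    return hashlib.sha256(data).hexdigest()


# "Enumerating Goodness": the policy is the set of approved digests.
ALLOWLIST = {sha256(b) for b in APPROVED_BINARIES.values()}

# "Enumerating Badness": the policy is the set of known-bad digests.
DENYLIST = {sha256(b) for b in KNOWN_MALWARE.values()}


def allowlist_decision(binary: bytes) -> bool:
    """Default deny: the binary runs only if its exact digest is approved."""
    return sha256(binary) in ALLOWLIST


def denylist_decision(binary: bytes) -> bool:
    """Default allow: the binary runs unless its exact digest is known bad."""
    return sha256(binary) not in DENYLIST


def compare(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Run both policies over the samples; returns name -> (allowlist, denylist)."""
    return {name: (allowlist_decision(b), denylist_decision(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    samples = dict(APPROVED_BINARIES)
    samples.update(KNOWN_MALWARE)
    # Never-before-seen malware: no signature exists for it yet.
    samples["newworm.exe"] = b"MZ\x90\x00newworm-payload"
    # Known malware with a single byte changed: the old signature no longer matches.
    samples["oldworm-variant.exe"] = KNOWN_MALWARE["oldworm.exe"] + b"\x00"
    # A legitimate update to an approved program: not yet on the allowlist.
    samples["editor-v1.3.exe"] = b"MZ\x90\x00editor-v1.3"

    for name, (allow, deny) in compare(samples).items():
        print(f"{name:22} allowlist={'run' if allow else 'block':5} "
              f"denylist={'run' if deny else 'block'}")
```

The two unknown samples are where the policies diverge: the denylist lets both the new worm and the trivially modified variant run, because it can only stop what has already been enumerated, while the allowlist blocks them without any update. The price is the last sample: the allowlist also blocks the updated editor until someone adds its digest, which is the maintenance burden the IT executives in Ranum's anecdote are objecting to.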
The basic flaw in Mr. Ranum's theory is that he's living in the '80s, where every application was on the desktop and every communication was one-to-one over a modem. The web allows people to use applications that their administrators wouldn't have even dreamed of, and it allows them to do it in packets that are often encrypted.
More to the point, everyone's addiction to the web keeps administrators from blocking most sites outright. I would love to live in a world where I could specify which sites users were allowed to visit and block all the rest, but that isn't the world we live in.
Given that fact, I'd argue that web data, specifically secure (encrypted) web data, can't be enumerated. This leads me to Mr. Ranum's next point...
Now, your typical IT executive, when I discuss this concept with him or her, will stand up and say something like, "That sounds great, but our enterprise network is really complicated. Knowing about all the different apps that we rely on would be impossible! What you're saying sounds reasonable until you think about it and realize how absurd it is!" To which I respond, "How can you call yourself a 'Chief Technology Officer' if you have no idea what your technology is doing?" A CTO isn't going to know detail about every application on the network, but if you haven't got a vague idea what's going on it's impossible to do capacity planning, disaster planning, security planning, or virtually any of the things in a CTO's charter.
Well, I don't think CTOs are saying they don't know what apps they rely on; I think what they are saying is that they can't limit the web apps a user uses to only the ones that are business-related. Everyone in most companies, including senior management, uses the web for personal purposes at this point, and most of that usage is over the corporate network.
Anyway, I've already spent far too much time on this. I don't know why it annoyed me so much, but I think it has something to do with the prevalent attitude in the blogosphere that "we're right and everyone else is an idiot". So Jeff Atwood can contradict decades of conventional wisdom with no real explanation as to why he thinks almost every other security expert in the world is either an idiot or a liar, and no one questions it. When people do that without even acknowledging how crazy their idea sounds, it makes it seem like the blogosphere isn't a place for serious debate, and that annoys me.