Because I'm all about the "good enough."

Thursday, September 25, 2014

Shock treatment.

Another day, another bug ... although this one is pretty juicy. One of the most accessible primers on the Bash Bug is on Troy Hunt's blog.

As many are explaining, one of the biggest problems with this #shellshock vulnerability is that it's in part of the Unix and Linux operating systems -- which means it's everywhere, particularly in things that were built decades ago and in things that were never meant to be updated. There will be a lot of hand-wringing over this one.

But I think I have a way to address it.

It's a worn-out analogy, but bear with me here. Windows in buildings. Now, we know glass is fragile to different extents, depending on how it's made. Imagine that we had hundreds or thousands of "glass researchers" who published things like this:
"Say, did you know that a 5-pound rock can break this kind of glass?" 
Whereupon business owners and homeowners say: 
"Oh jeez, okay, I guess we'd better upgrade the glass in our windows." 
Researchers:
"Say, did you know that a 10-pound rock can break this kind of glass?" 
Business- and homeowners:
"Sigh ... all right ... it's going to be expensive, but we'll upgrade." 
Researchers:
"Say, did you know that if you tap on a corner of the glass right over here that it'll break?" 
Business- and homeowners:
" ... " 
Researchers:
"Say, did you --" 
Business- and homeowners:
"WILL YOU FOR CHRISSESAKE GET A LIFE??"

Yes, glass is fragile. So is IT. We all know that. And we don't expect everyone in the world to have the same level of physical security that, say, bank vaults do.

If there's a rash of burglaries in a neighborhood, we don't blame the residents for not having upgraded to the Latest and Greatest Glass.* No, we go after the perps.

Without falling too much into the tactical-vest camp, I think we ought to invest more money and time into defending the Internet as a whole, by improving our ability to tag, find and neutralize prosecute attackers. Right now, the offerings in the security industry are heavily on the enterprise side -- because after all, especially in the case of the finservs, that's where the money is. There are some vendors who are trying to address critical infrastructure, automotive and health care, which are three areas where people can and eventually will die as a result of software breaches. But we shouldn't wait until that happens to go on the offensive. We need a lot more investment in Internet law enforcement.

This is a case where expecting the world at large to defend itself against an infinite number of attacks just doesn't make sense.



*If you think it's cheap to patch, you haven't worked in a real enterprise.