[Dailydave] Security Paleontology - The Jurassic Park rule

Dave Aitel dave at immunityinc.com
Wed Jul 16 16:29:55 EDT 2014


Like many of you, I went to the theater with a child much too young and
re-watched the new and more awesome 3D Jurassic Park until they cried
loudly enough to annoy the other theater-goers and wanted to leave.
Because in 3D, those big dinosaur things are scary. And also that dude
gets eaten while on the toilet.

And, honestly, looking at a lot of the security problems my friends are
dealing with on the defensive side makes me reiterate that I'd rather
be eaten, while on the toilet if necessary, by a large reptile than ever
try to convince someone that "cloud security" was possible. How are you
going to do anything securely in the cloud, when the core problem of
performance isolation is basically just a lot of hands waving over a lot
of CPUs in the basic architecture of perfidy that Seymour Cray would
have cried to have even dreamed about.

I know you all feel the same way about sitting through any presentations
on Internet Scale Performance - except all your IO is going over a
cleartext leased line through both China and Russia before coming back
to you, on machines whose hypervisors are all corrupted by malware that
"can't possibly exist".

And, of course, what my friends often want to know about is "the root
cause". You can probably see the
former-Saudi-construction-project-managers that make up a lot of Al
Qaeda's command structure thinking the same thing. "Maybe if we just
stop using cell phones so much we'll stop getting eaten by the giant
beasts that are hunting us?" And you can see Target's new team using
that same tone of voice except in a much nicer cave somewhere in
suburbia. "Hey, if we switch to whitelisting our point-of-sale systems,
will that prevent hackers from stealing all the credit cards that people
still use to buy their kids giant book bags that can double as Go Karts?"

And the answer is, of course, that if you put lots of sugar in a bowl,
flies will find a way to eat it. Life will find a way! It's the
Jurassic Park rule, and it applies equally to credit card numbers, RSA
token key information and State Department cables. The way to secure
your data is not to add layers of encryption and whitelisting, but in
fact, just to make it less valuable. You can see Archer
<https://www.youtube.com/watch?v=8KAVZEiIjk8&feature=kp> saying "This is
why we get Ants" right here, and it's not a coincidence that INNUENDO
<https://www.immunitysec.com/products-innuendo.shtml>'s logo is a big
ant head.

-dave
