[Dailydave] First RSAC 2015 Note

Michal Zalewski lcamtuf at coredump.cx
Tue Apr 28 11:47:28 EDT 2015


> As an offensive technique, power analysis is quite useful (which is why
> NSA boxes filter their power supplies). As a defensive technique it is
> entirely useless. If all a malware writer has to do is add
> sleep(rand()); into their code in a couple of places to defeat your
> detection, then you probably shouldn't build a whole company based on
> the hope that they won't someday do that.

Antivirus companies had a good run for the past ~20 years, and many of
the most successful multi-billion-dollar post-AV businesses embrace a
functionally similar approach - just mentioning APT and cloud-based
machine learning a bit more. Analyzing power consumption doesn't
offend my sensibilities more than divination from binary signatures or
syscall patterns.

The success of the "enumerating badness" approach to security is
probably unparalleled by anything else the industry has had to offer in
a very long time. So, I'm not sure if your "probably shouldn't" is a
valid concern.

One could lament so much money and resources being tied up on
solutions that will probably not stop an interesting victim from
getting owned, but then, what would? The only thing that probably
works well is hiring a top-notch security team and giving them
sweeping powers - but good candidates are in extremely short supply
and are hard to tell apart from quacks.

/mz
