<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">
<div>I got a bunch of replies that said this:<br>
"""<br>
Dave, enjoyed reading your rant, but I don't understand your
punchline on securing data --"but in fact, just to make it less
valuable" - how do you do make data less valuable?</div>
"""<br>
<br>
So to bring us back to how you do this, let 's take a quick look
at credit cards and Target, which are the best example of an "If
you collect it, hackers will come" information security strategy.
What Target really wants is not Chip and Pin (or worse, Chip and
Sign), but a transactional system that is only good ONE TIME and
to ONE PERSON. What they want is something where I say "On this
day please pay Target 11.50 USD" and then cryptographically sign
it. This is actually not that hard to do in the age of smart
phones and Google wallet. <br>
<br>
If you steal a bunch of those signed blobs, NOBODY CARES. They are
useful only to Target and only for that one day. I guess you could
datamine them and find out I bought a toothbrush that rotates
because I'm a sucker for such things, but that's it. We don't as
a society have to fund a giant team of FBI and SS agents to hunt
down teenagers in Eastern Europe (those headlines where we crow
about arresting some teenager are embarrassing to everyone
involved).<br>
<br>
In RSA's case you have to wonder why they have the key material
for their SecureID tokens in a DB of any kind at all? Just delete
that stuff as you create it. Instead of collecting data, how about
NOT collecting data? Wysopal likes to go on about "security
technical debt", which is essentially when you are building a
system and you don't consider security and later you have assess,
retrofit, or junk the entire system (this is the credit card
system from A to Z in a nutshell). Honestly, this is something
M&A people really should take into consideration a lot earlier
in their valuation process.<br>
<br>
But there is also a technical debt associated with collecting any
kind of large database of information. This is counter-intuitive
because having lots of information is a very valuable thing for a
corporation or Government agency! But it is also a huge liability,
and so building these databases should be undertaken with caution.
If you haven't asked "How can I make this database valueless to
anyone but me?" then you have already failed at information
security and you are left to worry about IT security instead.<br>
<br>
-dave<br>
<br>
<br>
<br>
On 7/16/2014 4:29 PM, Dave Aitel wrote:<br>
</div>
<blockquote cite="mid:53C6E0C3.2030903@immunityinc.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Like many of you, I went to the theater with a child much too
young and re-watched new and more awesome 3D-Jurrassic Park until
they cried loudly enough to annoy the other theater-goers and
wanted to leave. Because in 3D, those big dinosaur things are
scary. And also that dude gets eaten while on the toilet. <br>
<br>
And, honestly, looking at a lot of the security problems my
friends are dealing with on the defensive side makes me
re-iterate that I'd rather be eaten, while on the toilet if
necessary, by a large reptile than ever try to convince someone
that "cloud security" was possible. How are you going to do
anything securely in the cloud, when the core problem of
performance isolation is basically just a lot of hands waving over
a lot of CPU's in the basic architecture of perfidy that Seymore
Cray would have cried to have even dreamed about. <br>
<br>
I know you all feel the same way about sitting through any
presentations on Internet Scale Performance - except all your IO
is going over a cleartext leased line through both China and
Russia before coming back to you, on machines whose hypervisors
are all corrupted by malware that "can't possibly exist". <br>
<br>
And, of course, what my friends often want to know about is "the
root cause". You can probably see the
former-Saudi-contruction-project-managers that make up a lot of Al
Quada's command structure thinking the same thing. "Maybe if we
just stop using cell phones so much we'll stop getting eating by
the giant beasts that are hunting us?" And you can see Target's
new team using that same tone of voice except in a much nicer cave
somewhere in suburbia. "Hey, if we switch to whitelisting our
point of sales systems, will that prevent hackers from stealing
all the credit cards that people still use to buy their kids giant
book bags that can double as Go Karts?"<br>
<br>
And the answer, is of course, that if you put lots of sugar in a
bowl, flies will find a way to eat it. Life will find a way! It's
the Jurassic Park rule, and it applies equally to credit card
numbers, RSA token key information and State Department cables.
The way to secure your data is not to add layers of encryption and
whitelisting, but in fact, just to make it less valuable. You can
see <a moz-do-not-send="true"
href="https://www.youtube.com/watch?v=8KAVZEiIjk8&feature=kp">Archer
</a>saying "This is why we get Ants" right here, and it's not a
coincidence that <a moz-do-not-send="true"
href="https://www.immunitysec.com/products-innuendo.shtml">INNUENDO</a>'s
logo is a big ant head. <br>
<br>
-dave<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Dailydave mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a>
<a class="moz-txt-link-freetext" href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a>
</pre>
</blockquote>
<br>
</body>
</html>