Friday, February 1, 2008

11 Deceptive Truths We Think We Agree To

Okay, I'm really annoyed by Rich Mogull's "11 Truths We Hate To Admit". Basically, it's a list of trolls that have popped up in the last few years. I'm surprised he didn't add "the IDS is dead" or "the firewall is dead". Following are my responses to his "truths":

"1. Signature based desktop antivirus is an addiction, not effective security." This is one of the more offensive trolls. It's right up there with "the IDS is dead" and "the firewall is dead". Statements like this make sweeping assumptions about what you're trying to protect and what tools you're using to protect those assets. Sadly, signature-based anti-virus actually has the best ROI.

"2. The bad guys beat us because they're agnostic and we're religious." Complete and utter BS. The bad guys are in the lead because they're doing the majority of the research. It's a bad analogy to start with, because if the good guys were ever to "win", every bad guy would be either dead or in jail. Mebbe it's better to call it the "game of life"?

"3. Antitrust concerns force Microsoft to weaken security." Hahahahahahahahahahahahahahahahahahahahahahahahahaha...!!! Yeah, keep believing that Microsoft would give something away for free if they hadn't been sued in the past. Troll!!

"4. Vendors are like politicians - they lie to us because we ask them to." Wow. Uh, can I sell you something? Troll!

"5. We're terrible at talking to, or understanding, those that fund us." Uh, speak for yourself. Obviously, a good chunk of us understand "business-ese". Otherwise, the "industry" would have died of atrophy years ago.

"6. Security researchers need to grow up." Obviously Mr. Mogull has never seen someone else's name tacked onto his work, had his work denigrated in the mainstream press, or been under attack from an organization that refused to believe its product was ever anything other than perfectly secure. Troll!

"7. Security companies make more money when there are more incidents." Somewhat true. However, Mr. Mogull seems to have missed the mark by claiming that the fastest way to grow a security market is to have a product ready when a massive exploit hits. It's a fallacy. The actual fastest way is to have a good marketing plan ready for when the next big exploit hits. You can go a lot further with a superb marketing plan and a crappy product than you can with a superb product and a crappy marketing plan. The day a painful, day-stopping exploit occurs is when the lawyers make the most money. They're followed by vendors, as companies abandon certain products for others, and then by insurance companies, as companies attempt to transfer the risk (look it up in your CISSP books) of future exploits. The security companies are somewhere after that.

"8. Network security is the result of a mistake, not an industry worth perpetuating." Either a troll or a cry for help. Network security is a need arising out of the fact that your company has a competitor. Ideally, life would be serene and no one would feel the need to steal your secrets. In the real world, someone sees some sort of profit (financial, emotional, relational) in breaking into your systems and changing something. Mr. Mogull's argument only holds water if you believe that somewhere out there, utopia exists.

"9. Disclosure is dead." WTF?!! Given their druthers, companies don't disclose sh#t. This is a massive troll that suffers from the wide-ranging, yet slowly moving, pendulum of "accepted practice". Hint: a number of recent laws now require "disclosure", yet there have been a number of lawsuits which have forced limited disclosure of vulnerabilities and exploits.

"10. Momentum will destroy us, until it doesn't." Uh, huh? Innovation is a marketing practice. Operationalization is a marketing term (okay, a vague rationalization for an irrational decision). The entire paragraph is basically a gripe that neither our employers nor the bad guys have remained static. Whiny troll!

"11. We can't fail." Mebbe as a whole. However, individual security companies fail often. They sometimes "take their customers with them". Just as the bad guys will never "win the war" (face it, it isn't a "war" where people die from every port scan), neither will the good guys. A much better analogy is to view it as a competition, where your goal is to "keep up".