[fc-discuss] Financial Cryptography Update: Is Security Compatible with Commerciality?

iang@iang.org iang@iang.org
Fri, 12 Aug 2005 11:12:33 +0100 (BST)


 Financial Cryptography Update: Is Security Compatible with Commerciality? 

                            August 12, 2005


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000531.html



------------------------------------------------------------------------

A debate has erupted over the blogspace where some security _insiders_
are saying that there is real serious exploit code sitting there
waiting to be used, but "if we told you where, we'd have to kill you."

http://taosecurity.blogspot.com/2005/08/more-mildly-condescending-comments.html

This is an age-old dilemma.  The _outsiders_ say, "tell us what it is,
or we believe you are simply making it up."

http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/mr_shostack_tea.html

I have to agree with that point of view as I've seen the excuse used
far too many times, from security to finance to war plans.  Both inside
and outside.  In my experience, when I do find out the truth, the
person who made the statement was more often wrong than right, or the
situation was badly read, and nowhere near representative.

Then, of course, people say that they have no choice because they are
under NDA.  Well, we all need to eat, don't we?  And we need to
maintain faith and reputation for our next job, so the logic goes.

This is a trickier one.  Again, I have my reservations.  If a situation
is a real security risk, then what ever happened to the ethics of a
security professional?  Are we saying that it's A-OK to claim that one
is a security professional, but anything covered by an NDA doesn't
count?  Or that when a company operates under NDA, it's permitted to
conduct practices that would ordinarily be deemed insecure?

Fundamentally, an NDA switches your entire practices from whatever you
believed you were before to an agent of the company.  That's the point.
So you are now under the company's agenda - and if the company is not
interested in security then you are no longer interested in security,
even if the job is chief security blah blah.  Is that harsh?  Not
really, most security companies are strictly interested in selling
whatever sells, and they'll sell an inadequate or insecure tool with a
pretty security label with no problem whatsoever.  Find us a company
that withdrew an insecure tool and said it was no longer serving users,
and we might have a debate on this one.

At the minimum, once you've signed an NDA, you can't go around
purporting to have a public opinion on issues such as disclosure if you
won't disclose the things you know yourself.  Or, maybe, if you chose
to participate in the security practices covered under NDA, you are
effectively condoning this as a security practice, so you really are
making it all up as you go.  So in a sense, the only value to these
comments is simply as an advert for your "insideness," like the HR
people used to mention as a deal breaker.

It is for these reasons that I prefer security to be conducted out in
the open - conflicts like these tend to be dealt with.  I've written
before about how secret security policies are inevitably perverted to
other agendas, and I am now wondering whether the forces of
anti-security are wider than that, even.

It may be that it is simply incompatible to do security in a closed
corporate environment.

Consider the last company you worked at where security was under NDA -
was it really secure?  Consider the last secure operating system you
used - was it one of the closed ones, or one of the free open source
implementations with a rabid and angry security forum?  Was security
just window dressing because customers liked that look, ticked that
box?

Recent moves towards commercialism (by two open organisations in the
browser field) seem to confirm this; the more they get closer to the
commercial model, the more the security baby gets thrown out with the bath
water.

What do you think?  Is it possible to do security in a closed
environment?  And how is that done?  No BS please - leave out the hype
vendors.  Who seriously delivers security in a closed environment?  And
how do they overcome the conflicts?

Or, can't you say because of the NDA?
