
Security Paleontology - The Jurassic Park rule
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 16 Jul 2014 16:29:55 -0400

Like many of you, I went to the theater with a child much too young and
re-watched the new and more awesome 3D Jurassic Park until they cried
loudly enough to annoy the other theater-goers and wanted to leave.
Because in 3D, those big dinosaur things are scary. And also that dude
gets eaten while on the toilet.

And, honestly, looking at a lot of the security problems my friends are
dealing with on the defensive side makes me reiterate that I'd rather
be eaten, while on the toilet if necessary, by a large reptile than ever
try to convince someone that "cloud security" was possible. How are you
going to do anything securely in the cloud, when the core problem of
performance isolation is basically just a lot of hands waving over a lot
of CPUs in the basic architecture of perfidy that Seymour Cray would
have cried to have even dreamed about?

I know you all feel the same way about sitting through any presentations
on Internet Scale Performance - except all your IO is going over a
cleartext leased line through both China and Russia before coming back
to you, on machines whose hypervisors are all corrupted by malware that
"can't possibly exist".

And, of course, what my friends often want to know about is "the root
cause". You can probably see the
former Saudi construction project managers that make up a lot of Al
Qaeda's command structure thinking the same thing. "Maybe if we just
stop using cell phones so much we'll stop getting eaten by the giant
beasts that are hunting us?" And you can see Target's new team using
that same tone of voice, except in a much nicer cave somewhere in
suburbia. "Hey, if we switch to whitelisting our point-of-sale systems,
will that prevent hackers from stealing all the credit cards that people
still use to buy their kids giant book bags that can double as Go Karts?"

And the answer is, of course, that if you put lots of sugar in a bowl,
flies will find a way to eat it. Life will find a way! It's the
Jurassic Park rule, and it applies equally to credit card numbers, RSA
token key information and State Department cables. The way to secure
your data is not to add layers of encryption and whitelisting, but in
fact, just to make it less valuable. You can see Archer
<https://www.youtube.com/watch?v=8KAVZEiIjk8&feature=kp> saying "This is
why we get ants" right here, and it's not a coincidence that INNUENDO's
<https://www.immunitysec.com/products-innuendo.shtml> logo is a big
ant head.


Attachment: signature.asc
Description: OpenPGP digital signature
