It’s been a while since I’ve put a post up here at ye olde bloge and despite the recommendation of many, I think it’s time to break the silence.

2009 was one heck of a year. 2010 is going to be ‘same as before, but with feeling!’

Let's just review, shall we?

2009 was largely a year of quiet but invasive changes to the status quo. Very few of the sacred tenets of the faith were questioned. The most ‘innovative’ work done by the security industry was really just rehashing the basic functionality of the first firewalls – attempting to control the data flowing in and out of an organization.

How’d that work out?

Yeah.

A complete farce.

Organizations “followed guidance” and found themselves repeatedly pantsed by a combination of self-serving prevarication on the exact letter of the regulation or requirement and plain old humans are meatpuppets. Millions of dollars were expended on security products that fail to achieve the marketeering screed. Millions of identities were put into the public domain for purposes nefarious and benign. Tens of millions of productive hours were lost to ineffective or paradoxical attempts at security.

The entire basis of most organizations’ security controls is “lock them down, restrict their accesses”. And yet the twin harbingers of our bright new future – Social Networking and The Cloud (insert orchestral music and angels singing) – are almost entirely predicated on the reverse notion – that openness and truthfulness will lead to success. There seems to be no rational way to place the bright new future into the framework of the past.

What did we do about it?

We got IRrational baby! The organizations tried to embrace both realities and developed a strange passive-aggressive schizoid approach to the whole world. Permitted social networkers. Private clouds. Data Loss Prevention appliances. “Facebook for the Enterprise.” What the $&^*&$!

Again – we’re doing insane things and somehow hoping for a different outcome. It’s amazing what repeated blows to the head will do to a standing corpse. The zombie still wants brains.

Prognostication: Is 2010 going to change anything at all?

I don’t really know. I know that some things are going to be trending upward though – if you thought the noise was loud before, just hold on.

  • There will be more hysterical shrieking from the security vendors that the only way to save yourself is to buy more of their (finely granulated) products, and those products will continue to (a) not do what the marketing slick says, (b) be shipped with insecure defaults, (c) use self-signed certificates for the optional HTTPS management pages.
  • PCI, PCI, PCI, PCI and more PCI. Yes, it’s a 12-step program to enlightenment – the kind of enlightenment that would’ve been useful in 1998. The Payment Card Industry has no interest in fixing the actual problem – they just want to pass the expense of their antiquated and rickety pile of 16-digit shit down onto the people least likely to be able to patch around their insanity. Oh, and the actual problem? It’s (I think) only a couple of things, but they are foundational and therefore VERY difficult and VERY expensive to change. Part one: the fundamental exchange nature of the cardholder-merchant-bank-card company relationship is based on the systems first developed in the 50s – it was adequate for the volumes of the times. It’s inadequate now. Credit cards are only partly “real time”. As much as it pains me to say it, even Interac does a better job of real-time payment cards. Part two: the card companies and banks have been hiding the true cost of fraud for so long that it’s become an untellable truth. They’ve set themselves up as the de facto currency of the world and they cannot afford to risk that in favour of informing the public that the reason the prime rate is under 1% and the credit card rate is still 17.5% is because they need the money to cover the fraud loss. Fixing the system *should* reduce the fraud problem, but no one outside of the card companies actually knows the true extent of the problem and no one can make the ROI decision. I have a feeling that the perpetuation of a broken system is still marginally more profitable for the card companies than the repaired system would be.
  • Twitter, Facebook, that other cool thing being developed right now. The exposition of our lives in the public arena will continue. American-based cultures are promiscuous in a way that is at odds with their proclamations. We’ll all know the intimate details of each other’s lives. Especially the parts that we don’t care about and the parts that we care about for no rational reason.
  • Cloud. I have no words other than “those who fail to study history are doomed to repeat it.” In what way is “the Cloud” any different than Service Bureaus in 1966? That’s right. The Cloud comes with squirrels.
  • Excessive CYBERDOUCHERY. We’re still not going to have a major SCADA incident that makes the press. There will be upwards of 10 critical incidents, but they’ll be superduperseekrit for a long time. The installed base is both too large and has too much momentum in the wrong direction. The smart meters that are being installed today are already broken. And no one cares. It’s more important to show forward progress (even if it’s heading in the wrong direction) than it is to do a good job of anything at all.

There’s probably more but I’m guessing that the people reading this are part of the choir, not part of the problem.

Can I count on you to make a resolution to work HARD to stop any of the above?

Image CC-byncsa courtesy of the author who didn’t include the pic of Dave Lewis in a cell at the above noted prison

Comments

  1. Geez, somebody overdose on curmudgeon pills this morning? “Damned kids, get off my lawn with your newfangled cloudz!!!” *shakes fist*

    =)
