asking attackers for constructive solutions

I read nCircle’s Andrew Storms’ blog post, “Rethinking Black Hat: Building, Rather Than Breaking, Security,” and felt like joining the discussion. Essentially, Andrew is saying:

Think back to the [Black Hat] talks you attended and ask yourself how many of them promoted constructive ideas? I’m glad to know that just about every mobile device platform is broken at some level. It’s no big surprise that there are problems with crypto, networking, every OS and even the smart grid…

But let’s push ourselves to take that extra step forward and think about how we can also fix what’s broke. Wouldn’t it be interesting if future Black Hat briefings also had to include one or more ideas on how to fix the root of the problems being shown?

I’m not sure I agree with this, on a few levels.

First, the big one: Playing defense is draining. Playing defense involves policies, processes, politicking, covering all angles, and essentially playing a much longer-term game than an attacker. This is draining and time- and soul-consuming. While I wouldn’t say offense and defense should be divorced with a hard line in the middle, I totally understand when an attacker can point out a weakness but has his own weakness in effectively describing how to do proper defense against the same attack. I get it, totally.

Second, the media coverage of problems is a huge driver. It’s true, the regular ol’ media picks up on the sensational moments where XYZ is broken, and that gets eyeballs. However, solution ABC gets next to nothing because, well, it’s boring. Which one is going to have a chance to drive attention, budget, action, and awareness, including outside the hardcore geek circles? I’d argue that if solutions were so interesting, they’d have been built into many of these products, technologies and developments from the start. Doing things securely is still (and I’d argue always will be) an afterthought, so pointing out insecurity in a sensational way is a state of normalcy, to me.

Third, look out for post-con highs (or lows, in the case of security!). It’s great to come out of a con-type gathering fired up with all sorts of great ideas. For hacking cons, it’s easy to come out of them feeling like everything is fucked. I guess I look at that as a sort of healthy state of things. Insecurity isn’t going away. Even the lock industry doesn’t try to make unbreakable locks (ok, minus marketing spiels and executive dreams), but instead tries to increase the time-to-pick metrics. Andrew certainly knows this, so this isn’t much of a point for me.

I really do get Andrew’s point, and I would even agree for the most part that it would be nice if attackers also offered constructive information on how to do things better, but I don’t think I’d ever actually call anything out for it, or even voice that concern much at all, for fear of devaluing or upsetting the current equilibrium between offense and defense. Granted, there are counter-points to my points, certainly… I may be playing a bit of a devil’s advocate here. 🙂

As a last point, one that I even hesitate to bring up but really have to, since it’s like a little itch poking at the back of my brain on this topic: I would not want to stifle the exposure of problems under the heavy foot of “be constructive.”

There are two scenarios I have in mind for this:

Situation 1
Employee: “Hey boss, I see a problem with this application here where it doesn’t validate people properly.”
Boss: “That’s nice. It’s now your problem to fix, go to it!”
Employee: *sigh* “…next time I’ll just shut up.”

Situation 2
Employee: “Hey, your application doesn’t validate people properly. I can break it by doing blah.”
Developer: “It’s fine. Prove to me you can do that and that that is bad.”
Employee: *sigh* “…next time I’ll just dump this to full-disclosure and let you handle your own research.”

In either case, our approach to insecurity or issues can have a huge impact on how researchers (or those who point out problems) may become disincentivized to say anything at all. I agree when a boss wants optimism and solutions, but I disagree when said boss dismisses an issue because the messenger has no solution of his own.

(There’s a sub-point in here somewhere about a non-expert consuming information about how technology X is broken, and then wanting the solutions handed to them when maybe they’re not the appropriate audience or consumer of such information. Sadly, I don’t know how to articulate that on short notice without offending or being extremely confusing… For instance, I might hear that CDMA is broken, and I might decry that the presenter should give solutions, when I only want that because *I* don’t have the solutions either…)