Original URL: http://www.theregister.co.uk/2003/10/28/security_muddle_better_than_fuddle/

Security muddle better than FUDdle

Meanwhile, in the real world...

By George Smith

Posted in Security, 28th October 2003 09:18 GMT

Whether it's a student slipping contraband past airport metal detectors, or a researcher modeling an unstoppable computer virus - demonstrations just don't do justice to the real state of security, writes SecurityFocus columnist George Smith.

Look at a photo of Nathaniel Heatwole, the student who performed pro bono security testing on Southwest Airlines. Neat and freshly-scrubbed, he's a good fellow at Guilford College, the winner of a cash award for ham radio broadcasters -- a white-hat hacker trying to make air travel safer.

Not only did Heatwole push box-cutters and other items symbolically meant to appear menacing through airport security, he also showed that the sharing of information isn't so hot. Heatwole warned the Transportation Security Administration about his work in e-mail. The TSA, however, receives 5,700 e-mails a day. In the electronic blizzard, the notification was missed for weeks.

This play has repeated itself in every aspect of physical and electronic security for as long as I've written about the subject. Anyone who has followed the public history of computer intrusion will find the Heatwole case reminiscent of things they have either had to deal with personally or learned of through schooling and the media.

Sending Heatwole to trial is a waste of time. No one was threatened or put in danger, and even the agency that received the black eye, the TSA, didn't have its leaders or employees personally singled out for embarrassment. There was no inconvenience or economic loss. Heatwole has even been reticent with the media, so even if an aim was to be showy, he's been low-key about it.

However, do such things improve security?

After years of thinking about the subject and witnessing similar cases weekly, my gut feeling is they don't. Despite good intent, and even with attention paid, Heatwole will not make security better on the airlines. There are too many carry-on bags to screen with the degree of discernment required to catch everything, and the airlines won't have any customers if they're required to strip search them or nail the bathrooms shut on all flights.

In parallel, it's my hunch that the nation is saturated with news and alarms about security. From gaffes at the national labs, to the Government Accounting Office's stream of reports on poor computer security in various agencies, to Bret McDanel who warned co-workers at his former employer that their e-mail was compromised and had to spend sixteen months in prison before justice finally realized he had done no wrong, the word is always present. Security is too porous, people are screwing up, procedures are rotten, problems are going to be exploited and the house of cards is destined to collapse.

Maybe it's all true.

However, in the rush to publicize that which must be fixed right away the story poorly told is that the infrastructure is managed and kept stable by a just-in-time come-as-you-are workforce. And as a practice -- even though this looks wobbly -- globally and over time, it works.

In the past, I've called this laissez faire computer security, but that's not entirely accurate. It doesn't give nearly enough credit to the people who daily keep their bailiwicks running, clean up after the mistakes of others and work collegially across borders to put out whatever electronic fire must be put out.

Such tenacity and resilience cannot be measured in government reports, although the cost of their overtime labor is always said to be crippling during computer virus outbreaks or surges in the emergency application of serial Microsoft patches. One could just as well discount such alleged expense with the argument that the people are always engaged in productive work, and that we'd see the real cost of network insecurities only if the entire fix-it crew were to permanently disappear all at once.

And the Nathaniel Heatwoles of security, while doing their spot test things, cannot give us an idea about the survivability of a system that during crisis is critically dependent upon people. There's an obvious difference between the galvanizing effect of hiding boxcutters in the bathroom and actually coming out of the watercloset brandishing them. Similarly, describing how a virus can evade anti-virus updates and circle the globe in a flash doesn't really describe its fight vs. people-with-networks and the probable outcome as it transpires.

The challenge to security men and women is to separate being part of a process that is ostensibly about security, but without hope of bettering it, from the thankless work of combining ingenuity with the networked world's equivalents of spit and bailing wire. Should you be a showman if you think no one is paying attention? How effective is sowing suspicion and fear of things to come as a security tool? Or is getting pretty good at just gettin' by fine?

Whatever the answer over the next few years, it'll have to do.

Copyright © SecurityFocus

George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.