Romanticizing Bugs Will Lead to Death of Information Security

Too much focus on vulnerabilities and their impact is leading information security into a slow death.

Romanticizing Bugs Will Lead to Death of Information Security

Speaking in the keynote address at 44CON in London, security researcher Don A. Bailey said that while “we’re getting good at reducing problems and addressing problems, information security is dying a death it has earned.”

Focusing on bugs and vulnerabilities, Bailey said that his initial perception of information security was about reducing risk for consumers, but that perception was “so off base as all we do is talk about bugs but we are blind to what they mean and are composed of.

“We see new technology coming out, the punditry reel starts spinning with a cool new 'whatever' and we ignore technology and where it comes from and how it is sold and what manufacturing looks like, and we ignore the engineers that put effort into building the technology.”

Calling the concept “bug fetishizing’, Bailey pointed at the Blueborne vulnerability, which has received fresh attention this week after Microsoft issued a patch for it. Bailey argued that while the bug is massive, it has been around for a while and it is super easy to remediate it.

“People use it to raise money and we see it in the community all the time and not only by start-ups, but to raise money creating an environment in how cool a vulnerability is,” he said.

“I get a bit tired of hearing about these issues over and over as there is nothing new about Bluetooth vulnerabilities, it is the same old crap as we found a couple of years ago. This is nothing new and not pushing things forward.”

Bailey highlighted what he called the “romantic nature of bugs” and their “reproduction”, saying that we “see vulnerabilities in the wild and they are reproduced a million times” which is not reducing vulnerabilities in any way.

He also said that we are taking extremely small issues and blowing them up, and also focus more on intricate vulnerabilities than the defenses against them.

“Finding bugs that are useful is a great thing, but doing something with it is another thing; we want real models in information security and IoT that we can resolve.”

Bailey concluded by saying that information security is in a worse state than 10 years ago, and 10 years ago there were probably 10 consultancies and now, only a few organizations are doing groundbreaking research.

“Companies say specialize in information security but outsource for skills and don’t feel like paying someone for expertise when they can hire, with reputable universities pumping out graduates with information security degrees. It is true we need more people but who needs them: consultancies who break ground, or companies who need more people – a fraction of a % are doing groundbreaking research and that is why information security is dying.”

Recommended

Iran blocks encrypted messaging apps amid nationwide protests

For the past six days, citizens have taken to the streets across Iran, protesting government oppression and the rising cost of goods. Video broadcasts from the country have shown increasingly intense clashes between protesters and riot police, with as many as 21 people estimated to have died since the protests began. But a complex fight ...

Bitcoin Exchange Has Been Forced to Close After Second Cyber-Attack

A South Korean Bitcoin exchange has been forced to close after suffering another major cyber-attack. Youbit claimed it was “very sorry” but has filed for bankruptcy after it suffered the cyber-attack, less than eight months after the first. In a statement in Korean on its homepage the firm said it had lost 17% of its ...

It is difficult for the FBI to crack most smartphone encryption

The FBI is struggling to decode private messages on phones and other mobile devices that could contain key criminal evidence, and the agency failed to access data more than half of the times it tried during the last fiscal year, FBI Director Christopher Wray told House lawmakers. Wray will testify at the House Judiciary Committee ...

Texas Church Shooting: More Calls for Encryption Backdoors

US Deputy Attorney General, Rod Rosenstein, has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers. The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people. Deceased suspect Devin Kelley’s mobile phone is now in the ...

暂无评论

发表评论

您的电子邮件地址不会被公开,必填项已用*标注。

This site uses Akismet to reduce spam. Learn how your comment data is processed.