Posts tagged “Software”.

Secure Software Redux

David Rice wrote a response about my last post regarding a Secure Software Reality Check and makes some good points.

But people’s “wants” do not exist in a vacuum. The “wants” live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the “want” of a big vehicle is promoted in the U.S. while inhibiting the “need” for low-emissions subcompacts.

I don’t disagree with the idea that people’s wants don’t live in a vacuum. The ads on TV prove as much. However, most people’s wants live within their own bubbles. For example, while I don’t give a crap about torque, horsepower, etc., I do give a damn about four-wheel drive because of my winter commute down some crazy back roads to the commuter rail. One of my other wants is downright “strange” compared to the mainstream: I am one of the few people who look for cars with a smaller center console because of my other hobbies. That is a pretty strange “want” by mainstream standards, but it makes perfect sense within my bubble.

In other words, it makes more sense from a buyer’s perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to “buy big” would gradually ebb. So the “want” for a big vehicle would be partially transformed into a new “want” for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this “want” would be more aligned with the “need” for reducing the social and environmental costs (known as negative externalities) of car ownership.

I disagree that the current gas prices “reward” buying a larger vehicle. They simply allow for buying a larger vehicle. Do consumers buy a Hummer when an Impala would suffice? I’d be stupid to suggest that they don’t. But by creating an external force (i.e. a tax) in order to “discourage” certain “behaviors” you’re doing nothing to stop the “want”; you’re just trying to force people to do something they don’t want to do. You’re treating the symptom (low MPG cars) rather than treating the disease (bad driving habits).

What does this have to do with secure software you may ask?

In the context of software then, there is no incentive to reduce “vulnerability emissions” by software manufacturers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want “big” software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for “big” software, software manufacturers are happy to supply it. There is no incentive to do otherwise.

There is an incentive to do otherwise, and I think this is where the MPG analogy breaks down. Every so often Microsoft has some major bug that gets exploited enough that it makes the news cycle. Microsoft’s response to this has been nothing more than a “Whoops! Our bad. We have a patch.” They then wash their hands of it. This is the equivalent of Ford Motor Company dealing with the cruise control issue back in 2003 with “Whoops! Our bad. We’ll replace it.” However, there are now multiple class action lawsuits from people who were affected by this problem. Why does Microsoft get away scot-free yet Ford has to pay the piper? I think one of the reasons is that people haven’t realized they can make money off of software defects, and the other is that people haven’t yet made a connection between physical loss and virtual loss.

Aunt Ethel and Uncle Mortimer may not give a crap about how many critical bugs their operating system had this month, but they do care if their computer gets owned. What we as a community need to do is teach them that B is directly related to A. If people start understanding that their credit card numbers are now floating around Romania because some coder at Microsoft didn’t check his buffer size correctly, we’ll start seeing people crying bloody murder. The sooner they do that, the sooner we’ll get vendors who take security seriously, and the sooner that happens, the sooner we’ll all be better off. No laws needed.


A Secure Software Reality Check

Chris Wysopal, aka “Weld Pond” wrote about the recent DDoS attacks against South Korea and the root cause being that we have an insecure software ecosystem. Chris is spot on with this statement and he brings up an interesting analogy:

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure, each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers.

I think the analogy he uses is great, but not for the reason he uses it. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is that very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2 MPG? Runs on baby seal blood? Who cares?

This is exactly the same with computer security. We talk a lot about “securing cyberspace” and the government pushes lofty goals about treating our “digital infrastructure… as a strategic national asset”, but it’s exactly the same. Most people don’t want to have secure software. They want to have their Bonzi Buddy and their 3D Dancing Pigs on their website. The software has a horrible security track record? It requires tons of security settings to be disabled on the computer? Your entire HR system uses Microsoft Access as a back end? Who cares?

Chris is right. We need to make EVERYTHING secure. Every operating system, every application, every library. This is nowhere near an easy fix. Ideally we would reset the software industry to a tabula rasa and start everything from scratch. It is possible: just look at OpenBSD. However, we are not going to be able to convince anyone to start taking these steps until we make a gigantic culture change from the ground up. Aunt Ethel and Uncle Mortimer need to start understanding that they are doomed in the current environment and start demanding that their software be secure. Companies need to stop dealing with vendors that have repeated security problems. In-house staff need to be trained in secure computing practices. Computer science students need to be taught secure coding methods. This needs to be EPIC. Until then, we are all going to be stuck on the hamster wheel of pain: dealing with massive botnets, scrambling to patch zero-day vulnerabilities, and holding our breath waiting for the next “big one.”

How do we make it so we can escape? I have no clue and I doubt anyone else does either. The only thing I could see possibly breaking us out is everything going up in a giant cloud of smoke. All the cyberwar pundits are correct and we have a massive attack on our infrastructure. Blackouts! ATMs Jackpotting! Computers turning into Bombs! Dogs and cats, living together! Mass Hysteria! Only then will we learn the error of our ways!

Of course the pessimistic side of me says that we’ll still want our Bonzi Buddy and 3D dancing pigs.

(On a tangent, did you know Weld Pond was 43? I feel old now.)

Adding Geolocation Support to Prelude IDS’s Prewikka

I am a big fan of Prelude IDS for correlating reports from my honeypot/nepenthes/snort setup at my house. One thing that got quite repetitive was looking up the locations of IPs. So, I sat down and coded up a patch that grafted GeoIP onto Prelude’s Prewikka web interface. After a bit of effort figuring out Python and the template engine, I ended up with this:

Of course, my patch doesn’t blur out the names like the screenshot, but it does add the spiffy little flags to show you what countries are attacking you.

You will need:

The GeoIP libraries are available from the link above. Installing them is pretty straightforward. Once that is done, untar the Prewikka tarball and apply the patch for Prewikka in the source directory. Then install as normal.

Unzip the flags archive somewhere on your system. Move the contents of the “png” directory to your web root under the folder “/images/flags”. If Prewikka is running in the root web directory, as it was for me, you may need to adjust your Apache installation. I added an alias in my Apache configuration pointing /images/ back to /var/www/images.

Alias /images/ /var/www/images/

With any luck, it should work. As always, your mileage may vary.
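As an added example (not the patch itself, and not Prewikka’s own code), the Python below shows the lookup behind those flags: it maps an alert’s source IP to a flag image under /images/flags and returns nothing for private, loopback, malformed or unknown addresses, so the page never links to a flag that does not exist. The GeoIP database is replaced by a constructed two-entry table; a real deployment would call the GeoIP bindings’ country_code_by_addr() instead.

```python
import html
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for the GeoIP country database: made-up (IP, ISO code)
# pairs so the example runs without the MaxMind bindings installed.
_SAMPLE_DB = {"198.51.100.7": "US", "203.0.113.42": "RO"}

def sample_lookup(ip: str) -> Optional[str]:
    """ISO country code for ip, or None when the database has no entry."""
    return _SAMPLE_DB.get(ip)

# Ranges no GeoIP database can place in a country; alerts from these get no flag.
_NO_GEO = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

FLAG_ROOT = "/images/flags"  # where the unzipped png/ directory was moved to

def country_code(ip: str, lookup: Callable[[str], Optional[str]] = sample_lookup) -> Optional[str]:
    """Validated two-letter country code for an alert's source IP, or None.
    None covers malformed strings, private/loopback/multicast addresses and
    addresses the database does not know, so a template never builds a path
    to a flag image that does not exist.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    if any(addr in net for net in _NO_GEO):
        return None
    code = lookup(str(addr))
    if not code or len(code) != 2 or not code.isalpha():
        return None
    return code.upper()

def flag_path(ip: str, lookup=sample_lookup) -> Optional[str]:
    """Web path of the flag image for ip, or None when there is no flag."""
    code = country_code(ip, lookup)
    return None if code is None else f"{FLAG_ROOT}/{code.lower()}.png"

def flag_img(ip: str, lookup=sample_lookup) -> str:
    """<img> tag for the alert row, or "" when there is no flag. Attributes
    are escaped so an attacker-controlled alert field cannot inject markup."""
    code = country_code(ip, lookup)
    if code is None:
        return ""
    return (f'<img src="{html.escape(flag_path(ip, lookup))}" '
            f'alt="{html.escape(code)}" title="{html.escape(code)}" />')
```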

Share and enjoy!