Shostack + Friends Blog Archive


Bush, Socrates, and Information Security

“Wherein links between a number of disparate ideas are put forth for the amusement of our readers”

Orcinus talks about one of Bush’s answers to a question in last night’s debate.* (I thought Bush did surprisingly well, but think that Kerry still came out slightly ahead. Both, depressingly, still want to spend my money on their own pet projects, and fail to offer bold responses to the challenges we face.)

The questioner — seemingly a middle-class homemaker — simply wanted to know if Bush could admit to having made mistakes. After all, most of us ordinary humans make them too, but we also tend to be acutely aware of them. That Bush was incapable of giving her a straight answer was incredibly revealing.

Socrates used to go around in search of a wise man, questioning everyone he met. Bush’s answer (read the whole answer at Orcinus) was “historians will look back and say.” That’s not the answer of a man who looks back and evaluates what he’s done. Looking back and evaluating your choices is a key part of making better decisions in the future. The ability and willingness to doubt and question as you’re making a decision is a good one. You need to know when to stop and make a decision, but you also need to know how and when to analyze.

On the other hand, I’ve gone through media training, and that’s one of those questions that nearly requires either a dodge or a facile answer. Clinton might have been able to word-smith his way through it.

Information security has a number of long-standing camps. One is the mathematicians, who want to prove theorems about systems and thus state their security. Another is the empiricists, who try to set up experiments which can invalidate a system’s security claims. It should come as no shock that I think the work of the empiricists is more useful. Cryptography is sometimes an exception to this, where it would be nice to have some proofs, but we can’t even show P=NP, so it’s a ways away.

I don’t think that the math camp has stepped back enough to self-analyze. The empiricist camp does so regularly. I’ll use as examples two papers by Eric Rescorla: “Is Finding Security Holes a Good Idea?” and “Time to Patch, Revisited.” The latter is an examination of work (not yet online) that I did in collaboration with the team at Immunix, including Crispin Cowan and Steve Beattie. Eric points out that we needed more data to arrive at the conclusions we did, which is fair enough. (The main point of the paper, which is that patch management is a risk management game, stands, and I stand by it.) The Finding Holes paper questions one of the underlying claims of the full disclosure camp: that finding and fixing holes will eventually result in more secure software.

*UPDATE: I wrote this mostly on Saturday, but was searching for links to Rescorla’s papers.
Update 2: Rescorla kindly put his TTP work online, now linked above.