Shostack + Friends Blog Archive


On smelly goats, unicorns, and FUD

In a pithy post, Anton Chuvakin uses colorful metaphors as caricatures for our debate: 

Q: If you ride a smelly, ugly goat along the road and then meet a handsome stranger who promises to give you a new ride: a beautiful unicorn that can fly, teleport, butt enemies with its horn and doesn’t need any cleaning, should you take it?

A: No! Unicorns are mythical creatures. Please keep your goat for now 🙂

This sort of rhetorical tactic is popular among slimy politicians, to wit: “If you vote against my bill, you are voting in favor of mass rape of barnyard animals, and taking food out of the mouths of starving babies.”

There’s a real message here. Anton is saying that the New School and/or risk management approach is impossible in principle and therefore is folly at all levels, like the quest for perpetual motion machines or large-scale time travel. He is skeptical to an extreme.

A real unicorn, though now extinct, refutes the claim of impossibility

At the risk of extending Anton’s metaphor too far, I’ll point out that unicorns (of some sort) are not impossible in principle, only non-existent in recent times. As evidence of their potential existence, I offer Tsintaosaurus spinorhinus, a real dinosaur found in China. I found this artist’s impression of the dinosaur, nicknamed “the Unicorn Dinosaur” because it has some elements in common with the mythical unicorn (“the traditional unicorn also has a billy-goat beard, a lion’s tail, and cloven hooves—these distinguish it from a horse”).

Moral: just because something doesn’t exist right now doesn’t mean it’s impossible. Back to the real debate…

No one is seriously advocating NewSchool or Risk Management as having magical properties, or claiming that they are perfect or fully formed. I, for one, have been very vocal and public about the unsolved research problems. I welcome and encourage skepticism. It may turn out that certain approaches or methods are indeed impossible or infeasible. Fine. Let’s find that out. But there is no value in debates that are based on caricature and strawmen.

Those of us who advocate new methods are arguing that the current “smelly” methods just perpetuate the problem of poor security, even if you get periodic “wins” through FUD and other tactics. We are arguing that the new methods are more promising, in spite of their current difficulties and unsolved problems.

I’ll close with my own colorful metaphor: FUD and similar tactics are like peeing in a swimming pool. They may make you feel good at the moment and you may get away with it for a while, but if enough people do it, eventually everyone is swimming in piss. There’s a great book called The Self-Defeating Organization that describes this process and how it is one pattern (among many) that leads to a downward spiral in organization performance.

[Update: From past communications, I believe that Anton has the most objections to “the risk management approach” rather than the “New School approach”. They overlap somewhat, but aren’t identical. See Adam’s comment, below.]

One comment on "On smelly goats, unicorns, and FUD"

  • Adam says:

    I’ll go a step further–the scientific method at the core of the new school is more promising because in almost every field it’s been applied, it’s been transformative.