Profile picture
, 20 tweets, 3 min read
The latest XKCD is near-and-dear to my heart. It's a conversation that replays frequently in infosec/cybersecurity -- on both sides, non-techies trying to avoid security, and non-techies trying to impose security.
The Crown Sterling Affair is a great example: it's just perpetual motion cryptography. When they finally demonstrated their "invention" cracking 256-bit RSA keys it ended up doing so just as fast as everybody else cracking RSA keys -- apparently using existing code.
Computer science is littered with perpetual-motion problems, such as building your own cryptography, compressing random data, and defeating exponential complexity.
Sometimes very smart people can create what appears to be perpetual motion. Quantum cryptography is one example. But it's not breaking physical limits, it's just that many people are ignorant where those limits are.
When I created BlackICE, I had experts claim I lied, because it could possibly be that fast. Computers have a limit of around 100,000 interrupts per second, so therefore it was impossible to process traffic at 1,000,000 packets per second.
Yes, but whereas standard operating systems drivers (Windows, Linux, etc.) processed one packet per interrupt, we processed hundreds or even thousands of packets per interrupt. That was one of the unique innovations: custom hardware drivers for Windows and Linux.
This is now standard. All operating systems process multiple packets per interrupt, such as Linux NAPI. There are also drivers like PFRING and DPDK that shows custom drivers doing this in user-mode like BlackICE did.
Anyway, this thread is about cybersecurity. Whenever people don't want to do a thing, they convince themselves that the threat is only "theoretical". It leads to perpetual-motion like conversations where it's impossible to convince them the threat is "practical".
SQL injection is a great example. It's been the most common way of hacking websites for 20 years, and the reason it works is FREAKIN' OBVIOUS. Yet, the general knowledge of programmers is so bad that the obvious threat isn't so obvious to them -- perpetual-motion level.
Another is "disclosure". There is a vast belief out there that disclosing vulnerabilities is bad, and that security researchers are unethical for doing so. We've had experience since 1800s showing otherwise, and particularly acute experience since the 1980s on the Internet.
Sure, smart people are also on all sides of the disclosure debate, I'm not talking about them. Instead, I'm talking about the dumb people who can't see the bigger-picture. They can only see the immediate effects and are convinced hackers are practicing witchcraft.
But there are equal problems on the other side of security: non-techies who insist that everything needs to be more secure. A prime example of this is everything written by Richard Clarke (former cybersecurity czar under Bush).
Any idiot can get on a soapbox and proclaim that things need to be secure, and that organizations who spend less on cybersecurity than on free coffee for employees deserves to be hack. It doesn't take any technical expertise at all, which is why such charlatans are so common.
Talking to security enthusiasts is as tiresome as talking to perpetual-motion enthusiasts. Draft regulation that congressional critters has been painful to read, and there is no way of talking to them, explaining why it's crazy stupid.
I mean, "coudn't" not "could".
Experts are often wrong -- especially in cybersecurity. After all, in cybersecurity, the consequences aren't due to things that can be modeled with math, like failure due to wear-and-tear, but due to psychology of hackers, whether they will exploit that wide open hole.
But this doesn't mean the ignorant like Richard Clarke are right. He's been predicting an imminent Cyber-9/11 since, well, 9/11. Despite being wrong for 20 years he's still hailed as an "expert" on the issue.
But even if a Cyber-9/11 event happens it still doesn't mean he deserves credit. He's provided no technical insight to the problem, only insisting we must take it "seriously" rather than help on what, actually, should be done.
BTW, a Cyber-9/11 won't happen. I say this as a pentester who has broken into the power grid multiple times. Yes, it's easy for hackers to black out a city. It's infeasible to black out the entire country.
Other countries have centralized power grids, ours is incredibly diverse. I could blackout Ukraine from one point, but there is no single point of control (or failure) in the United States, not even close.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Pumpkin' Spice Rob 🎃

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @ErrataRob see all

Profile picture
Pumpkin' Spice Rob 🎃
@ErrataRob
Uh, if it's one thing, ONE THING, that we want the world hearing us chant is criticism of our leaders. It's what America has that's missing in places like Russia and China. What America stands for is freedom, and the most important freedom is criticizing political leaders.
Yes, we need more civility in our political debates. You should stop your toxic behavior toward Trump supporters. They are wrong, but they are still reasonable, good people. But toward Trump himself, or Obama, or President Bernie, booing is just fine and encouraged.
I mean, if booing in inappropriate, then so is cheering. You could be arguing for respectful silence. But every much that booing Trump offends his supporters, cheering Trump would offend his opponents.
Read 4 tweets
Profile picture
Pumpkin' Spice Rob 🎃
@ErrataRob
Infosec is full of bad analogies. The absolute worse is "technical debt". People think it's a good analogy for communicating with "business types", but it isn't, because techies don't understand "debt". Techies think debt is bad, business types think debt is good.
Techies think that debt is something that must be repaid. Business types understand that debt should never be repaid, and really, cannot be repaid. Techies think they are justifying why something needs to be fixed, when in fact they are explaining why it never needs to be fixed.
I mention this because of this HackerNews item which, yet again, misunderstands "technical debt".
news.ycombinator.com/item?id=213663…
Read 11 tweets
Profile picture
Pumpkin' Spice Rob 🎃
@ErrataRob
Yes, the Internet should make us question our existing notions of nation state sovereignty. Is the nation state something that has total (as in totalitarian) control over subjects? Or does the state derive its (limited) powers from the consent of the governed?
In the case of religion, we decided upon a separation of "church" and "state", that it was best not to mix the two. In other words, the Catholic hierarchy is something completely divorced from the ability of the state to regulate it.
In contrast, in China, the government is in control over who is the official Dalai Lama. No aspect of society is beyond state control.
Read 5 tweets

Related threads

Profile picture
SueletteD
@SueletteD
2/16 Silencing expert voices in the cybersecurity discussion space is a
strategy for weakness not strength, as any Red Team expert would tell
you. #CyberCon #CensorCon
3/16 The @CyberGovAU removed me from the #AISA #CyberCon speakers list
8 days b4 the event. Reason: my talk content was 'incongruent' w/ the
largest cybersec conf in AU. Yet they had not seen my talk content yet.
#CensorCon #cyber #infosec #cybersecurity #informationsecurity
4/16 #CyberCon removed me from the speakers list based on my talk title
alone. I'm not the only speaker removed: @Thomas_Drake1 was also disinvited. Others
told to alter format. #CensorCon #cyber #infosec #cybersecurity #informationsecurity
Read 16 tweets
Profile picture
Sergio Caltagirone
@cnoanalysis
A thread about #journalism and #infosec/#cybersecurity.

I hear ALL the time from executives who read about infosec issues in the news and want to know more. Journalists are the most important part of the education and information component of #cybersecurity.
I consider journalists part of #infosec - not outside of it. They serve their purpose like a Firewall admin serves theirs for the larger #cybersecurity space. I've never met a malicious journalist, not saying they're out there but, almost all have good intentions.
Most journalists have a non-technical background. This is changing but it is still the case. Just like many of #infosec who came from a non-traditional background and joined our space we need to be supportive and mentor them.
Read 5 tweets
Profile picture
SecurityGuill 🌐
@Guillaume_Lpl
This thread includes all my #infographics so far, they present different terms related to Information Security 🔐

It's an easy way to learn new things 📖 I hope it will be useful to the community. RT appreciated 🌐

Follow me @Guillaume_Lpl for more about #infosec #cybersecurity
What is a Botnet & How ti works?
Follow me @Guillaume_Lpl for more about #infosec #cybersecurity #dataprivacy #ITsecurity #technology
What is a Bug Bounty?
Follow me @Guillaume_Lpl for more about #infosec #cybersecurity #dataprivacy #ITsecurity #technology
Read 29 tweets
Profile picture
Guillaume 🛡 | Infosec 💻
@Guillaume_Lpl
Thread updated of my infograhics : To make things more convenient and to help beginners in #infosec , I decided to regroup my #infographics with this tweet ! #Cybersecurity #Startups #IoT #ITsecurity #Security #tools
Some good tools useful in Infosec : by @Guillaume_Lpl #infosec #cybersecurity #Infographic
Some good tools for Mobile APP Security Testing : by @Guillaume_Lpl #infosec #cybersecurity #Infographic
Read 13 tweets
Profile picture
Dave Manchester
@dredeyedick
Speaking of which: #Equifax #EquifaxDataBreach #MustSee cc .@mikko .@matthew_d_green .@schneierblog .@th3j35t3r #WTF
3/ "You Make Money off This ScrewUp": - @SenWarren To #Equifax CEO #MalFeasance #NonFeasance #FiduciaryBreach
4/ .@SenFranken Attempts to Pry Some Answers from #Equifax CEO #AltGovDaily #IndivisibleTimes #WHPDaily
Read 18 tweets
Profile picture
Dave Manchester
@dredeyedick
1/ Reach Out to Congress. Tell Them What You Think.
➡️Members of Congress | InsideGov members-of-congress.insidegov.com/?utm_source=tw… #PuertoRico #Indivisible
2/ Reach Out to Congress. Tell Them What You Think.
➡️Contacting Congress - Instantly contactingcongress.org #PuertoRico #Indivisible
3/ Find Out Who Donates To Your Member of Congress. Who do they Represent?
➡️VoteSmart - Click "Funding" Folder votesmart.org
Read 15 tweets

Trending hashtags

#SCL #writer #DataBreach #Technology #CyberSecurity #APT #CyberCon #cybersecurity #Tesla #team #PuertoRico #Beijing #soybeans #dataprivacy #sharemondays #Pork #SyrianInvasion #POTUS #ThreatIntelligence #MOF #Earlier #Assad #icssecurity #tradewar #TradeWar
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!