The latest XKCD is near-and-dear to my heart. It's a conversation that replays frequently in infosec/cybersecurity -- on both sides, non-techies trying to avoid security, and non-techies trying to impose security.
The Crown Sterling Affair is a great example: it's just perpetual motion cryptography. When they finally demonstrated their "invention" cracking 256-bit RSA keys it ended up doing so just as fast as everybody else cracking RSA keys -- apparently using existing code.
Computer science is littered with perpetual-motion problems, such as building your own cryptography, compressing random data, and defeating exponential complexity.
Sometimes very smart people can create what appears to be perpetual motion. Quantum cryptography is one example. But it's not breaking physical limits, it's just that many people are ignorant where those limits are.
When I created BlackICE, I had experts claim I lied, because it couldn't possibly be that fast. Computers have a limit of around 100,000 interrupts per second, so therefore it was impossible to process traffic at 1,000,000 packets per second.
Yes, but whereas standard operating system drivers (Windows, Linux, etc.) processed one packet per interrupt, we processed hundreds or even thousands of packets per interrupt. That was one of the unique innovations: custom hardware drivers for Windows and Linux.
This is now standard. All operating systems process multiple packets per interrupt, such as Linux NAPI. There are also drivers like PF_RING and DPDK that show custom drivers doing this in user-mode like BlackICE did.
Anyway, this thread is about cybersecurity. Whenever people don't want to do a thing, they convince themselves that the threat is only "theoretical". It leads to perpetual-motion-like conversations where it's impossible to convince them the threat is "practical".
SQL injection is a great example. It's been the most common way of hacking websites for 20 years, and the reason it works is FREAKIN' OBVIOUS. Yet, the general knowledge of programmers is so bad that the obvious threat isn't so obvious to them -- perpetual-motion level.
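The "obvious" reason, shown as an added example (not code from the thread's author): a constructed SQLite login check that splices input into the SQL text, so a quote in the data ends the string literal and the rest is parsed as SQL, beside the parameterized form where the statement is constant and values are only ever compared as data.

```python
import sqlite3

# Constructed sample database (not from the thread): two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def build_vulnerable_sql(name, password):
    # The bug: untrusted input is spliced into the SQL text, so any quote in
    # the input terminates the literal and whatever follows becomes syntax.
    return (f"SELECT name, role FROM users WHERE name = '{name}' "
            f"AND password = '{password}'")

def login_vulnerable(conn, name, password):
    return conn.execute(build_vulnerable_sql(name, password)).fetchall()

def login_parameterized(conn, name, password):
    # The fix: the statement text is fixed; values travel separately as
    # parameters, so the database never parses them as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

def quote_breaks_statement(conn, name, password):
    # True when the concatenated query no longer parses as the intended
    # statement, i.e. the input was interpreted as code rather than data.
    try:
        login_vulnerable(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))      # [('alice', 'admin')]
    print(quote_breaks_statement(db, "O'Brien", "x"))    # True
    print(login_parameterized(db, "O'Brien", "x"))       # []
```

A name like O'Brien is enough to show the defect: the vulnerable path errors because the quote changed the statement, while the parameterized path simply finds no such user.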
Another is "disclosure". There is a vast belief out there that disclosing vulnerabilities is bad, and that security researchers are unethical for doing so. We've had experience since the 1800s showing otherwise, and particularly acute experience since the 1980s on the Internet.
Sure, smart people are also on all sides of the disclosure debate, I'm not talking about them. Instead, I'm talking about the dumb people who can't see the bigger picture. They can only see the immediate effects and are convinced hackers are practicing witchcraft.
But there are equal problems on the other side of security: non-techies who insist that everything needs to be more secure. A prime example of this is everything written by Richard Clarke (former cybersecurity czar under Bush).
Any idiot can get on a soapbox and proclaim that things need to be secure, and that organizations that spend less on cybersecurity than on free coffee for employees deserve to be hacked. It doesn't take any technical expertise at all, which is why such charlatans are so common.
Talking to security enthusiasts is as tiresome as talking to perpetual-motion enthusiasts. Draft regulation from congressional critters has been painful to read, and there is no way of talking to them, of explaining why it's crazy stupid.
I mean, "couldn't" not "could".
Experts are often wrong -- especially in cybersecurity. After all, in cybersecurity, the consequences aren't due to things that can be modeled with math, like failure due to wear-and-tear, but to the psychology of hackers, whether they will exploit that wide-open hole.
But this doesn't mean the ignorant like Richard Clarke are right. He's been predicting an imminent Cyber-9/11 since, well, 9/11. Despite being wrong for 20 years he's still hailed as an "expert" on the issue.
But even if a Cyber-9/11 event happens it still doesn't mean he deserves credit. He's provided no technical insight into the problem, only insisting we must take it "seriously" rather than helping with what, actually, should be done.
BTW, a Cyber-9/11 won't happen. I say this as a pentester who has broken into the power grid multiple times. Yes, it's easy for hackers to black out a city. It's infeasible to black out the entire country.
Other countries have centralized power grids, ours is incredibly diverse. I could black out Ukraine from one point, but there is no single point of control (or failure) in the United States, not even close.
Thread by Pumpkin' Spice Rob 🎃