Security in Serious Fun
In case you keep track of our tweets, you may have noticed that we sometimes approach the topic of security humorously, and because there is a lot of potential for misunderstanding we’d like to explain why we do this. It’s not all about who scores the best puns. It has a serious background, and it helps to keep a minimum distance from the problems you are dealing with.
Security has a strong link to the agenda of a person, a group, a company or a nation. Consider a fatal flaw in a major software package. The typical actors connected to this bug are the group/person who found it, the group/person who published it (not necessarily the same as the discoverers), the developers of the software (could be a community or a company or both), the mythical 0-day hunters (real or imaginary), the users/clients, possibly journalists reporting about it and everyone tied to the actors mentioned (law enforcement, more media, whole governments, politics, etc.). In an ideal world everyone would be glad to hear about the flaw and be interested in fixing it (with the exception of the 0-day hunters and their customers, of course). The ideal world paradigm allows for full disclosure provided you forget about the group that is interested in using the flaw for evil purposes (that’s the meaning of ideal).
Then the agendas come marching in. Suddenly the security researchers need a good publication for their reputation. The developers may like to downplay the impact; reputation applies as a reason here, too. Vendors could be stretched to their capacity and can’t provide a fix in time (or may simply have no interest in fixing anything). Some journalists just need a good story, so they add some facts a.k.a. mind candy (what the GUI people call eye candy, only with fewer pastels). Some groups may try to use the flaw as leverage and add a bit of armageddon such as a Digital Pearl Harbour to it. The users are confused, angry, disappointed or a combination thereof, so they might do anything (the last part also applies to the mythical 0-day hunters). There are a lot of variations possible, depending on which actors you add. For our own peace of mind we left politics out of the example (we will have plenty of talk about “cyber politics” at DeepSec 2012 if you look at our agenda).
This is exactly where humour can help you to understand what’s going on. It provides a safe distance from which to look at problems and to demystify a story distorted by the many agendas at work. Mind you, we do not claim that all security-related publications and news are riddled with personal agendas. It’s just that some extra smoke and mirrors are easy to add, since we deal with arcane magic few really understand. Consider the use of cyber, virtual, cloud and many other words in connection with otherwise well-defined items or procedures.
We encourage everyone to take an in-depth look behind the scenes and to really see the core of the problems everyone keeps talking about. And please be careful about messengers of doom, death and destruction.