The rains of autumn have arrived in force here in Atlanta, and along with them a bit of introspection about the state of our craft and how it’s seen by the rest of the world.
I’d like to say that things have changed this year, with Heartbleed, Shellshock, and earlier today Sandworm having their own logos and the security community as an ad-hoc marketing team. I’d like to say that it used to be about vulnerabilities, the risk they expose, the understanding that it took to find them, and the hoops that we’ll have to jump through to practically exploit them. But, as annoyed as I am by the 24-hour news format that the business of security has become, I can’t objectively say that it hasn’t always been this way.
Thinking back, I can remember Back Orifice (or perhaps its followup, BO2k) being released at Defcon by a masked cDc member surrounded by press, the whole thing streamed to my home by way of ZDtv (side note: I’d love to find a picture of that event, but my searches came up empty; if you have one, share). The media circus and confusion around CodeRed and Nimda haven’t changed very much. Software artifacts and the people who create them are still looked at and reported on with a mixture of fascination and fear. Fertile ground for hype and FUD to grow.
Incentives to feed the hype machine are everywhere, whether it’s reporters generating clicks on their articles, research teams bolstering their thought leadership positions, or practitioners justifying a bigger budget for next year. Immature binary risk models that categorize things as either secure or not are easy for technical people to gravitate to and lead to information security being seen as “hit” driven to those inside and outside of it.
This isn’t to say that some things are not “hair on fire” broken, and this year has seen some of those, but for the most part life goes on. All non-trivial bits of software are likely to be broken in some way, but that doesn’t mean every day needs to be spent trying to outrun the bear.
Speak a language of containment, separation of concerns, forensics, and the like. Save the warnings about the sky falling for the times it actually is. It’s an uphill battle, and others might not pay as much attention to you at first, but they won’t have a negative visceral reaction every time you walk into their office either.