Like we really needed this.

Hacker’s Blog

August 15, 2007

Rational Security: Security Innovation?

Filed under: Philosophy, Security — Hacker @ 8:50 am

Some people think that they are the lunatic fringe. Mr Hoff states: Nobody really believes that security can be innovative, do they? I do.

The next thing we’ll be hearing is that rational security = security innovation or to simplify: Rational = Innovation. What could be further from lunacy?

Quite simply, in a changing environment it is irrational not to innovate. It is obvious that security is a changing environment. When was the last time the threats were consistent over time?

Now some would have you believe that constant change is itself irrational and therefore any response to it must necessarily be irrational as well. In mathematics, 1 / 3 is rational while the square root of 3 is irrational. Neither can be represented in decimal form by a finite number of digits, but with one third the digits repeat.

Consistency makes being rational easy. The hard work of working out a solution only needs to be performed once. Then a simple lookup can occur. To make consistency a requirement for rationality reduces rationality to automata. Not much use being rational then.

Innovation does not mean anything goes. New techniques must work to be innovative. Innovation is also not randomly trying new things. That’s luck. Innovation must be rational.

Therefore real security must be innovative.

For one to accept innovation the new ideas must be rationalized, otherwise they are seen as just random gibberish. The seven deadly sins of problem solving referred to by Hoff are all ways that keep us from being able to accept new ideas. This applies whether the solution is ours or someone else’s. (Many who lack self-confidence invert the Not Invented Here rule).

The most important aspect of being innovative, or of accepting innovation, is that it takes time for our brains to adjust. If someone has just presented something to you that sounded rational but doesn’t sit well in your gut, that is when it is apparent that more time is needed. Given time, one should be able to either accept the new idea or determine where the flawed assumption was buried. Often this type of rationalization is a background process, and “sleeping on it” is a perfectly valid approach.

It seems that people keep buying new security technology, so by their actions they must believe that innovation is necessary for security. Mr. Hoff isn’t so much presenting a new approach to security as explaining how the accepted approach is not well understood. The reality is that just about everybody believes that security can be innovative, they just don’t know it.

It is also critical to remember that if the solution doesn’t seem to fit, perhaps the problem was defined wrong. That explains why router ACLs are not acceptable network security tools 99.9% of the time.
