Monday, December 9, 2013

Attack Surface concluded

First off, I'd like to apologize for the low-quality essays I've been pumping out lately. Being busy with other things isn't an excuse. It's true I am busy with other things, but I usually at least re-read the first draft (hardly ever get beyond a first draft), and so the essay does have my full attention when I craft it.

Going back and reading them, I'm embarrassed. Not only is the prose not very coherent, there are those annoying angry digressions and rants that, quite frankly, I thought were cute. And that cutesy bit of foul-mouthed prancing around adds nothing to the narrative - similar to the annoying digressions and diversions in a Quentin Tarantino film.

I use that reference because I saw Django Unchained over the weekend, as it finally made it onto the shelves of my local socialist book depository.

What did I think? Eh. It was occasionally entertaining. My problem with Tarantino is he engages me, and then loses me. Since he just makes movies, I can ignore the cutesy little prancing digressions he throws in, knowing that eventually he will get back to the actual narration of the movie. But these digressions add nothing to the plot, or explain or enhance the characters, or alter the mood in any way. It's just Tarantino wanking off, and I'm beyond annoyed with it, and so just let my attention skim past it to the next good bit.

So, there was a controversy when this movie came out, right? The movie was branded racist because a white director made use of the n-word entirely too much. Well, maybe he should have used the c-word. In fact, I think I want to see the word "bully" replaced with the c-word. "Bully" just doesn't have any impact. However, if instead of saying "You big bully!" you said "You cunt!" that would produce the desired psychological effect, and really be more to the point.

In any case, Tarantino suggested, in the opening minutes, that his movie was an homage to spaghetti westerns, what with the opening music, quick and annoying camera panning and angles, and the brief cameo of the original Django, but it was soon apparent that was the extent of the homage.

If it was a homage to any movie, I would have picked the original Michael Wilson and Rod Serling scripted "Planet of the Apes". No, think about it. Here Django is playing the part of Charlton Heston's Taylor, an alien stranded on a planet infested with brutish, stupid, violent creatures. They object to his very existence, and, even when he proves to be superior to the apes, they still treat him as less than ape. Sound familiar? The difference, of course, is that Tarantino wanted to be cute, so there is a lot of gratuitous violence and broad, clumsy characterizations. But you get the idea.

Speaking of the Planet of the Apes, I would note two news items. The first one observes that language may predate humans. No surprise to me. Very sophisticated tools, and so by inference the use of language to instruct in the making of such tools, existed prior to H. sap. Jared Diamond has often cited language as the reason for the Great Leap Forward some 40,000 years ago, when apparently human culture really took off.

As I've noted before, Diamond (like most popularizers) is mostly full of shit, and language is overrated. Meaning 1) the evidence is incomplete, lots of the artifacts probably existed long before the hypothesized "Great Leap", you just got to dig better, and 2) language in and of itself is easily acquired and used by some pretty stupid people, so I think something else much more sophisticated was going on to explain the Great Leap, if it did indeed occur.

The second news item sheds a bit more light on the Denisovans, who, it would seem, have entered the picture as part of the many hominids that existed prior to, and probably contemporaneous with, H. sap. It's starting to look like, with all the different hominids around, that some 200-400,000 years ago, it was a lot like Middle Earth, with ogres and trolls and elves and hobbits and dwarves running around. Which, of course, begs the question "Are we Mordor?"

And speaking of Mordor (and going by just the movies mind you, since I never read the books) doesn't it seem rather silly for Sauron to fashion these rings of power, in turn controlled by the One Ring, hand them out to the various races of Middle Earth, who basically can't wait to greedily and lustfully slip them on their fingers, and thus become enthralled and enslaved by the will of Sauron... and then, after crafting together a very clever and subtle and devilish plan of enslaving the whole world with basically zero effort, Sauron goes all neolithic, wastes enormous amounts of blood and treasure, builds up and maintains vast armies to engage in primitive genocide, rapine, slaughter, and pillage to achieve ends in the most expensive manner possible?

Does this strike anyone else as fucking stupid? It reminds me of the behaviors we got from the likes of Hitler and Hirohito. Actually taking physical land and killing off opposing tribes is so... Stone Age, man! Why not try gunboat diplomacy, virtual empire, political and cultural dominance, hegemony? Works as well or better and with decidedly less effort since, if you craft it seductively, people want to be enslaved by you!

Look at social media!

And so, here we are back at attack surfaces. The big problem, as I said before, with attack surfaces is that your own resources are turned against you. And, of course, since you make these resources available for a reason, this is why they are vulnerable. As such, according to game theory, your best bet is a dynamic defense. With software, or all other kinds of ware (since, inevitably, All is Information, and Information is Physical), it's a tossup between security and usability. One can, after all, shift an attack surface, make it a moving target (as Life does, as the smarter humans do).

But, the problem there is you want your resources to be usable (and without all that change and revamping and documenting and updating). Not only that, but if you shift your surface, you may suppress old attacks, but you inevitably invite new attacks. What to do?

Well, modularity and redundancy come to mind. Modularity gives you the advantage of resource stability, with only minor tweaks and changes to some components. Redundancy is also a nice feature, as, if you find one resource stria or lamina compromised, you swap over and continue on.

(Examples of the former: combination locks, antigens, etc.) (Examples of the latter: the Ho Chi Minh trail.)

Well, you can see where this is going, right? It begs the question: is there an optimal moving target defense strategy? Short answer? No. And forget about game theory for the answer.

Longer answer? Yes, but annoyingly, it requires cooperation with the attacker.

See above.


  1. So, I put them all together in a text file and read them from end-to-end. Still couldn't quite fathom the gist of the provocation for this particular random walk. Sooo..., just a couple of observations. I've done technical security as my primary vocation for 25 years and I've never heard the term "attack surface", I found a Carnegie Mellon paper from 2004 focused on Microshizzles and Bizzles stuff, and I gathered from that that it was some faux academic fluff funded by the DoD which was in the process of scrapping certified secure design so that it could use off-the-shelf Microshizzles and Bizzles in applications formerly reserved for certified trusted computing environments.

    I have done DITSCAP certifications of computing environments, and I did one not too much prior to the publication of that paper. I'm not sure that attack surfaces have caught on in the intervening 9 years.

    The marketing term du jour in the security world is SIEM - for security information and event management. Basically, dump syslogs from multiple environments into a common database, make these searchable and script alerts and other pattern recognizing responses in conjunction with the same. I'm guessing that SIEM is the "cooperation" with the attacker default to which many practitioners have fallen due to their inability to obtain widespread and enduring cooperation from either colleagues or vendors in the lost ancient art of "hardening" systems against attack.

    It takes an old school security master to maintain the discipline of systematic hardening of systems and network elements so as to absolutely minimize if not outright eliminate attack vectors which taken in the aggregate comprise the neologistic attack surface.

    SIEM is degeneracy in pursuit of dollars...,

    1. Yeah, this one lacked an underlying central theme, and so ended more or less chasing itself in ever-diminishing circles, or ever-expanding outward tangents. I suppose, were I to pick a theme, it would be the old evolutionary arms race theme and the need to avoid a static defense. As I've never done nuttin' with the software aspect, and wasn't sure how prevalent or relevant the term was, I tried to avoid the cyber angle, and stick to Life. But I did like the sound of it at least. In any case, now I have to bitch about my insurance company.