I’m periodically struck by how much security research and development is sold by scare talk (fear, uncertainty, and death). Unless you go over the top, you don’t get the news articles, the congressional hearings, or the money. There was a recent video going around that showed security researchers messing with a SCADA system and blowing up a power substation (in a lab) using techniques that are generally known in the community. This got congressional hearings going.
A couple years back, I saw a local researcher present simulation results that showed how two or three simultaneous errors (squirrels, trees, or terrorists) could take down the greater Chicago-land power grid. But simulation results don’t make the news. Real explosions do.
I was talking with a former colleague last week about trusted OS results from a couple decades back that were strongly worded and controversial at the time. He cynically said that the researcher in question made his statements as controversial as possible to ensure that he got attention and thus funding.
In both of these cases, raising attention through showmanship brought broader attention to valid security concerns. So I suppose the ends justify the means. It is just how the game is played.
In any case, while pulling together my network security notes for the semester, I was struck by the amount of FUD in my notes. However, I think much of the concern there is valid. Or perhaps better stated, the concern is chronic. With the IP infrastructure, our problems are chronic. We can incrementally try to make our part of the world better, but ultimately there will be infections and attacks out there. There is a shared resource out there, and by sharing it we expose ourselves to the threat. Like getting lice by sharing a hairbrush.
Perhaps we could just switch over to a newly designed, better network infrastructure. But it isn’t going to happen. Not anytime soon anyway. Still waiting for IPv6 ten years later. Even in that case, there would be threats. With the shared network, you are at the mercy of the least prepared or least savvy connected entity.
No deep observation here really. Just noting that the biological analogies fit here with respect to chronic infectious diseases.