web application security lab

Hill-Billies: A Case Study

34 posts until the end… Oh, and happy Monday. It’s time for a little story.

Once upon a time there were some hill-billies living in the deep south. They had virtually nothing. They made their moonshine, and lived the most meager of lifestyles. They were in deep poverty. They made do with their hooch and stories. They worked hard - 8 hours per day at the local sweatshop, but they were happy enough. Then one day, an advocate for minimum wage increase saw what the hill-billies were living in and how they were living their lives. It made the advocate angry and they went to go fight the local sweatshop to increase their wages. The advocate wanted to make sweeping changes and would use the hill-billies as a case study on how much a little extra money can improve someone’s living standard to further the advocate’s cause.

Eventually, after intense scrutiny, the sweatshop realized that they had indeed been paying too little for any decent standard of living and decided to give all their minimum wage workers a rate increase, which included our friends the hill-billies. So now you’re thinking to yourself, the hill-billies got a home loan or used the money to pay for school or something else productive, right? No… what happened was that the hill-billies had always been happy with what they had, and the increase in money allowed them to work less and make the same amount. They continued to make their moonshine and lived happily within their means…

The moral of the story is that about a year ago I reached an inflection point in my career of 15 years in security. I realized that with every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again (think firewalls and tunneling over port 80). It feels like we’ve been battling to protect people, but the people don’t want to be protected if it means changing. They’re happy with the status quo. Of course, there’s always fear of the unknown, and fear of insecurity is a key driver of spending (think anti-virus). One thing’s for sure though, you can’t change the nature of the hill-billies, so why are we trying? Our only path to success is empowering people to do what they want, without getting in the way. The words “No” and “Can’t” have to leave our vocabulary when it comes to what consumers and developers and companies want to do. Now, the trick is: how do we build security that no one notices is there?

17 Responses to “Hill-Billies: A Case Study”

  1. Greg Says:

    The metaphor you use is sure hardcore neo-liberal propaganda. New world order much?

  2. Angel One Says:

    The mental “risk thermostat” has been discussed before, and it’s very true:

    http://www.schneier.com/blog/archives/2009/08/risk_intuition.html

    http://www.amazon.com/Risk-John-Adams/dp/1857280687/ref=sr_1_1?ie=UTF8&s=books&qid=1246306830&sr=8-1

    And yes, good security must be transparent. I couldn’t have said it better myself.

  3. DrPizza Says:

    I don’t think it’s so much that people aren’t willing to make changes, but rather they’re not willing to make their computers less useful or convenient. “different” is tolerable; “worse” and “harder” are not.

    If security is a greater obstacle to users than it is to attackers–and firewalls that place tight restrictions on outbound traffic are often that–then it is not surprising that the users seek to bypass them.

    It’s similar to the iOS effect–we have users welcoming substantial security flaws, because it allows them to remove the restrictions that Apple has placed on the platform. I think aligning attacker and end-user interests in this way is probably a bad thing (if nothing else, I don’t think it’s good that there’s now a kind of perception that security flaws are desirable and/or useful), but I can understand why users want to defeat the security of their phones.

  4. Sasha van den Heetkamp Says:

    Sounds a bit like Bruce Schneier’s epiphany in Secrets & Lies, where he changed his whole mind on the idea of security and started a company that monitors traffic by real people, because he realized that security cannot be solved with software, only by physical humans. It’s also the least obtrusive. It’s the only book on security I would ever recommend to anyone. It changed my thinking too when I read it years ago.

  5. Alex Says:

    Is it even possible to build security that no one notices is there? How can we authenticate identities without the users noticing that we’re doing it? The simple username/password system is horribly vulnerable, but even that is too much of an obstruction for many people.

  6. RSnake Says:

    @Greg - uh, no, I just thought it was a funny story. Relax.

    @DrPizza - great insights! I agree… different is tolerable (even if migration is very slow) compared to worse, which will almost never be tolerated.

    @Sasha - That is also one of my favorite books on the topic as well. A definite must read after you’ve bludgeoned yourself in the head with Applied Cryptography.

    @Alex - Perhaps building the authentication into hardware or software would remove that barrier. I’d rather not make any specific recommendations here though, because it’s more about the philosophy, not the point solutions.

  7. mokum Says:

    Issue is, we often do not provide real security in the first place, only placebos: Firewalls? Only to ‘hide’ the weak crap behind it. AV? Same. IDS? Go figure.

  8. RSnake Says:

    @mokum - You’re absolutely right about that in a lot of cases. In fact, I know one giant retailer that doesn’t use a single firewall on their external interface. There’s no point since the webservers only have webserver ports open externally on that interface. Loadbalancers do the rest.

    But firewalls do a lot more than just block ports too if you know what you’re doing, so I’ll have to disagree slightly in that we definitely use one in front of our site and it’s not just to stop inbound port-scans or hacking other ports that are open (which none are in the case of ha.ckers.org anyway), but I get your point.

  9. Johan Says:

    Good post, I’m facing the same problem on my websites. I want ppl to be able to do anything they want on my website, except when they want to fuck it up. Captchas mean less visitors, no captchas means more bots.

    You don’t want ppl to find out how safe a site is unless they try to break it.

    I know a guy who changed every tag, id and class on his website on each session, changing CSS rules with it, just so that users don’t see any differences but bots couldn’t figure out where to look for specific stuff (in the end it was a click-bot that ‘penetrated it’).

    Still, good example of ‘invisible’ security.. or a try at it.

  10. moebius Says:

    No one would notice the security changes if there weren’t any security advisors. In other words, if security wasn’t a profitable business, everything would be more secure.

  11. LonerVamp Says:

    I agree with your analogy only insofar as people are somewhat reasonable.

    For instance. I’m driving along. I want to drive through this intersection up ahead even though the light is green. I hate you for insisting that I stop at a red light. Yes, I know speeding through it is risky. But I want to anyway. I’ll gamble!

    Now, you could argue that city planners could make a bypass either around or over that naughty road that needs to have a stoplight on it that is sometimes red when I approach. But is it reasonable for me to expect to never stop while driving? Really, it’s not.

    Another way is the classic “give ‘em the pickle” example. If someone at a restaurant asks for an extra pickle, give it to them! But this approach ignores the situation where people are unreasonable. Say instead of asking for a pickle, I ask for a new television or I’ll be pissed and spread lies about the business. That’s unreasonable and an abuse of the good will of the principle.

    I agree with your point, but not to an extent that the customer/user is always right. Likewise, users can equally game the system where you decide never to say no and instead enable or make security transparent, just like asking for unreasonable pickles.

    At some point security *has* to be the bumpers in the bowling alley gutters, and some bowling balls are just not thrown straight…

  12. LonerVamp Says:

    Just as a quick follow-up, security should be reasonable as well. Blocking all web browsing inside the company is not really reasonable. Blocking all social networking may also not be reasonable from a security perspective (more of an HR issue there). Disallowing HTML-enabled email may not be reasonable…and so on.

    I think us geeks tend to approach security as a black and white proposition. It is either secure or it is a fail. We’re still coming around to the idea that security is an art; it’s creative, subjective, not quite as clear as our 1s and 0s in the code. Especially when we start balancing users/convenience against security/risk.

  13. Johan Says:

    @LonerVamp,

    I have to agree with you there. I do see a website as either secure or not secure; the only gray I recognize is that no security is 100%, making the ‘maximum’ security almost black (or white, depending how you wish to see it).

    There is no ‘in between’ for me, which, I’ll admit, might be wrong thinking. Then again, it does help me to push myself into making a website ‘even more secure’ without any change from the user’s point of view, of course.

  14. llvllatrix Says:

    I’ve been thinking about how this sort of resistance to change plays out in the long run (at least from what I’ve seen). Let’s say your end users get hooked on a nice piece of software and all is right with the world.

    New security requirements come in that break the software and your security team has three options; trash the business process, fix the software or find a replacement. The first option rarely happens; in my experience the process is either there for a reason or the security/IT team doesn’t have the political clout to get it done.

    The second option is only as good as the vendor’s willingness to fix security problems. It also helps if your vendor’s still in business.

    The third option can go one of many ways, but let’s say you get past the effort of convincing management, users, accounting, perform your data conversion, get the new software installed, hardened, pen tested and finally you retrain your users. It’s now a year later and new security requirements come in…

    Whose fault is this? As far as I can tell, it’s not the security team’s because you’ve basically asked them to do an impossible job. It’s not the users’ because any significant change in their software means losses in efficiency that they’re accountable for.

    Am I going nuts or is this problem a legitimate concern?

  15. AppSec Says:

    @LonerVamp, Johan: Security is black/white when given an acceptable level of risk and asset protection.

    Sure, a corporation might not want to block employees from the Internet, but they may very well have a segment of machines they want off the Internet and thus segregate that LAN/VLAN. Thus users on those machines will not be able to access the Internet.

    You’ve either met that security within the accepted level of risk or you haven’t.

  16. Sasha van den Heetkamp Says:

    Those who were at the birth of the Internet or just after it in the BBS era noticed one thing: the amount of servers. The net was just like a small town, where people leave their doors unlocked (think Telnet). That changed when the population of servers increased, e.g. a city where everyone locks their door. And now everyone needs to lock their door because the net has become a gigantic city where anonymity is key. This has more analogies to population control in societies as well: the more people there are, the less secure they tend to feel. I think groups have a certain natural limit, and everyone in such a group has a concatenated group, but still it remains a small society where people know each other. You can expand this to states, countries, and eventually the world as a whole. Somewhere along those lines, some people are not in your group and therefore don’t have the social bond you have to your group. This invariably will lead to theft, compromise and the reason that every door has to be locked, because we lost overview on our and other groups or, more anthropomorphically: clans that rival. So one solution is to reduce groups, but that isn’t feasible at all; the Internet is global. Although I see value in blocking all Asian servers, because I cannot read Chinese nor Japanese nor Arabic, nor have I been inclined to visit such websites in that language. So policies might be an option in some cases. Blocking countries or continents does work sometimes. But I hear you, you think well, we could use a proxy. True. But eventually we could sort out all open proxies in our continent and block them too. Remember that in the days of BBS servers were hacked too, but usually only for gathering information, not to small servers down and wreak havoc. Still many servers in that age kept those doors open, such as telnet. But guess what: most important information was not kept on those servers, just like you don’t carry all your important information with you when you go shopping for groceries. You keep certain items in storage at a bank, or at home, and this decreases the risk when you get mugged on the way to the grocery store. I think that we all made the mistake of pulling up servers and dumping every bit of our information on them. That is our main problem today: everything about us sits in a predictable on-line database, often everything about us in one database, instead of decentralized data. Computer users such as the hillbillies are oblivious to the fact that everything on their PC might be stolen one day; they keep their credit cards, cash, photos, bank statements, letters, and other private data on one machine and expect it to be safe from cyber muggers. Some understand the problem, and distribute their information in off-line data containers such as hard-disks and flash sticks, exactly as you would do when you go on vacation: you put 20$ in your pocket, 200$ in safekeeping and 50$ in a wallet around your neck or sock. So in the end it boils down to common sense; the on-line world isn’t any different than the off-line world. ;)

  17. Sasha van den Heetkamp Says:

    Apologies for the huge text :)

    But I guess it really is up to the Hillbilly. One day he gets mugged, and maybe learns a lesson: not to use the ATM at 3:00 AM. (Or not to download that free virus scanner executable that popped up in his/her browser.) Common sense would indicate that that wasn’t a clever idea from the beginning. Still people do it and get robbed all day. No real difference from the real world we live in. We can’t protect such people, nor should we aim for such a goal, because it’s unrealistic and only leads to a society where Big Brother keeps an eye on you, of course: in your best interest.