I've been doing paid security work for roughly 4 years now, and had an interest in it since my dad built our first Apple ][+. I'm starting to wonder if I've seen it all. I'm referring to archetypal scenarios of course; I fully realize you can never 'step in the same river twice'. Having said that, anyone who has enjoyed a few good Danish Christmas dinners knows that even though every rice pudding is a little different, there's not a lot of room for significant variation :)
Technology changes, there's new attacks, new defenses... but is that really true? Personally all this stuff I'm seeing seems to be variations on a few basic themes. People implement it, other people attack it. Buffer Overflows *big yawn* shellcode *yawn* Crappy Software *yawn* lazy users *yawn* Businesses making hardware and software for money and skimping on security *yawn*. Crypto created, crypto broken *yawn* fuzzing *yawn* IPS and firewalls *yawn* automated exploit frameworks *yawn*... Viruses, worms and trojans *super big yawn*...
Sometimes I think it's like being a cop... at first you're all excited to be making a difference. You're going to save lives, make the world a safer place. Fast forward 10 years later, and you're probably well jaded after busting the same junkies 1000 times, the same person that beats his family and never learns, the same thieves that keep getting in trouble. In short, people rarely learn and they keep making the same mistakes.
Security is starting to look the same way. Sure, every now and then something comes out that sounds new and revolutionary... but there's *always* a precedent to some kind of attack in the past. There's nothing truly, radically new. Maybe with all the younger folks coming into the field, being exposed to computers and doing security stuff, it all seems new to them and so they think they're doing something incredible. And I suppose they are, but that doesn't mean it's new. Stop re-inventing the wheel, guys, and know your history or you're doomed to repeat it.
Perhaps the field is maturing and that's why we're not seeing anything truly, radically new. I will make a bet that in the next several months, no one out there will be able to produce, and show to me, anything 'truly, radically new' - I'm confident that I'll be able to show you where and when someone has touched on this before, and if I can't do that, why what you're showing me is nothing more than a variation on a theme already extant.
Comments (1)
There are people like Marshall Beddoe automating reverse engineering with groundbreaking search algorithms. There are countless developments in onion routing and communications obfuscation. There are countless new tools that allow agile hackers to manipulate the hearts and minds of men in ways previously unknown.
If we abstract all vulnerabilities, we can categorize them into four distinct categories. Naturally all attacks will have something similar in these four categories. But the reason why you feel there is nothing new in security is that you are simply not doing anything innovative.
Posted by weev | July 6, 2006 6:40 PM
Posted on July 6, 2006 18:40