Any sufficiently advanced technology is indistinguishable from magic – Arthur C. Clarke
This weekend was the first Defcon I attended, and if I had to summarize what I learned, it would be two-fold. One, any sense of security we feel in life is a lie. Second, for some of the things the speakers were doing, I might as well have been attending a magic seminar.
It felt like a progressive learning experience beginning at showing me all the ways my current security is worthless, and then showing how to completely bypass my security regardless of how strong it is. The first thought that popped into my head at the end of the last talk was that I might as well just leave my door unlocked and take off all network security; at least then I’d be living in reality. But then I remembered back to my very first job. It was a summer job at Target, and upon hire the head security guard gave the new batch of employees the standard security talk. What stuck out in my mind even then was when he said that there is no way that they will be able to prevent shoplifting from the store. It’s going to happen. But their goal was to instead provide more security than the Walmart across the street so that all the shoplifters would go there instead. You don’t need to outrun the bear, just the person you are with.
But even still, it’s a sobering experience to have your mediocrity presented to you in a PowerPoint presentation every hour on the hour. I didn’t learn new techniques so much as I gained a newfound motivation for not winding up on the Wall of Sheep, a list projected on a screen that listed user names and passwords from people in the surrounding networks. Security is an impossible task, so I think I better get started on it now.
There is no such thing as 100% secure. Doors, locks, firewalls, passwords and the like only keep out the opponents with poor motivation or lack of imagination.
The fundamental problem remains that defenders must remain vigilant 24/7 on all fronts while an attacker need only exploit a single point of failure to succeed.
Richard Bejtlich who taught the TCP/IP Weapons class I attended at Blackhat had a good blogpost on the subject recently:
http://taosecurity.blogspot.com/2008/08/more-threat-reduction-not-just.html
“Recently I attended a briefing where a computer crimes agent from the FBI made the following point:
Your job is vulnerability reduction. Our job is threat reduction.
In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats. Therefore, we cannot independently influence the threat portion of the risk equation. We can play with the asset and vulnerability aspects, but that leaves the adversary free to continue attacking until they succeed.”