Yesterday, the web was abuzz with news about a paper released at the 2008 Chaos Communication Congress. This paper details an attack against the SSL certificates that web browsers and other software use to verify and encrypt communication between client and server. Some of my younger security industry friends were feverishly announcing that the attack “breaks the Internet”. Old security hands like Bruce Schneier and John Viega said, respectively, “[t]his isn’t a big deal” and “there is little to worry about”. Which is it?
Over lunch, I commiserated with a coworker at Twitter about this odd event, as it’s a prime of example of why he and I no longer work in information security.
Much of the tech world is obsessed with engaging in macho pissing contests, but no part more so than computer security. In the case of yesterday’s announcement, the researchers in question were more concerned with their ability to present their findings at a popular hacker conference than with guaranteeing the safety of the Internet. Why else would they put the organizations they disclosed their findings to under NDA and not consult the authorities on the most widely-deployed SSL implementations Building reputations and managing PR is the order of the day.
This culture of one-upsmanship doesn’t mean that computer security is a stagnant discipline. It does, however, mean that the people who choose a path of humility about their work don’t get the rewards - financial and otherwise - that they deserve. This is a shame, and it’s to the detriment of digital security as a whole. My coworker suggested that an academic, peer-reviewed approach to security research would ultimately be more beneficial to the Internet community as a whole. I don’t have the authority to comment, but I do feel that most anything else would be an improvement on the traveling hacker conference circus we have today.
Secondarily, I don’t work in information security because of the technologies that have become prevalent in the industry. Not that I have any particular talent in them, but both exploit development and reverse engineering are all about Windows, and have been for several years. Working with Windows day in and day out is a mind-numbing prospect, even if the theoretical payoff is control of 90% of the computers on Earth. Application-level attacks are mostly about the web, and honestly, I’m deathly bored of the client-side web.
These reasons are a big part of why I’ve ended up working in the “under-the-hood” part of web application development for the past two years, even though I spent most of my adolescence dreaming of getting paid to hack. Interestingly, I’m not alone. I’ve met a number of ex-security people who’ve ended up building high-performance systems for the web. It’s still a pissing contest, of course, but a much less public one, and with much less of an agenda.
Someday, I expect I’ll come back to information security. Despite the politics, it’s compelling, high-impact work. I hope, though, that the field’s culture has changed by that time. I’m not holding my breath.
Addendum, Jan 17, 2009: Two of the people involved with the SSL hack replied to me about this post via email. Alex Sotirov said:
“We already have an academic, peer-reviewed approach to security and it is not working. Academic papers about the problems with MD5 collisions have been published since 2004. The exact same attack that we did was described in an academic paper in 2007, but even this was not enough to get the CAs to discontinue using MD5.
When we got up on stage and presented our real rogue CA certificate, the CAs were finally forced to do what they should have done years ago. Verisign stopped using SHA-1 just 5 hours after the talk.
I am not disputing that this is a pissing contest and that my personal motivation to do this work is far from altruistic, however the result is that the Internet is a safer place today than it was on Dec 29.”
Jake Appelbaum had this to say:
“[W]e were actually working towards making the internet safer; we weren’t harming anyone and that harm reduction is a large part of how we planned our release. We informed the relevant parties and we didn’t release anything that could harm anyone. The information to do the chosen prefix attack had been public since 2007.”
Both are smart guys, and they know the security world far better than I do. It sounds like they had the best of intentions, along with their professional interests, in mind.