February 20, 2005

Some dangers of vendor enthusiasm

There was a lot of discussion at RSA this year about whether vendors should be accountable for the security of their software. This is a very difficult question to answer, but I think we need to ask another, more basic question first: should vendors be accountable for the accuracy of their marketing statements? As consumers, we need to be very careful – sometimes even the vendors selling a product do not understand the implications of certain marketing statements. This is not always due to greed or malice (although unfortunately sometimes it is); usually it is due to the desire to express the good points of a new technology.

To paraphrase one comment I heard on the show floor of RSA, "My IDS will stop new categories of attacks without requiring a signature update." Why can't this statement be true? Let's assume for a moment that it is. "New categories of attacks" are, by definition, categories of attacks that have not been discovered yet. Since they have not yet been discovered, the IDS would have to somehow know the difference between "undesirable" effects and "permissible" effects for every packet it sees. Such systems are possible; in fact, this is how "heuristic" AV scanning works. But consider that one "new category of attack" might only affect systems that have a particular hostname or that run a particular service. Since an IDS vendor can't know about every possible new attack vector ahead of time (if they could, they'd be in business as an oracle rather than a technologist), the IDS would have to actually execute every incoming request against a replica identical to the target the attack is aimed at. So why can't a vendor have virtual hosts that account for all the system configurations on your network and make desirable/permissible decisions "on the fly," the way heuristic AV does on a single host? Because every machine instance is different (even identical operating system instances are in different states when run on different machines and at different points in time), and because we can't exclude any software on the machine as a possible target of attack, we would need to record and analyze the whole target machine. Aside from performance issues, logistical issues (keeping every image current), and architecture issues (having a virtual hardware image of every architecture on our network), the storage requirements alone would rule this out. If, for example, we had 1000 machines on the network each running WinXP, we would need about 3 terabytes of storage for the virtual images alone.

In another context, I had a conversation with the CEO of a security company who told me, "My software fundamentally changes the way SSL functions on both the client and the server side, but it doesn't require you to download any new software on either end." This statement is technologically impossible. Machines do not "automatically" change their behavior to do new things: SSL behaves according to the rules of SSL and not according to the rules of telnet. SSL has been programmed to function a particular way, and if we want it to behave in a different way that the implementer has not accounted for, we have to install new software. When I pressed the individual who made this statement, he conceded that some new software was required (he attempted to counter that it didn't really count as new software because it was an ActiveX control).

I think as consumers we need to be sure to discuss with vendors ahead of time exactly what we think we are getting from a product and compare it with what they think they are supplying. If the two don't match, the best time to find that out is before a sale, not after. "Before the sale" discovery of a disconnect leads to more repeat business for the vendor and a happy purchase on the customer's part; "after the sale" discovery leads to dissatisfied customers and less future business for the vendor. As Diana very succinctly put it, "vendor hype benefits no one" and acts to the detriment of all. In fact, the long-term consequences of inaccurate statements are worse for the vendor than they are for the customer: the customer loses out just once, but the vendor loses once for each sale made this way.

Posted by Ed at February 20, 2005 04:18 PM