Tuesday, August 21, 2007

"Real" security people just don't get it.

Black Hat, DefCon, CCC and yet another pile of news about the largely theoretical from really smart people, bah! Virtual this, hyper that, advanced counter-rotating BS.

Out here in the real world of small business, things are different. We struggle with security battles that most "experts" think were won years ago, and the problem is not so much that we are behind as that the "experts" and vendors (and a big chunk of the IT press) are out of touch. They might as well be academics. (My view of smart people is summarized in my first post.)

Look kids, remote code execution in user space, followed by privilege escalation and eventual total compromise with an "undetectable" rootkit isn't that impressive in a world where you can guess half of the passwords (if they even have passwords). Sure, I can sniff your car's keyless locking and ignition system's RFID and steal your car, but if the keys are in the ignition of every other car in the parking lot, I'm just showing off. And wasting time.

Don't think this is a big deal? According to the US Small Business Administration [PDF], a little over half of all private sector jobs are in small business, and small businesses have generated between 60 and 80 percent of all net new jobs created annually in the past decade. That is a bunch of people (58.6 million in '04) in a bunch (26.7 million plus) of little companies, which means a really big (and growing) bunch of computers. Unfortunately, the pressures on small business are great: about a third are gone in the first two years and over half don't make four years. That means IT budgets are very tight, and security is considered a luxury by many. These systems are often no better protected or maintained than home systems, yet have valuable business data on them. And yet, we still need simple, reliable and secure systems, and we still won't have them. But we do have theoretical arguments about theoretical vulnerabilities and exploits.

At least I'm not bitter about it.