Wednesday, January 19, 2011

In Defense of FUD

That’s right, I’m defending FUD. Yes, I mean Fear, Uncertainty, and Doubt. That kind of FUD. And I’m here to defend it.

FUD is under unjust and unreasonable attack. Not from people who decry its use, but from some vendors, consultants, analysts, politicians, pundits, and regulators. Yes, they use FUD to sell their products, services, ideologies, whatever- but that is only the beginning of the problem. Things really turn ugly with the promises these folks make: if you will just buy what they are selling they will deliver you from FUD and bestow upon you BCC (Bravery, Certainty, and Confidence). And Confidence is the right word, because this is a con game. If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don’t work that way, and we shouldn’t. Fear, uncertainty, and doubt, at reasonable levels, keep us alive, and alert.

I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness and rethink the challenges we face. And that is healthy. If you find yourself confronted by someone whose promises are absolute, you need to be very careful (I generally either flee or mess with their tiny little brains; buying is not an option). We want to feel safe and certain; that is why there is a “security” industry- but if we are honest, the real goal is to reduce the chances of something bad happening down to an acceptable level. We are never completely “safe”, and anyone who claims that what they are selling can change this fact is a charlatan.

Some of the most dangerous sources of inflated FUD and unreasonable BCC are organizations and agencies pushing their various certification and compliance agendas. Compliance with a standard, even a professed “security” standard, does not make you secure. A new set of letters after your name doesn’t change the world. These things *might* move you forward, but they won’t *solve* your troubles- keep that in mind when spending time and money on them.

That’s it. I’ll take a manageable dose of FUD over any blind BCC any day. And you should, too.

The Security Skeptic said...

Don't blur the lines.

You are absolutely spot on when you mention that it's important to distinguish making people aware and uncomfortable once they are aware so that they are alert and respond. The folks you alert have the opportunity to benefit from your actions.

This is IMO different from dispensing F U & D for ulterior purposes or self-gain. If you manipulate statistics or call attention to an outlying issue solely to cause you to buy my product, then you're a FUDster. There is too much of the latter and too little of the former among security vendors.

Tell prospective customers what your product does. Admit what it can't do. Give a credible cost/benefit or risk assessment. Trust that the customer will make an informed choice and the customer will most often trust you.

kurt wismer said...

i tend to agree that this post is mischaracterizing what FUD is.

yes, there are legitimate reasons to experience fear. yes, there is inherent uncertainty in the universe. yes, a certain amount of doubt is not only reasonable but even helpful.

when someone spreads FUD they are artificially and arbitrarily amplifying our experience of those things.

revealing a real threat that we don't have the tools to protect ourselves against heightens our fear and makes us more uncertain and doubtful about our ability to remain safe - but such a revelation is not FUD.

Jack Daniel said...

You guys are, of course, correct that what we traditionally call "FUD" is a bad thing, and widely used/abused.

I am just trying to make two points:
one about the claims of certainty made about the promised solutions sold to us by the FUD-mongers; and the second about the reality of our environments- which are often truly uncertain and doubtful.

Thanks for the comments.

Shack said...

Jack, did you see my post on this?

I agree with you - there is a healthy way to use this. And WAY too much bandwagon-jumping within the security community, on this and in general.

kurt wismer said...

@jack daniel:
i think the problem i have is simply this - while fear, uncertainty, and doubt are natural things, FUD is an artificial human construct, and conflating the natural with the artificial is confusing.

Dominique said...

Did you see that Security Scoreboard got some funding (and myself as the cherry on the cake) today? End user reviews of real experiences with security tools. We have a long way to go, but the mission is to keep vendors honest ... with the help of the community. And people like yourself!

Andrew van der Stock said...

So you're saying you'd like to have your bridges designed and verified by folks without a B.Eng after their name, or have your eyes operated on by someone who got their qualifications two for the price of one from the University of Hard Knocks?

The security industry is full of cowboys and con artists. It's time to weed them out, not give the folks who want the status quo to continue a chance to mock things that are known good. I'm sick to death of SQL injection and XSS.

You are not helping by trashing the things like standards, compliance, and certifications that can let us easily tell the Ligatts from the Schneiers of this world.

Some certifications aren't worth the toilet paper they're printed on, some standards are hilarious, and some compliance regimes had no chance of working (SOX anyone?) when venal grubby fingers got into the compliance pie. It doesn't mean ALL standards, compliance programs and certifications are bad.

We know what works and we've documented that body of knowledge for about 10 years now. Some folks have adopted that advice, and it works if you use it ... properly.

Checklists are not wrong. See airline safety. You are more likely to be struck by lightning whilst trying to pick a 4 leaf clover in the middle of a terrorist attack than die on a plane.

What IS wrong is giving a checklist to an unqualified person, or giving a powerful tool to someone who expects unicorns, ponies and drug free urine to spray out in rainbows just because they managed to point a tool at their production website.

FUD is basically ambulance chasing for getting action or money today through fear, not understanding. It is not a long term business strategy and only works as long as chicken little is in the house. Worse still, it's a reputation killer for our industry as it tarnishes us all.

Jack Daniel said...

Andrew, I think you completely missed the point. I am not defending the stereotypical use of FUD, and am attacking the fraudulent certainty offered as an alternative, and saying a little doubt is a good thing.

As far as your other points, we can play if you want. I did not attack certifications, checklists, degrees, etc. (at least in this post). Those all have their place, even if they are often misapplied to infosec. The Romans didn't have a B.Eng, but Leon Moisseiff had a Civil Engineering degree- not that that has anything to do with this post...