LCA: Bruce Schneier on the two sides of security

Bruce's key point is that we need to rethink how we try to achieve security, though it took a while to explain just why that is. Security, he says, has two components:

• The feeling of security: that which helps us to sleep well at night.

• The reality of security: whether we are, in fact, secure.

These two aspects of the problem are entirely separate from each other, but they both have to be addressed if our security goals are to be achieved.

Security is always a set of tradeoffs which we are all making every day. As an example, consider that, in all likelihood, nobody in the audience was wearing a bulletproof vest. It's not that the vests do not work; instead, nobody feels that the cost of wearing a bulletproof vest is justified given the risk. On a bigger scale, the answer to the question of how to prevent more 9/11-like attacks is clear: ban all aircraft. In fact, that was done in the US for a few days after those attacks, but, in the longer term, that is not a tradeoff that people are willing to make.

So the fundamental question for any security tradeoff is: is it worth it? As it happens, we are quite bad at making that decision. We tend to respond to feelings rather than reality. Spectacular risks drive us more than everyday risks. We fear the strange over the familiar and the personified (think Osama bin Laden) over the anonymous. Involuntary risks are seen as being bigger than those entered into voluntarily. In the end, evolution has equipped us quite well for making tradeoffs in the small communities we lived in many, many thousands of years ago. We are less well equipped for the world we live in now.

Since we respond to feelings more than reality, there are strong economic incentives for solutions which address feelings. The result is snake-oil products and security theater. Sometimes people notice that they are being sold bad security (later Bruce mentioned a US survey which indicated that the Transportation Security Agency is now less trusted than the taxation agency), but, all too often, they don't. They have a poor understanding of the risks and the costs involved, and there are plenty of people with strong interests in confusing the issue.

The security market is a lemons market, one where buyers and sellers have asymmetric access to information. Economic research shows that, in such markets, the bad products tend to drive the good ones out of the market. There is no easy way to evaluate the work which has gone into the creation of a truly secure product, so buyers respond to other, less reliable signals. Things like price, sales claims, or the Gartner Group. These signals are sloppy and prone to manipulation. When security is outsourced to outside agencies - governments, say - the problem gets even worse.

In the business world, information eventually brings some order to a lemons market. As businesses learn about what really works, access to information evens out - though there is always a problem with very rare, high-cost events where information is not available. In the individual world, though, it is much harder, because fear plays a much bigger role.

The fact of the matter is that fear is wired deeply into how we work - it is a result of a very old part of our brain. As humans, we have the ability to override our fears when reason indicates that we should, but it is a hard thing to do. The default state is that fear rules. So this is Bruce's core point: the feelings matter. All that security theater out there is not entirely stupid; any security solution must address the fears that people feel. We must address both aspects of security.

The problem is where the feeling of security and the reality of security diverge from each other. If only feelings are addressed, security has not really been achieved. If only the reality of security is addressed, people feel insecure and may make bad decisions. Either way, the full problem has not been solved. Addressing this all-too-common problem is hard, though; Bruce knows of no better way than the spreading of good information.

Your editor's perspective follows - nothing from this point on was said during the talk. It seems that he has a point here. Consider some common situations in the free software world:

• A large number of security updates from a distributor may be an indication that the reality of security is being achieved: problems are being found and fixed before they are exploited. But all those updates can undermine the feeling of security. The seemingly endless stream of Wireshark updates is a case in point; most of these problems are found through proactive auditing by the developers and have never been exploited by the Bad Guys. But the feeling of insecurity associated with Wireshark can be strong. This feeling can push users toward other software which, while not having that long history of security updates, is actually less secure.

• A system running SELinux may, in fact, be highly secure. But many administrators still turn it off. SELinux does not make them feel secure because they do not understand it, and they fear (rightly or wrongly) that it will interfere with the proper operation of the system. But, by turning it off, they undoubtedly expose themselves to a number of attacks which SELinux would block.

We should hear Bruce's point and think a bit more about how we can ensure that free software creates the feeling of security - but a feeling which is backed up by real security. It's a hard problem, one which lacks technical solutions. But we'll find ourselves less secure than we would otherwise be if we do not address that side of the issue.

Wireshark uses privilege separation now, so problems in the packet dissectors will only
compromise the low-privilege account used to do the packet dissection. :)

My solution to the problem: watch less TV.

People are just dependent on other people -- is this news, really?

If we're talking about fear here, we're always talking about dependency, because fear is
always a result of being dependent. If we're talking about inabilities to perform assessments
correctly, they are probably because of the ignorance, pure lack of information, or
disinformation, which can also be a result of being dependent (on someone who does all the
assessments instead of you), or on some other conditions.

I would note that anyway, I think our physical ways of evaluating danger are still much better
than just a bunch of worldwide statistical crap, because instead of believing in some generic
and unconditional statistical facts, we can take many things into account which are special
for each situation. E.g, the fact that the driver is sober or drunk makes much difference,
don't you think? So maybe instead of thinking about the annual death rate, you should see how
good the driver is, what kind of shape the car's in, and so on? The fear of elevators can
indeed exist just because of the inability to assess its state (what's there under the hood
anyway? do you know how this crap works? is it really safe? have you ever seen the internals?
many questions. here we're totally dependent on a good will of the people who maintain this
elevator, hence we have fears).

> I'm not sure I follow you here. If a pack of wolves suddenly appears behind me, how is the
fear I feel a result of being dependent? I'm dependent on what exactly, on the wolves? On me?
On some other people appearing and saving me? If I just hear wolves howling and the hairs on
the back of my head suddenly all stand up, where is the dependency? Or when I find a snake in
the grass and my palms get all sweaty? When lightning strikes beside my tree? I'm just trying
to understand your statement, honestly.

You feel fear because you can't do much about the situation. You're dependent on something
else which would resolve the situation. You have to hope that the wolves aren't after you,
that you're not stumping on a snake, or that the lightning isn't striking at you. You're
dependent on the whimsical mercies of a chance. You're dependent just because you don't seem
to be able to resolve the situation yourself.

> But e.g. with elevators we are not talking about a high risk or a low risk; statistics tell
us that casualties due to cabin falls are zero, or so close to zero that they are not
meaningful.

Who cares about what they say? I've met many people who were saying many different things. Why
would I want to believe? Let me have my own statistics and draw my own conclusions. What I
know is that falling from great heights is dangerous and can be lethal, that metals are very
tough, that the elevator's engines are very powerful and can easily tear me apart -- that's
what I KNOW. Don't you think it kinda contradicts what these statistics of yours say? Why
would I want to believe them then?! You can say that nuclear power plants are safe, and I
would never agree -- just because they inherently contain sources of dangers, no matter how
perfectly confined they are. Same with elevators.

While I personally don't have any elevators' fears, I assert that the line of thought I
presented is totally legitimate and has its merits, and I also think this is the way any
living being makes its assessments.

> In contrast, with cars we all know that regardless of the condition of driver and car we are
dependent on the good will of all other drivers. Even if everything else is in perfect
condition, if a drunk driver invades your lane or doesn't stop at a red light you are done.

I would disagree here. A good driver is not just someone who knows how to turn left and right
and how to tell red from green, but a person who actually knows his stuff, sees problems
coming, sees if other persons don't behave right on the road, anticipates everything and
doesn't get into problems as a result.

What you push here is that we should trust somebody who is presumably much more clever than
us. What I push is that, first of all, we should trust ourselves, and if somebody wants to
earn our trust, he should indeed earn it first. I personally see no problems in how people do
their assessments -- they might not always be right, but they are doing the right thing. If
they are wrong, it's probably lack of information -- but you can't just shove this information
down their throats and expect them to accept it. Most probably, it will be rejected as being
too different from what they know already -- and that's the right thing for them to do.

All fears are very rational in the end, so if your palms still sweat after the 100th time, try
another approach at understanding what you're actually afraid of :)

I wouldn't like to fly with a pilot that doesn't fear what he does. In 
other words, a mistake can kill. The fact that this fear is real and 
vivid and acted upon makes air travel as safe as it is.

People act foolishly when afraid because they don't know what to do. On 
the other hand people regularly are hurt or killed at their workplace 
because they didn't know that they should be afraid.

How many times has people in this readership been afraid to apply a 
change to a working system? The fear moves you to double check, get other 
input, set up a test system, whatever.

Personally, when I fear things that I encounter regularly, I find out 
what to do. Not to allay fear, but to know how to act safely.

Derek (who in his work is regularly in situations that could kill him)

The thought occurred to me that perhaps this is one of the things MS did get right. By having
their Patch <day of the week> they provide the feeling that it's all planned, everything is
under control. I wonder what would have happened if the Wireshark guys had annouced they were
doing a proactive audit and that a new release would happen every first day of the month with
all the issues found in the last month.

Now, the free software community to too large to coordinate anything like that. But imagine if
a distributor decided that all non-critical security updates would happen only on wednesdays,
would people "feel" safer due to it being planned, even though you're sacrificing a little
security (a few days delay).

If you are going to delay disclosure of vulnerabilities, then you need to make sure you aren't
leaking information about those vulnerabilities before that date.

If the project uses CVS or Subversion, then there is no reason that the bad guys wouldn't be
watching the commits.  The contents of the commits may be enough for such a person to deduce
the vulnerability and be able to exploit it in the window the developers have provided (in
addition to the time it takes for people to patch their systems).

So you really want to delay exposure of the commits to the same point where you expose the
vulnerabilities.  With a public CVS/Subversion server, that probably means not committing the
work until that point which is not particularly helpful if you have multiple vulnerabilities
to track.

If you really do want to batch up the security vulnerabilities, perhaps one of the distributed
VCS systems would be appropriate.  The ability to perform disconnected development also means
that it is possible to keep a line of development private but disclose it at a later date with
full history, which is what is wanted here.

Hi Jonathan,

there are at least two different angles regarding SELinux in the context of Bruce LCA keynote:
The nature of security being a tradeoff and the difference between "felt" and "real" security.

If you consider security as a tradeoff, then the fact that SELinux is rather infrequently
deployed is at least a hint toward SELinux being a bad tradeoff: Most people (and I mean
professional sysadmins) tend to think, that the added complexity of SELinux is likely not the
cause of more security - quite the converse.  If you (as a sysadmin) do not understand how
things work an why, you will make bad decisions, and that will make your "real" security
worse.

That does not mean that SELinux is "not secure" - if you are in need of a bulletproof vest,
then please use it!  You have to learn all the necessary stuff about SELinux and you have to
deploy it in a thought out manner, and it will increase your security (considerably!).  But
for most security needs, the tradeoff is bad.

You state that "a system running SELinux may, in fact, be highly secure".  I would like to
stress the "may": You just need a small error in your ACLs (which is easily done and not so
easy to detected) or in one of the many SELinux knobs to play with, and your security turns
from "real" to purely "felt".  And while "felt" security is relevant as Bruce points out,
"felt" without "real" is a real problem :)


regards, thias

PS: I'm a "first day" subscriber and a quite happy one!  Since the topics of Bruce keynote
touch my professional habitat, I just felt the need to comment for the first time :)  Please
keep up the good work at LWN.

There is a good blog post at Financial Cryptography that goes into
more detail than Bruce regarding the "lemons" market in security:

https://financialcryptography.com/mt/archives/000896.html