For years security, or more specifically “on-line” security, has been a focus of many organizations that have taken the necessary plunge into the “digital ocean”. Every day, millions are spent researching, developing, and deploying new and inventive ways to “lock down” our “shared” information.
However, security, like beauty, is in the eye of the beholder. Really, think about it: isn’t it designed for our own psyche? I mean, these products and standards that are being produced and deployed to secure our digital inventory, aren’t they really manufactured to our degree of tolerance, or at the very least to the point where we say to ourselves, “I feel better”? Security has long been an issue of practicality, dollars vs. risk. After all, you wouldn’t pay $10,000.00 to protect a cup of coffee, and you weigh a “Lo-Jack” system for your car against a standard car alarm, that useless public nuisance.
The ideas of security that are out there are almost laughable. Don’t get me started on the “mandatory password change” policy. In short, it’s a bad idea, because human beings aren’t good at remembering passwords, so they invent different ways to memorialize them, which I think is what spawned the “sticky pad” industry, and that defeats the purpose of what the policy is trying to accomplish. But I digress.
Security Dyslexia
Security today is, by design, destined to be defeated. Whaaaaaat?! Yup. We are doing it wrong, or more accurately, backwards, or what I term “Security Dyslexia”. What do I mean by that? Let’s look at how the majority of devices and controls operate today. Now, before all those cards and letters come in: yes, yes, I am sure that your specific technology is the exception to this rule, that you have done fantastic things with your particular offering and will probably soon receive the Malcolm Baldrige award for excellence. However, the remaining 99.999999% of the security technology out there is really remedial and unnecessarily complex and expensive, and, if I may, designed to generate revenue, not really to protect.
It all began “back in the day” when well-known security holes were published; about 18 were well known at the time, and they were tracked to alert those who could figure out ways to thwart these corruptions. So security professionals decided, “Hey, let’s start ‘counting the corruptions’; that way we can list all the corruptions, compare them to the 40 known legitimate uses, and categorize, detect, block, or erase them.” Thus began the futility race, for around the early 1990s the corruptions greatly exceeded the legitimate uses, as evidenced by your security packages: anti-spyware, anti-virus, authenticators, adware/malware protection, and yes, the firewall too. They are all driven by a database of tens of thousands of corruption signatures that they track. And thanks to the marketing hype, companies actually use this as some kind of value add: “we have hundreds of thousands of well-known signatures of corruption we track, blah, blah, blah...”. This notoriety has incented thousands of aspiring digital deviants to create 200 to 700 new pieces of corruption every month.
Now just think about it… hmmmm... tracking hundreds of thousands of corruption signatures, or just watching 40 legitimate operations? Those operations could be monitored a heck of a lot easier, and doing so would eliminate the need for revenue-sucking, customer-dependent crutches, oh, I mean subscriptions. One could simply limit processes to legitimate uses and limit capturing to unique behavior: not corruptions, just unique or unrecognized behavior, kind of like a doctor does with your body. Now, in defense of some firewalls, they do adopt something like this with their policy of “what is not explicitly permitted, deny”; however, even today’s “state of the art” firewalls use logs (counting corruptions) to fault isolate or “flag” breaches. Doesn’t monitoring the legitimate make more sense? But noooooooooo, you just keep paying for those subscriptions to corruption databases and pushing that sand up the hill… hah. Anyway… I could go on...
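To make the “watch the 40 legitimate operations” idea concrete, here is a small added example (my illustration for this post, not code from any product mentioned here): a toy detector that runs one stream of process events through a signature blacklist and through a per-process allowlist where anything not explicitly permitted gets flagged. Every process name, signature, policy rule, and event in it is constructed for the demo.

```python
# Added example (not the author's or any vendor's code): "counting the
# corruptions" (a signature blacklist) versus "watching the legitimate
# operations" (a per-process allowlist, default deny).
# All process names, signatures, policy rules and events are constructed.
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    process: str   # image name that performed the action
    action: str    # "net_connect", "file_write" or "exec"
    target: str    # host:port, file path, or executable path


# Blacklist: the signatures the vendor shipped this month (constructed).
BLACKLIST_SIGNATURES = {
    ("evil.exe", "net_connect"),
    ("dropper.exe", "file_write"),
}

# Allowlist: the legitimate operations each known process may perform
# (constructed). Patterns are fnmatch globs; "*" also matches "/", so a
# directory prefix is enough to cover a whole tree.
ALLOWLIST = {
    "browser.exe": {
        ("net_connect", "*:443"),
        ("file_write", "/home/user/Downloads/*"),
    },
    "updater.exe": {
        ("net_connect", "updates.example.com:443"),
        ("file_write", "/opt/app/*"),
    },
    "editor.exe": {
        ("file_write", "/home/user/docs/*"),
    },
}


def blacklist_verdict(ev: Event) -> str:
    """Block only what a signature already describes; everything else passes."""
    return "block" if (ev.process, ev.action) in BLACKLIST_SIGNATURES else "allow"


def allowlist_verdict(ev: Event) -> str:
    """Pass only what the policy explicitly permits; everything else is flagged.

    "flag" rather than "block": a new-but-legitimate behaviour (an updater that
    starts writing to a new directory) should be reviewed, not silently broken.
    """
    permitted = ALLOWLIST.get(ev.process)
    if permitted is None:
        return "flag"                          # process not in the policy at all
    for action, pattern in permitted:
        if action == ev.action and fnmatch(ev.target, pattern):
            return "allow"
    return "flag"                              # known process, unrecognized behaviour


def compare(events):
    """Return {event: (blacklist verdict, allowlist verdict)} for a batch of events."""
    return {ev: (blacklist_verdict(ev), allowlist_verdict(ev)) for ev in events}


def missed_by_blacklist(events):
    """Events the allowlist flags but the blacklist waves through."""
    return [ev for ev, (bl, al) in compare(events).items()
            if bl == "allow" and al == "flag"]


# Constructed event stream: three legitimate actions, one known-bad action,
# one brand-new piece of "corruption", and one legitimate process misbehaving.
SAMPLE_EVENTS = [
    Event("browser.exe", "net_connect", "203.0.113.5:443"),
    Event("browser.exe", "file_write", "/home/user/Downloads/report.pdf"),
    Event("updater.exe", "net_connect", "updates.example.com:443"),
    Event("evil.exe", "net_connect", "198.51.100.7:4444"),      # in the signature DB
    Event("fresh.exe", "net_connect", "198.51.100.7:4444"),     # written after the DB update
    Event("browser.exe", "file_write", "/etc/cron.d/persist"),  # hijacked browser
]


if __name__ == "__main__":
    for ev, (bl, al) in compare(SAMPLE_EVENTS).items():
        print(f"{ev.process:12} {ev.action:12} {ev.target:34} "
              f"blacklist={bl:5} allowlist={al}")
```

The two approaches agree on the old, well-known corruption. They part ways on the sample written after the last signature update and on the legitimate browser that starts writing into a system directory: the blacklist waves both through, the allowlist flags both, and it never needed to know what the attack looked like. The cost is the other side of the coin: the allowlist has to be learned from real usage first, and a legitimate change (the updater writing somewhere new) shows up as a flag until someone adds the rule, which is why the verdict is “flag” and not “block”. It is the same default-deny idea the better firewall policies apply at the network layer, pushed down to what each process is allowed to do.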
The Avengers
Here is a prime example of that “eye of the beholder” analogy. Microsoft, Google, and Netflix (the Internet Avengers) have proposed a standard for copy-protected Web video, DRM, and there is a DRM debate, for, as with its predecessors, DRM shows the difficulty of reconciling open standards with the constraints of the commercial video industry.
Web technologies such as Hypertext Markup Language have progressed rapidly in recent years, and one headline HTML5 feature lets Web pages include streaming video and audio. So far, though, there's no mechanism for digital rights management (DRM), an encryption scheme that lets only authorized players decode the video and audio, in an attempt to deter unauthorized copying. So for now, companies offering video often resort to browser plug-ins, such as Adobe Systems' Flash Player, that support DRM and copy protection. Although Adobe has embraced HTML and related Web standards, some Web technology allies would like to accommodate DRM within HTML video, and they've been spurred by the arrival of TV and video companies into the World Wide Web Consortium, which standardizes HTML. Thus Google, Netflix, and Microsoft published their Encrypted Media Extensions proposal on Tuesday and announced it on a W3C mailing list. (Note that Encrypted Media Extensions is not an encryption scheme of its own: it is an API through which a page hands encrypted media to a content decryption module inside the browser, and that module is where the actual DRM lives.)
Down Goes Frazier, Down Goes Frazier!
Now this is all just, as my old biology professor would say, “free nitrogen”, or crap. In come the products that are the “TiVo’s” of the internet, i.e., a completely legal approach (so the pitch goes), because no copy protection measures are defeated or circumvented. Instead, films are simply played and “photographed” image-for-image, directly from the screen. This is the so-called analog hole: once the player has decrypted the frames for display, the DRM boundary ends at the screen. Such a recorder captures protected WMV and M4V videos as they play, for example, and saves the resulting copies as unprotected video files in formats like WMV, MP4, AVI, 3GP, MKV and H.264.
So, why are Microsoft, Google, and Netflix paying so much to push a standard that will enforce what, exactly? Not anything against video copying, that’s for sure. Why do this? For their own psyche? Will they feel better? Once again, folks, security, like beauty, is in the eye of the beholder, and if you’re really going to cover your digital assets, you’d better sleep with one eye open.
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 20 years of experience in Information Security, wireless broadband, network and infrastructure design, development, and support.
For more information, contact Rick at (800) 333-8394 x 689
Thanks for your input; your ideas, critiques, and suggestions are always welcome...
- Wasabi Roll Staff