The Art of Defense

“To win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.”

Sun Tzu, The Art of War

If I try to punch you and your guard blocks my blow, this guard has demonstrated his value as a defensive agent. If I want to punch you but I punch someone else because there stands next to you a formidable guard, this guard has nothing with which to demonstrate his worth to you. To put this in the macro sense, if everyone in danger of being punched hired the second type of formidable guard to protect them, there would be no more attacks and thus there would be no provable need for the formidable guard’s services.

The advent of e-commerce introduced several potential weaknesses in a large corporation’s stability and security. These stem from the public’s ability to communicate and interact with a large company in previously unimaginable ways. While there may be serious barriers to entry to becoming a major oil drilling company, there are no barriers to entry to causing damage to BP after their oil spill. Suddenly large corporations don’t have to deal with the few media giants that control the bulk of the public’s knowledge to do some damage control; they have to deal with bloggers and celebrities and internet petitions. Now let’s not kid ourselves: the internet often overestimates its own ability to enact social change, and despite its boundless ability to say whatever the hell it wants, a huge percentage of the population still gets the bulk of its information from mainstream media. Whether or not mainstream media is influenced by the internet is outside the scope of this post (if you want to read more there is a fantastic article here, though you may have to register to read the whole thing). The other area where the general public can influence and weaken a large company is in the form of cryptographic attacks.

If you discuss digital security or cryptography at all this month you essentially have to mention the Heartbleed bug. So what is the Heartbleed bug? It’s essentially a flaw in OpenSSL that lets ANYONE get whatever is in the server’s active memory by exploiting a flaw in the TLS “heartbeat request” system. But the question that I’d prefer to ask is, why do we know about it? I don’t mean why does the security community know about it; I mean why does my mother know about it, why is my Facebook wall discussing it, why is it a ubiquitous term? In short, it’s because of a fantastically successful advertising campaign, which demonstrates how much information security businesses rely on hackers to maintain their business. There are of course other reasons for Heartbleed’s infamy, its simplicity for one: very rarely is such a devastating exploit so remarkably simple. And of course the broad effect of the vulnerability makes it very exciting.
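The flaw behind the heartbeat system is a missing bounds check: a heartbeat record carries a declared payload length, and the server echoed that many bytes back without confirming that many bytes had actually been received. The following added example is written for this page (not OpenSSL’s code) and simulates that handler inside a fixed arena so every read stays in bounds; the record layout, the `RECORD_LEN` of 8 bytes, and the “secret” bytes placed after the record are all constructed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed arena: the received heartbeat record sits at the front and
 * unrelated data (standing in for session secrets) sits right after it. */
#define ARENA_SIZE 64
#define RECORD_LEN 8                 /* bytes actually received on the wire */
static uint8_t arena[ARENA_SIZE];

/* Record layout used here: 1 type byte, 2-byte big-endian length, payload. */
static void build_arena(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat_request */
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, "hello", 5);                  /* 5 real payload bytes */
    memcpy(arena + RECORD_LEN, "SECRET-SESSION-KEY", 18); /* adjacent memory */
}

/* Vulnerable shape: trusts the declared length and copies that many bytes.
 * The clamp to out_cap only keeps this toy inside the arena. */
static int reply_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (claimed > out_cap) claimed = (uint16_t)out_cap;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Hardened: the declared length must fit inside the bytes actually received. */
static int reply_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)claimed + 3 > rec_len || claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* 1 if the unchecked reply echoes the adjacent "secret" bytes (claim 40, have 5). */
int unchecked_leaks(void) {
    uint8_t out[ARENA_SIZE];
    build_arena(40);
    int n = reply_unchecked(arena, out, sizeof out);
    return n == 40 && memcmp(out + 5, "SECRET", 6) == 0;
}

/* 1 if the checked reply refuses the same over-long claim. */
int checked_rejects(void) {
    uint8_t out[ARENA_SIZE];
    build_arena(40);
    return reply_checked(arena, RECORD_LEN, out, sizeof out) == -1;
}

/* Number of bytes echoed for an honest claim of 5, i.e. 5. */
int checked_accepts(void) {
    uint8_t out[ARENA_SIZE];
    build_arena(5);
    return reply_checked(arena, RECORD_LEN, out, sizeof out);
}
```

The single comparison in `reply_checked` is the whole mitigation: the length field is attacker-controlled input, while `rec_len` is what the transport actually delivered.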

Aaaannnd I’m not done writing this but I have to go

