Friday, June 7, 2013

NSA overreach: is it actionable, or just random news?

It has been a busy day. The PRISM furor has the popular press in an uproar. I don't find it surprising at all. This sort of thing has a rather long history, and there were indicators that the status remains quo. That doesn't mean that I am unconcerned; once upon a time this sort of thing was made expressly illegal, and secret law is not a path to success in running a representative democracy.

The net effect on my day is that various people are pinging me for either an opinion, or sympathy for their sense of outrage. IOW, I am busy, and it's an interruption. Ask yourself whether this is actionable, in the sense that you should immediately change your behavior or policies. In almost every case, the answer to that question will be no. Write your favorite politician (who are most of the problem, not part of the solution, with notable exceptions), or otherwise do what your conscience demands. But please, do not expect security professionals to be in a white-hot frenzy over this. Unless it's a marketing thing.

Many security practitioners are privacy advocates; it's security on a personal scale, and the same principles apply. Others may see it more from the perspective of a vendor selling tools or services. And some are purely pragmatic, wandering back and forth across that line, as circumstances dictate.

The people being quoted in the media at the moment are not practitioners; they are either managers with a large political bent, or purely politicians. What you are reading is about political agendas. It is of little practical interest to practitioners, because it is not actionable. Anything actionable will come later. Probably months or years from now.

In the meantime, there are more interesting things to think about. PKI is still broken, and possible solutions have been brought forward. Java still hangs heavily around our necks (and I need to write Part 2 of that post), and Adobe Web products are pretty much as bad. The ability of government and industry to share information is still FUBAR, but there are things we can do, today. We have no good handle on the problem of incident response (despite what you may read). We don't even handle code re-use particularly well.

That is the sort of thing that is actionable.

So, back into the trenches of real-world security.
