commentary::internals::blog
The time has come to leave the ACM. So those side-bar links will be going away. I am a security practitioner. I don't regard what I do as primarily about software engineering, or computer science. It touches those fields, as well as statistics, visualization, {systems, network, database} administration, compliance, and much else. But this is mostly about bandwidth, and the ACM does not currently represent an optimal use of an always-scarce resource: time. Staying informed, in the security field, is a hard problem. Just as it is in any other technical field; we are not special snowflakes.
The ACM has annoyed me a few times, and I'll mention a bit of that. But I will not use the current "Let me be clear" phrase. I only need some modest amount of skill in written communications to be clear, not the permission of an audience. If you interpret this post as a rant, I will have failed. Failure sucks, but not as much as failing without knowing it. Comments are welcome, not least because I may have totally missed the boat on this, and insight from someone I have never heard of might completely change my view. The Internet is useful for more than cat pictures.
First off, here is one case (there are others) that the ACM makes. These are notable people, and they are all in favor.
Bryan Cantrill, Vice President of Engineering at Joyent, Ben Fried, Chief Information Officer at Google, and Theo Schlossnagle, Chief Executive Officer at OmniTI, discuss motivations and benefits of joining the Association for Computing Machinery (ACM).
A short watch at 2:45.
I am not familiar with OmniTI, but this is an indication that I should probably fix that. Joyent employs Brendan Gregg, whose performance work will likely enable more practical security work than many realize. And of course everyone knows something, pro or con, about Google.
There are other people whom I respect quite a bit, who have written for Communications of the ACM. I will be linking directly to them in future, and I'll write about exactly why in future posts related to commentary::internals::blog.
So why would I not be renewing my ACM membership? Again, it is all about bandwidth. These people are all CEOs. They have fiduciary responsibilities, hence broader concerns, such as access to well-rounded software developers at going labor rates, media perception, etc. I have only one concern: achieving a security posture commensurate with risk.
Let's take one SIG I belonged to as an example. SIGSAC (Special Interest Group on Security, Audit, and Control). For those of you who might not be familiar with ACM SIGs: perhaps you have heard of SIGGRAPH, the graphics Conference That Got Big. CGI in movies, etc. Huge impact, because Media.
Now, back to security, which has almost no impact, despite all the data loss. Let's look at a couple of papers presented at the fourth edition of the ACM Conference on Data and Application Security and Privacy (CODASPY 2014). These are both interesting papers, in that they might have important near-term implications.
- Automated Black-box Detection of Access Control Vulnerabilities in Web Applications
- KameleonFuzz: Evolutionary Fuzzing for Black-Box XSS Detection
But unless I missed it, which is always possible, neither paper gives a location where you can simply go get the code, and begin experimenting. That seems a bit out of touch with the times, where fuzzing software is commonly described in other fora, and code is readily available. Much like the IETF does business, running code trumps whatever paper you might care to write, if you care to have an impact on the (rather larger) non-academic world.
That is where the people in the security trenches need to play with the code, form conclusions as to whether it is immediately useful, or how soon it might be useful, in terms of stability, performance penalties (nothing is really free-as-in-beer), and think about budgets.
This is the bit that might be perceived as a ranty bit. Again, it is not intended that way.
I have to mention that ACM ships disks of conference papers. I am sure that they regard that as a benefit of membership, but their disks include autorun files. Given the vast history of Windows system compromise via autorun, this is more than somewhat ironic. Particularly in the case of SIGSAC, where baldly stating why there is no autorun, and the lengthy list of system compromises powered by autorun, would be educational. No, research and teaching are not the same thing in academia. But this is just silly; the sooner any benefit provided by autorun vanishes, the sooner security practitioners might actually succeed in getting people to never, ever, enable it. Frankly, there are major dumbass points to be awarded on this one, and I do not thank SIGSAC for making my job harder, and charging me for the privilege.
Another item is that some of the benefits might not be all that one would expect.
- The selection of technical books is much smaller than what is available from the O'Reilly Safari service.
- The Tech Packs are subject to doubt. I submitted extensive flaws in basics, such as broken links, in the Security Tech Pack, and those were repaired. However, nothing was updated. Particularly, there is nothing regarding security economics beyond one very old paper, despite much work done more recently. This is not a membership benefit.