the "more considered" reply...

; feel free to mix and match as you see fit (and sorry for the delay)
I should apologise for any misunderstanding the comments above may have led to, but I stand behind the substance of what was said unhesitantly. You can see an expansion of this thought here:
http://spywarewarrio...pic.php?t=23801 (last post especially). I'll take responsibility for the misunderstanding, given that the response above was hastily thrown together, and attempts to address a very large topic that simply cannot be handled adequately in a paragraph or two in any way that could be called comprehensive, or even adequate. Likewise this is not intended to be comprehensive, but rather, concise.
I am not pointing "fingers of blame" at anyone, or any group, for although there has demonstrably been a failure, I wish instead to draw attention to the catastrophe that followed in the wake of the failure. Well, what does that mean? Assuming you have read the Spyware Warrior post, you now have a flavour of what I am talking about. Though the security community has been made redundant, irrelevant and obsolete by the overarching industry it is part of, the seeds of its failure and catastrophe are to be found within itself. But even this is getting too far ahead.
At its inception, there was a clear choice of two paths the security community could go in its endeavours. Both were oriented toward eventual obsolescence, the only difference being whether it would be short- or long-term, and on its own terms, or someone else's. What does that mean? It acknowledges an inherently evolutionary aspect of development within design that mirrors the trial and error methods employed on an individual basis. The difference between a Duryea and a hybrid seems apropos here. At least, that is how it appears on the surface; were it to be that things were that simple in practice.
At first with the extremely crude hardware available, no thought was given to security at all. A little later, when it became possible to connect computers together, finally security emerged as an issue proper, and yet received scant attention. In fact, the only motivation involved in computing is what it always had ever been: pecuniary. Yet, the fledgling security community failed to take this into consideration at an abstract, philosophical level, emphasizing instead the growing complexity of hardware/software, leading to the belief that it was on the path of long-term obsolescence. The mantra went something like this: "with greater capability within the machine itself, our role in maintenance will dwindle accordingly." Moore's Law meets Murphy's.
In the meantime, opportunists flooded the markets with shoddy merchandise that could at best be described as security nightmares (not to mention a few other choice epithets) that was sold on a promise alone, with no intent to deliver. Oh, the money was made, no doubt about that: money everywhere; the cash cow represented by the Copyright Act of 1978 delivered on its promise abundantly enough. Trouble is that the expectant assessment made by the security community failed to materialise at all, and yet still continued to operate under its seductive spell. Even worse: it developed into a kind of cult religion of sorts with gurus, experts, high priests and curia -- all set against: whom? Well the evil "hacker," of course! Cult against cult: religion and politics are exemplary of such practice, where it only takes a moment's reflection to reveal that these are ever only phenomenal for each-another, outside of which exists an oblivion of nothingness. Could a better milieu exist to obscure what is truly going on? I think not.
All this set the "community" up for a very big fall, some of whom do not even realise what has hit them to this day.
I am going to be very candid with y'all: joining this forum was a watershed for me, and is central to where my thinking has gone, particularly in light of the row that developed shortly after I joined. If I haven't said it before, I am so very deeply sorry for its having happened, but at the same time, if it had to have happened, I am glad to be able to say that a saving grace emerged out of it.
After I got over the shock of just what an arrogant asp I had been, I found myself forced to re-examine -- not only how I would get along with any of you -- but more importantly, and on a much more personal level, how I would get along with those who were paying for my services, my customers. What I found was even more shocking. Where it wasn't altogether lacking, it was exclusive, to the point of being elitist. Why would that be? Is it because they are stupid? No. Is it because I am stupid? No. (Well, maybe... um, probably...). Is it because I learned it from others? Partially: this attitude is evident both in the security and hacker community (et al) -- and very seductive. I wanted something more essential though. What exactly is it about the relationships involved that make for such a horrible rapport? What is the missing element?
The missing element is what it's always been within the computer industry: the end-user, the consumer. They are always the ones getting the shaft, the last ones who are thought about, when they are considered at all. Polling and focus groups notwithstanding, consideration of the customer begins and ends with their money. As such, they become objects and objectified; consequently they lose their humanity, but notice also that the so-called subjectum has lost his as well. I decided to test my hypothesis by rethinking my comportment toward my charges. I tried to include them in decisions where I would have decided before, and to let them know even about trivial matters. This was reflected in the work order, which sometimes ran 2 pages to describe fully what I had just done. Some responded positively, but most were indifferent. I was surprised; I expected a warmer response, but had missed the mark again.
The truth is that people intuitively know what is going on with computers, regardless of what counts for common knowledge about the situation: they know they are getting ripped-off, and are just too baffled by them and frazzled by life to be bothered with it. What keeps this awareness subliminal? The ubiquitous, yet insincere promise of jiggles. Neither do they appreciate being patronised, for that is seen as being in collusion with already established [deceptive] practice. It's too much work to assimilate the technical knowledge to intelligently operate one of these machines. On this, I can find no basis of disagreement, and my complete concurrence is bolstered by an intrinsic authority gained from having the technical background, together with the savvy to think the situation through (hopefully!). There simply is no excuse for having machines, even with today's comparatively meagre state-of-the-art, that aren't as easy to use as an electric can opener -- and as fool-proof.
Trying to draw a parallel to a similar circumstance, I have heard, perhaps too often now, the familiar refrain, that attempts to draw an analogy with the automotive milieu. When I first heard it, it sounded like a good idea, but that was just on the surface, before any serious consideration had been given to the implications and consequences. It goes something like: computer users need to undergo a period of training and subsequent licensing before they can be allowed to use the machines -- just like those who want to operate an automobile. While there are many objections one could raise, it seems to me that they would almost all be ancillary to the essential one, this being that the automotive industry never made any promises that it had no intention of keeping at its inception, while for the computer industry, it is foundational. What I am referring to is of course the pernicious notion, reinforced by popular culture, that computers do things for people, when in fact it is the direct opposite that is true: computers are the most astonishingly stupid machines ever conceived by man. One need only look at man in the wake of computers (together with the muthos that surrounds them) to understand what I am saying.
One would think that this commits me to a contradiction, on one hand saying that computers are "stupid" while on the other insisting that they can be made as easy to use as a can opener is. Computers are stupid; they must be told in infinite detail by their human makers the "what" of their doing (within the constraints of their unique "how"). Herein lies the limitation, as well as the solution. The overall point is that the "fantasy" aspects of marketing automobiles weren't apparent until a fair degree of mastery had already been achieved in important aspects of their design ('50s, '60s) where with computers, it was fantasy and promises from day one.
Many will notice that I seem to harbour a bias precluding software. Actually only part of the bias is aimed at software as such; the remainder is toward those who produce it, together with their oft-arrogant comportment and profit motive. This is about split evenly with the understanding that "software" is a phantasm that we can all live without, and is only supported by our continuing to give the notion unconditioned belief. Incredible thing to say, huh? Well, maybe not, especially if the matter is examined anew. We must ask with sincerity just what "software" is afresh, and be prepared to accept the truth that emerges from our questioning.
Beginning with the question, "what is software?" leads to the question "what is hardware?" and finally to the question, "what is a computer?". A computer is a counting machine: nothing more and nothing less. "Hardware" is a gathering of electronic devices and support items that facilitate the presence of the counting machine physically; it is not yet a computer though. It is not sufficient to its working that it just exist physically (at least as presently designed). Instead, what we call "hardware" is more akin with an empty container. This isn't intended to be a perfect analogy, but suffices to illustrate the dependency hardware has built into it (again, as presently designed) upon externally supplied instructions to carry out its tasks. This is where software comes in, for software is the instruction set.
Now, with this understanding, a designer could be well-armed to re-approach the problems Turing, von Neumann, et al, encountered in their fledgling steps (which we have not got past as yet), and rethink the design of a counting machine from the ground up. Two things are suggested immediately: namely, 1) that the dependency on external instructions could hypothetically be eliminated altogether; and, 2) the dependency could be worked-around by having the hardware generate its own instructions. This is not as far-fetched as it sounds, and indeed is technically feasible today.
Unfortunately there is/will predictably be a monumental resistance to this move as well. The point overall is to finally get beyond the unquestioned assumptions design has taken as canonical heretofore, particularly in regard of Moore's Law, which in truth only has a nominal relationship with the design of computers. The second aspect makes itself apparent by the pernicious notion that hardware is somehow "bad" and needs be "saved" by "clean" software (currently it's called virtualisation). The awful truth is that none of the problems experienced in regard of security can be traced directly to hardware, but then maybe the 10,001st lie will finally result in truth, so it's worth a shot, eh?
When at first this "bigger picture" began to emerge for me in regard of the situation, my reaction to it was an angry one, vis-à-vis the community. One will readily see this in the tone of the Spyware Warrior essay. What seemed like hypocrisy on my part begs to be understood within the context of what had preceded, for it was about a year after the hysteria surrounding the so-called WMF exploit debacle. This singular event, to my mind, signalled the death knell of the security community louder than any possibly could, although the signs were in fact everywhere. The "community's" comportment toward its charges was exposed to full light, and the shadow it cast was extremely broad and sharp. I won't go into the manifold specifics for the sake of brevity; just suffice it to say that for me, the implicit trust the "community" had demanded and received up to that point became questionable: my faith was shattered. I am sure some are thinking of me as an apostate, just reading this.
This is why I am saying, that if there is even to be a relevant, viable, robust and effectual security presence within the industry, it's going to take a fight to get [back] in, and it will have to be based on an approach that is oriented toward consumer advocacy. This means nothing short of taking a lead within the industry to gather standards and provide direction for the design of computer equipment so that the consumer can reasonably expect reliable performance without any investment in technical knowledge whatever. Furthermore, other than peripherals, the machine itself should require no additional outlay of resources, most especially including [what is now called] software. Having to "reinstall the operating system" at all is an abomination. Likewise, it is not unreasonable to assign a target MTBF of 10 years, minimising repair costs. The digressions above should serve as examples of how the security community could be involved in making things better for everyone, as opposed to merely securing... some advantage.
While I share much of the disdain many feel toward the corporate aspect of the industry, we must face the fact that we will never change this except on terms they understand, but at least we will be in a position to influence it through a comportment of advocacy for consumers, rather than one against some imaginary phantasm. As soon as an "us/them" dichotomy is resolved into a "we," then things can get done, for the "we" I refer to is all of us. Left to its own devices (sic), the industry has shown no such tendency, and in fact is not in its financial interest to do so. As it stands now, the path of short-term obsolescence is already trod, and its destination reached. We have failed. To insist otherwise is to deny all the palpable evidence to the contrary.
While I perhaps am less relevant than any of you these days, I am no less to blame, if blame must be cast. I saw the handwriting on the wall, so to speak, 2 years ago, when people became drastically less interested in preventative maintenance, and went back to my first love in computers: digital signal processing. Mostly forensic, I recover, fix and edit pics, sounds and movies now, when health permits. I still remain interested and active in security issues, but only for myself now, having seen that glazed look people adopt when discoursing about these, a few too many times. If there is a call for blame, this would be it, and yes I have contributed more than my share.
As for the anger I formerly felt, having gained some distance has not only given me a perspectival advantage, it has allowed me the freedom to discern a certain levity, albeit post mortem. Along with this, I have been forced to examine my own relation with computers and the net, asking myself the question: how would things change if tomorrow none of it worked? Of course, I don't mean the nuts and bolts of the relation, but the emotive attachment and investment involved; there isn't a single thing that humans do with computers that wasn't somehow accomplished before without them, and yet nevertheless, we all seem to have a certain passion that is central to the relation. From there, the question remains whether I am just deluding myself or not, to say that I could walk away from computers tomorrow, without a qualm.
As for any confusion that may result when I refer to anyone beside myself in discussing this, because of the complexity involved, it may not always be possible to be clear on it from context alone. I am not looking to excuse myself for imprecision, just trying to employ as many shortcuts style allows, for the sake of brevity (this is already long enough). First there is the simple aspect: groups, and the individuals that compose them. Secondly, there is the apparent inconsistency of my insisting an "us/them" dichotomy somehow be resolved into a "we."
Working backward, the seeming inconsistency is resolved by the fact of a commonality that remains despite any moral judgment: we are all consumers. In regard of the former, things definitely get stickier, but I would like to think that I am smarter than to get stuck in the trap. Yes, everyone involved has contributed, but it is the community that failed. The trick here is to discern observation from judgment, and proceed from there, trying to avoid the latter insofar as this is possible. It is more important to be able to describe what has happened so that the mistake is not repeated, than to indulge the emotive aspect, for then, the failure would only be compounded. The only thing I can say with certainty is that those who haven't yet grown out of the binary teevee unworld of good/bad, true/false, yes/no, on/off dichotomies will not "get" anything of what has just been said.
So, what does all this mean for the here & now? What does it mean practically? Well, nothing and everything. Nice, definite reply, huh. We have seen that a definite failure has taken place, compounded by a subsequent disaster. We have seen that everything isn't exactly as it has been portrayed by the parties involved, and that everyone has had a hand to play in the affair. We have seen also that there is at least one way out of the mess, perhaps more, but that it will take courage and thinking to attain this goal.
"Does this mean that all the efforts at remediation and reportage by various boards is all for nought?" Hardly. Remediation, though still necessary, cannot achieve more than just that, but the problem is very much larger than simply infection or its propensity. Likewise, we all have rather an obligation to keep abreast of what vulnerabilities are currently being exploited, that is, until something can be done to prevent this situation from happening in the first place, so reportage is central to this task. In this vein, observe how over the past 2 years or so, every subsystem of Video For Windows was systematically hacked, then when that was complete, it was on to DirectX. That says something more to me than simply a JPG buffer overflow could. How 'bout you? Well the so-called "community" could have been knocked over by a feather so to speak; it was just completely out of the blue. Yeah.
The bottom line is that until the security "community" decides it wants to be a community, we should keep doing what we need to do to survive -- with or without them. I don't see how I could make this any clearer. In the meantime, sit tight: things are already in flux. Those who are smart and want a genuine improvement in the situation will act to see that events unfold in a manner that benefits all -- or all will be lost. I cannot put it any simpler than that.
I want to end by saying that I have rarely happened upon a lovelier group of people on the net than I have here, and am SO honoured to have been welcomed, despite my own stupidity. Moreover, I have incurred a great, unpayable debt to this forum in particular, for all the extremely helpful information and assistance I have received over the months. While the days of implicit trust may be long over as regards the "community" at large (at least for me), I can without doubt or equivocation say this gathering place has more than earned my attention, and will keep it so long as it is mine to give. Thanks for being my friend, and for listening.
john