There’s no hope – I quit

There’s no hope – I quit

5 Comments on There’s no hope – I quit

OK, I am officially depressed.  Here’s Richard Bejtlich’s impression of the state of security after one day at BlackHat:

My overall impression from the first day of briefings can be summarized in this manner.

  • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, “properly configured,” not running Javascript, or adopting any number of other current defensive stratgies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.
  • Detecting current attacks in “real time” is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by “rich Internet applications” and frameworks. I realized that the “rich” in “RIA” refers to the money intruders will make by exploiting Web clients.
  • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it’s time to face the truth. There is no way to get “ahead of the threat” here.

Holy crap.  What in world am I doing then?  I guess making money off some poor, ignorant bastards who have no idea that every effort we are making is totally useless.  Well, I guess in order to maintain my integrity, I should just quit.



About the author:

My name is Michael Farnum. I am a Practice Principal at HP Fortify on Demand. I live in Tomball, Texas. I have been in the IT and InfoSec field since 1994. I am the founder and chairperson of HouSecCon, THE Houston Information Security Conference. These are MY words, not my employer's or anyone else's.


  1. Scott Wright  - August 24, 2007 - 10:44 pm

    I think the comments posted so far should be enough justification that hope is not lost. But I also think that it’s not always about technology. We look at technologies that are supposed to do prevention or detection or reporting and see that they don’t always work. In fact, if they aren’t used properly they may not work well most of the time.

    In the end, if the bad guys are winning, I think it’s because we have too much value we are trying to protect with the wrong methods. Vendors try to suck every last dollar they can out of clients, and leave no budget for the rest of the security layers, particularly the human element.

    Harsh comment? Yes, but I was a product manager for many years, and it happens all the time. Isn’t the first thing in the sales guy’s prospect qualification checklist “How much budget does the client have?” Nobody stops to ask if that budget has been properly allocated. They just aim to use it up (maybe with enough professional services and support to make that one technology work as it should).

    Yes, we should be trying to counter attack technologies with new preventative technologies. But we will rarely be in equilibrium with them.

    My two cents.

  2. Kees's blog  - August 8, 2007 - 8:08 am

    Michael Farnum quits……

    Michael Farnum wrote a post on his blog, in which he referred to another post that said: Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if……

  3. LonerVamp  - August 6, 2007 - 3:52 pm

    Let’s see some other viewpoints. I’ve long known these facts, and quite happily accept them. If we could win, then does that not mean we’ll all be out of a job once we automate what we do, and wouldn’t that fly in the face of some of the absolute tenets we hold, such as security is not a state…and you WILL be owned someday? (And we can add the tenet that technology will always precede security, therefore new technologies will be insecure until we can catch up; read: web 2.0.)

    You’re right, we may not be able to stop them, but we’re not useless unless you are looking on a global level (and let’s face it, there is no police or policing force in the world that looks at that level and thinks they can prevent everything). If we can avoid risk enough to ensure our companies or even our interests, we’ve provided a lot of value. If we get owned by low-hanging fruit and garden-vareity exploits, yes, we’re f***ed.

    We can also take heart that what comes out of defcon and black hat can sometimes be called highly skilled, exotic attacks that are simply not widely accessible or even understand by very many people. There are always exceptions, such as Graham/Maynor’s tools Ferret/Hamster which speeds things up a LOT. But that tool-pair is still only leveraging known issues.

    Besides, we’re puzzle-solvers, in this field. And would we be very happy if we solved our puzzles fully? Hell no. :)

    So, don’t quit just yet. There’s plenty to be had before retirement! 😉

  4. Rob Lewis  - August 4, 2007 - 11:01 pm

    Well it takes a real man to admit it anyway Michael. In many people’s books, that still makes you a security samurai.

  5. Rob Newby  - August 4, 2007 - 12:47 pm

    Sheesh indeed. Bejtlich says it, so we should all just give up.

    The guru’s missed the point however: “it is simply not possible to prevent the attacks I saw at Black Hat”, yep Richard, that’s the point of Black Hat. Now we are all aware of them, perhaps we can go and sort them out instead of running around yelling “the sky’s falling in!”

    Just because he grew legs before we climbed out of the sea, doesn’t mean we’re all so far evolved. I’m getting sick of gurus and other geniuses.

    And here’s me thinking Security was about awareness.

Back to Top