Thursday, April 21, 2011

essential FUD

upon reading mike rothman's recent post on categorizing FUD i was struck with a rather surprising realization. not only has the much reviled APT suffered semantic dilution, but apparently so has the seemingly simple concept of FUD.

i say semantic dilution rather than semantic drift because, rather than taking on a new meaning, the apparent elimination of uncertainty and doubt from mike's description means that it's 2/3rds of the way to having no meaning at all. it seems that anything invoking fear is now some kind of FUD - but can that be true? are fear and FUD interchangeable? do we want to make them interchangeable? wouldn't we really only be saving a single keystroke in the process?

i don't agree with mike's characterization of FUD (which seems only fitting as mike doesn't agree with much i say). although i have tried to define FUD before, i've never gone into enough depth that it would contradict interpretations like mike's. that changes today.

if there is one part of fear, uncertainty, and doubt that could clear this all up if it weren't so often completely overlooked - one word that held a surprising amount of meaning - it would be:

AND

it's not fear, uncertainty, OR doubt, boys and girls, it's AND. we're talking about the intersection of the three, not the union. no single one of fear, uncertainty, or doubt qualifies as FUD on it's own. FUD requires the presence of all three. fear is only part of it. i'm tempted to say fear is only the beginning, but that's not true, something as yet unmentioned is the beginning and fear, uncertainty, and doubt are the consequences.

what's going on behind the scenes with FUD, what makes it such a bad thing beyond the simple fact that it's used as a manipulation, is that it introduces an inaccurate mental model that competes with superior ones and the results are rather insidious. mental models inform our actions. they allow us to predict outcomes and consequently allow us to make plans designed to control outcomes in our favour. they are a tool which allows us to effectively formulate strategies for satisfying our basic human needs.

unfortunately, mental models are never 100% complete. there are always holes, always missing pieces and weak points. these are what FUD models exploit in order to compete with existing mental models. obviously if someone's mental model is more complete and internally consistent they are less susceptible to FUD because they "know better" than to fall for it, but unfortunately many people have mental models that are largely incomplete so a FUD mental model has a good chance of taking hold and effectively competing with the model the person had.

that competition is a problem. it causes a person to be confused, to question what they thought they knew. this is the uncertainty - the U in FUD. subsequent to that a person would then logically start to distrust the sources that had informed them and helped them form their previous mental model. this makes it difficult for those or similar/consistent sources to fill in blanks in the original mental model and thus interferes with a person's ability to build a better mental model. this is the doubt - the D in FUD. finally comes the logical conclusion that if what one thought one knew was wrong then the steps one took based on that knowledge could also be wrong. the consequence of that being that the person is no longer prepared or capable of handling something they needed to handle and the emotional reaction to that is fear - the F in FUD.

recapping then, a more in-depth account of FUD is that it is a communicated inaccurate mental model that causes:
  • uncertainty about what you know
  • doubt in those whom you learned from or could learn from in the future
  • fear that you're no longer going to be able to satisfy some need that you have
it should be noted that that same fear can result when you fill in some of the blanks of an incomplete mental model. what differentiates that from FUD, however, is that although fear can result in the short term, there's no uncertainty or doubt. building a better, more complete mental model results in a person being better able develop strategies to satisfy their needs in the long run and is thus beneficial, as compared with FUD which stymies a person's ability to develop effective strategies.

now the argument could be made that mike himself was spreading FUD about FUD (meta-FUD). a model of FUD that seemingly allowed for anything involving fear to be called FUD would certainly make people uncertain about what they previously knew about FUD and doubt the people that had previously informed their opinions about FUD. and since mike also opened the door for the possibility of good FUD and suggested that FUD was more widespread than one would have otherwise thought (as a consequence of dropping 2/3rd's of the requirements), there would certainly be room for people to be concerned that they no longer knew how to navigate the sea of FUD mike was depicting and thus be afraid of getting duped.

on the other hand, however, the argument could also be made that mike's model of FUD is simply incomplete (seemingly missing uncertainty and doubt) and that what might appear to be meta-FUD is actually inaccurate conclusions drawn as a result of missing pieces of that model.

i'm not going to accuse mike of spreading meta-FUD, primarily because i feel accusations of FUD spreading should be reserved for those who should know better than to believe the model they're communicating. those spreading inaccurate or inferior mental models unwittingly should certainly be notified, however.

Tuesday, April 12, 2011

it's not a detection rate

(this has been stewing for a little while now)

look, i realize that virustotal performs a series of detection tests in order to get it's results. i also know that it expresses those results as something that looks a lot like a rate. but as much as you may want to, as much intuitive sense as it may make, don't mistake those results for a detection rate.

first, let's deal with the elephant in the room. in the anti-malware world, the term "detection rate" has already been used for something else. traditionally a detection rate is arrived at by testing an anti-malware product against many malware samples in order to see how good the product is at detecting malware. this is what detection rate has meant for somewhere on the order of two decades, and it bares little relation to what virustotal does.

the inverse of that method, to test a single sample against many anti-malware products in order to see how bad anti-malware technology is, is in theory similar to what virustotal does but it differs in two very important ways:
  1. the purpose of virustotal's test is to give the user an indication of whether the submitted sample is likely to be malware rather than to determine how bad anti-malware technology is
  2. the way virustotal uses anti-malware products in it's testing does not lend itself to an accurate determination of whether a particular product can detect a particular sample (as i've discussed over and over again, and as hispasec themselves mention)
i mulled over the idea that even though it's not a detection rate, and it's not even an inverse detection rate, maybe it could at least represent the lower bound of an inverse detection rate since the most obvious methodological problems (if we were trying to interpret virustotal results the way some people seem to want) would lead to detection capabilities being under-reported. even if it could be called that, however, an inverse detection rate lower bound is so abstract that there's little benefit in using the term with the general population.

i'm tempted to suggest people just call the results a score, but when you compare "virustotal results" with "virustotal score" you realize you're not really saving much more than 2 keystrokes by using that term. there's no intuitive meaning to be had in either of them. it seems the kind of intuitive meaning that people hope to convey by calling it a detection rate simply can't be had.

as such, whether you're an recognized and well regarded expert like dancho danchev who explicitly calls it a detection rate, or brian krebs who tries to infer meaning about anti-malware technology by looking at the results, or even if you just someone who relies on such experts for their accurate analyses and informed opinions - remember that virustotal is for testing samples not anti-malware products. don't try to infer meaning from virustotal test results about something virustotal isn't meant to test. you will most likely fail.

Wednesday, April 06, 2011

why the epsilon breach shouldn't be an issue

the epsilon breach (where an email marketing company that does business with a veritable who's who of big name corporate brands and financial institutions lost the names and email addresses of the customers of those companies) seems to be on everyone's mind recently, and to tell the truth i find that kind of strange.

it's not as though i'm under any illusion about it not being able to affect me. a colleague of mine at work got a notification about the breach affecting him so while i haven't received one yet myself, the possibility of receiving one certainly exists. yet i find myself completely unconcerned about the possibility. why? because i took steps to protect myself proactively (steps my colleague knew he should have taken such that now wishes he'd been more vigilant).

i have been using disposable email addresses since the fall of 2004. with them i've managed to keep any email accounts i created after that point completely spam free for the past 6 1/2 years, i've come up with a sender authentication protocol to foil phishing, and as it happens i've recovered from email breaches in the past in mere moments.

and that's the reason a breach like epsilon is a non-issue to me. not only is it old hat, recovering is as simple as logging into the disposable email provider and clicking disable or delete (depending on the provider) for each compromised address, and then going on about the rest of your day.

it's dead simple to recover from the breach of something when that something happens to be disposable - you simply dispose of it. what i don't understand is, why aren't more people and especially more security practitioners doing the same thing? why hand out your real personal contact information like candy on halloween if you don't have to (and believe me, you don't have to)?  even if you decide you still want to do business with these companies who saw fit to hand your contact information over to a marketing company (hey, you're already their customer, why do they need to keep trying so hard to sell to you), it's a heck of a lot easier to make a replacement disposable email address than it is to make a replacement real email address. just a couple of clicks and some random typing (or just mash keys if you prefer); no captcha, no verifcation, no profile info, you filled that all out when you created an account at the disposable email provider in the first place.

cory doctorow gave a short talk about kids and privacy and he mentioned that they're being trained to not value their privacy, in part by over protective parents who prevent them from learning how to protect themselves. i don't think kids are the only ones who've been so trained. one of the most regrettable schools of thought that i've seen displayed from users all the way up to security pros is the one that says 'they are (or are supposed to be) protecting me'. there is a profound absence of self-reliance in favour of letting protection be the responsibility of someone else.

most people wouldn't hand their phone number out to every tom, dick, or harry they meet on the street, but when it comes to email addresses somehow people think the rules are different. they trust everyone who asks for it and expect everyone to protect it for them instead of protecting it themselves. this is an absurd position to take, but authorities (ie. people who are supposed to know better) have groomed the masses to systematically take just that position when it comes to anything that has to do with online protection.

i'm not holding my breath but, considering the scope of the epsilon breach, maybe some people will start to think
well if you're going to protect me from the bad guys, who's going to protect me from you?
i know, i'm probably being too optimistic, but surely some people out there will see this incident and realize how truly pervasive the mishandling of personal information is by the people we entrust it to. dozens of companies handed that data over to one completely unnecessary entity which then became a single point of failure, and because most people weren't protecting themselves from those companies (either their intentional bad acts or their ineptitude) many people are now at much greater risk of falling victim to targeted phishing and other related attacks.

a clever reader would probably realize that entrusting your real email address to a disposable email provider is still expecting that provider to protect it for you. the thing is, instead of trusting many entities with your data, under this model you're only trusting one. you also don't have to trust them with the same address you use for personal correspondence (which would be the hardest kind of address to change); i certainly don't.