Thursday, July 24, 2008

Are we Outrunning the Bear?

Or wasting our time trying?

Amrit's latest post has me thinking about what's been one of our brew pub round table topics lately.

There is an old joke about the hikers who cross paths with a grizzly bear. The first hiker immediately takes off his hiking boots and puts on his running shoes.

The second hiker: “Why are you doing that? You can’t outrun the bear.”

First hiker: “I don’t need to outrun the bear; I only need to outrun you.”

In a sense, if hacking today is focused on profit rather than challenge or ego, as perhaps it once was, then the miscreants will likely follow the least cost or least resistance path to their goal (marketable data, marketable botnets). If that is true, our goal needs to be to outrun the other hikers, not the bear.

Fortunately there appears to be a limitless supply of slow hikers (clueless developers, sysadmins, security people and their leadership, or more likely - competent developers, sysadmins and security people led astray by clueless leadership).

We need to focus on outrunning them, not the bear.


  1. I think this resembles the old saying: In the land of the blind, the one-eyed man is king.

    In other words, you don't have to have the whole package as long as you have more than your competition.

    - Unomi -

  2. I'm also reminded of the axiom that the amount of protection should be justified by what's being protected. Grandma's recipes don't need quantum encryption (if it works right).

    In terms of outrunning the other hikers, my only concern is that there are a LOT of bears out there, and some of them are mechanical. Or zombies.

    And if zombie robot bears don't scare you, then I don't know what would.

  3. One problem with the bear parable is that not all hikers are created alike. The bear may chase a fast but big and tasty hiker even if the scrawny unappetizing hiker is easier to catch. It doesn't do Microsoft much good to be faster than Joe's Bar & Auto Lube, because the targets aren't equally attractive.

    Another problem with the bear analogy is that my security depends partly on how well other people secure their systems. Botnets, phishing sites, and worms work partly because lots of other people have crummy security. To extend the analogy, the bear chasing us is a vampire bear: once it catches someone, it turns that person into another vampire bear. Being faster than the other hiker just means you'll soon have to outrun two vampire bears instead of one.

    In security, I think it's better if everyone is faster than the bear.

  4. I'd agree that it would be better if all the hikers were faster than the bear, but they are not, and probably never will be.

    I'm thinking of another analogy, this time with an addict and a $20 fix. The addict needs the money for a fix and plans a grocery store robbery to obtain the fix. On the way to the planned robbery, the addict sees $20 on the sidewalk. What will the addict do?

    The bear only runs fast enough to catch a suitable hiker, and then, upon having caught the hiker, is distracted by the catch sufficiently that the other hikers can trot along quite merrily, until of course the next bear comes along.

    With automated (zombie) attacks, there are many bears, true enough, but because the attacks are zombied, they are also predictable (after a few successful attacks).

    In the particular case of vampire bears, a successful defense against one will prove to be a successful defense against all vampire bears of the same species. So it really is a single threat.