Operations
3/10/2016
11:30 AM
Adam Shostack

Security Lessons From “The Gluten Lie”

How faith healers and security vendors have learned what lies work.

I was going to talk about security lessons from my stockbroker this week, but I’ve recently read a wonderful little book called The Gluten Lie, and I’d like to talk about how its lessons can be applied to security. The Gluten Lie is by James Madison University assistant professor Alan Levinovitz. With a title like that, you might expect him to be a professor of nutrition or public health, but he is a professor of comparative religion who noticed that the stories people tell about nutrition have structural similarities, in the same way that many cultures have stories of a world-altering flood.

What Levinovitz describes is a set of myths that recur across food scares (gluten, MSG, salt, sugar). He points out how we discuss foods as “good” or “bad,” rather than “nutritious” or “hard to digest,” conflating morality with science, so that we ourselves become good or bad for eating them. He points out how some foods, real foods eaten for thousands of years, start being called a poison; how each fad is compared to the diet of the ancients; how studies are misconstrued and misrepresented.

It’s worth saying that he acknowledges that celiac is a real disease, and I have friends who suffer from celiac and from Crohn’s disease. But for most people gluten is not harmful at all, and sales of expensive gluten-free foods far exceed the rise in diagnoses of both diseases. Levinovitz also talks about the abuse of science, and about some of the quite harmful diet fads that have resulted from these misunderstandings (such as the banana diet).

Levinovitz also discusses how the torrent of stories about harmful foods leads to anxiety, contributes to people committing to impossible diets, and how that may play a role in eating disorders like anorexia and bulimia.

All of these things make sense. If you eat fat, you’ll get fat, right? Wrong. It turns out that it’s way more complex than that. And also way simpler: if you regularly eat fewer calories than you use, you’ll lose weight. If your eating is unsustainable or tied up in self-perception issues, then you might gorge when you go off your diet. I’m sure that there are readers who, having cut gluten from their diet, feel better in a variety of ways. In order to cut gluten, they probably have to be more conscientious about what they eat, which may, just may, be a factor.

So what are we in infosec to learn?

First, the fads of fear do not help us. Folks are going to use the internet, and telling them not to because they can’t come up with a password-hint methodology to protect the passwords inside their password manager doesn’t help them.

Second, moralization doesn’t help us. It sure plays into several narratives to claim that porn sites will give you a virus, but there’s also (disputable) evidence that church web sites are worse. The moralizing sure is fun, and probably the research, too. But in this world of fear and moralization, we create a situation in which people feel guilt for not following security advice.

I’ve heard people say things like “this is probably my fault, but my account is sending spam. What do I do?” Wait! How, young man, is that your fault? Why didn’t your email provider secure the login? Why didn’t someone notice you logging in from across the world 15 minutes after your last access in New York, from a computer configured in Kyrgyz? Why didn’t anyone notice you sending a one-line email to hundreds of people you haven’t spoken to in ages? (There are, by the way, probably answers to each of these, but we’re space constrained.)
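The three signals in that paragraph (a login physically too far from the last one for the time elapsed, a client locale that does not match the account's history, and a short message blasted to many never-contacted addresses) are the sort of checks a provider can run on its own logs. The following is an added example, not code from the article or from any provider; the events, thresholds, coordinates and addresses are all constructed for illustration.

```python
"""Three account-takeover signals checked over constructed login and mail events.

Added example, not from the article. Every threshold below is an assumed value
chosen for the demonstration, not a figure from any product or study.
"""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed: roughly airliner speed; faster means two actors or a proxy
MASS_MAIL_THRESHOLD = 100         # assumed: never-contacted recipients in a single message
SHORT_BODY_CHARS = 200            # assumed: what counts as a "one line" message


@dataclass
class LoginEvent:
    user: str
    when: datetime
    lat: float
    lon: float
    locale: str  # client-reported locale, e.g. "en-US"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def check_login(prev: LoginEvent, cur: LoginEvent, usual_locale: str) -> list[str]:
    """Flag impossible travel and locale drift between two successive logins."""
    findings = []
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    # Small moves are ignored: geo-IP is coarse and carrier NAT shifts a user around.
    if km > 100 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
        findings.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
    if cur.locale != usual_locale:
        findings.append(f"locale changed: {usual_locale} -> {cur.locale}")
    return findings


def check_outbound_mail(recipients: list[str], past_contacts: set[str], body: str) -> list[str]:
    """Flag a short message sent to many addresses the user has never written to before."""
    cold = [r for r in recipients if r not in past_contacts]
    if len(cold) >= MASS_MAIL_THRESHOLD and len(body) <= SHORT_BODY_CHARS:
        return [f"mass mail: {len(cold)} never-contacted recipients, {len(body)}-char body"]
    return []


# Constructed sample: a New York login, then Bishkek 15 minutes later from a
# Kyrgyz-configured client, followed by a one-line message to 150 strangers.
NY = LoginEvent("alice", datetime(2016, 3, 10, 12, 0), 40.7128, -74.0060, "en-US")
BISHKEK = LoginEvent("alice", datetime(2016, 3, 10, 12, 15), 42.8746, 74.5698, "ky-KG")
PAST_CONTACTS = {"bob@example.com", "carol@example.com"}
BLAST = [f"user{i}@example.net" for i in range(150)] + ["bob@example.com"]


def run_sample() -> list[str]:
    """Run all three checks over the constructed events and return the findings."""
    findings = check_login(NY, BISHKEK, usual_locale="en-US")
    findings += check_outbound_mail(BLAST, PAST_CONTACTS, "check this out")
    return findings


if __name__ == "__main__":
    for finding in run_sample():
        print("ALERT:", finding)
```

The distance threshold and the speed ceiling are deliberately loose so that ordinary commuting, VPN exits in a neighbouring city, or a laptop that sleeps for a day never fire; the point is that each of these three checks needs only data the provider already holds, which is what makes "it's probably my fault" the wrong conclusion for the user to reach.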

Third, the advice we hit people with is overwhelming and contradictory. In a world of anxiety, feeding people the wrong advice makes them long for a simple story. A morality play.

And what’s the takeaway?

First, drop the morality play.  No one likes being lectured, and it doesn’t help.

Second, drop the fear-based marketing. Of course, this is hard. It’s popular because it works. This morning on the radio, I heard an ad with words like “reminding consumers that insecure WiFi can leak information to the internet, resulting in identity theft.” My editor tells me if I can’t say anything nice, I should go say it on Twitter. But we have to try marketing that’s more direct, simple and respectful of the audience.

Third, let’s get clear about what our products really do and do not do. Attacks rarely actually sink a business. Your product doesn’t stop real APTs (there is no try, as Yoda taught us). Real APTs include multiple 0-days in their air-gap jumping code. Real APTs re-write the firmware on your hard drive to hide their malware and survive a re-install.

Lastly, use your common sense. Listen with a critical ear in all aspects of life. And perhaps you’d enjoy reading The Gluten Lie.


Adam is an entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently building his fifth startup, focused on improving security effectiveness, and mentors startups as a ...
Comments
Dark_Hatter (User Rank: Apprentice), 3/14/2016 9:17:17 AM
Re: Gartner study
Correlation does not prove causation
stevew928 (User Rank: Strategist), 3/12/2016 9:17:41 PM
Common sense???
Wow, I'm not really sure where to start on this. While I agree that system security should be better, we're also living in reality here. And, I'm going to be recommending a password manager, not holding my breath for the industry to get their act together.

But, I guess I've also got a few bits of advice for you:

1) Pay more attention to the real world (i.e., science) instead of The Science.™

2) Don't pay much attention to comparative religion profs. (whether they are writing about religion or gluten)

3) Starting with a clever angle or story doesn't help much if you don't know how to tie it together. Your article should have been about a paragraph long, and probably best to stick to things you know something about.
adamshostack (User Rank: Apprentice), 3/10/2016 8:17:44 PM
Re: Gartner study
Thanks Joe!

I do not know the study, but I absolutely dispute the claim. Go for example to www.privacyrights.org/  data-breach  slash new, select 2013 and unselect gov/edu/non-profit and medical (those seem less likely to go out of business). (DR blocks all URLs in comments, sorry!)

I see Aaron Brothers (still around), etrade (still around), The Shelburne Country Store (still around), nomorerack.com (now Choxi.com), "Various taxi cab companies in Chicago" (don't know how to reasonably evaluate that, especially in light of Uber), Sears (still around), Zevin Asset Management (still around). I am now bored, because out of 7, I have one I don't know and 6 "still around."
Joe Stanganelli (User Rank: Ninja), 3/10/2016 8:08:44 PM
Gartner study
Re: "Attacks rarely actually sink a business."

Adam, what of the oft-quoted stat from Gartner a couple years back indicating that the majority of businesses to suffer a data loss went out of business within two years?  Has there been an update?  Or do you dispute the methodology of the study?