Dark Reading is part of the Informa Tech Division of Informa PLC


Operations | Commentary
3/10/2016 11:30 AM
Adam Shostack

Security Lessons From The Gluten Lie

How faith healers and security vendors have learned what lies work.

I was going to talk about security lessons from my stockbroker this week, but I’ve recently read a wonderful little book called The Gluten Lie, and I’d like to talk about how its lessons can be applied to security. The Gluten Lie is by James Madison University assistant professor Alan Levinovitz. With a title like that, you might expect him to be a professor of nutrition or public health, but he is a professor of comparative religion who noticed that the stories people tell about nutrition have structural similarities, in the same way that many cultures have stories of a world-altering flood.

What Levinovitz describes is a set of myths that recur across food scares (gluten, MSG, salt, sugar). He points out how we discuss foods as “good” or “bad” rather than “nutritious” or “hard to digest,” conflating morality with science, so that we become good or bad people for eating them. He points out how some foods, actual foods eaten for thousands of years, start being called poison; how each new diet is compared to the diet of the ancients; and how studies are misconstrued and misrepresented.

It’s worth saying that he acknowledges that celiac disease is real, and I have friends who suffer from celiac and from Crohn’s disease. But for most people gluten is not harmful at all, and the sales of expensive gluten-free foods far exceed the rise in diagnoses of both diseases. Levinovitz also talks about the abuse of science, and about some of the quite harmful diet fads that have resulted from these misunderstandings (such as the banana diet).

Levinovitz also discusses how the torrent of stories about harmful foods leads to anxiety, contributes to people committing to impossible diets, and how that may play a role in eating disorders like anorexia and bulimia.

All of these things make sense. If you eat fat, you’ll get fat, right? Wrong. It turns out that it’s way more complex than that. And also way simpler. If you regularly eat fewer calories than you use, you’ll lose weight. If your eating is unsustainable or tied up in self-perception issues, then you might gorge when you go off your diet. I’m sure there are readers who, having cut gluten from their diet, feel better in a variety of ways. In order to cut gluten, they probably have to be more conscientious about what they eat, which may, just may, be a factor.

So what are we in infosec to learn?

First, the fads of fear do not help us. Folks are going to use the internet, and telling them not to because they can’t come up with a password-hint scheme to protect the passwords inside their password manager doesn’t help them.

Second, moralization doesn’t help us. It sure plays into several narratives to claim that porn sites will give you a virus, but there’s also (disputable) evidence that church websites are worse. The moralizing sure is fun, and probably the research, too. But in this world of fear and moralization, we create a situation in which people feel guilt for not following security advice.

I’ve heard people say things like “this is probably my fault, but my account is sending spam. What do I do?” Wait! How, young man, is that your fault? Why didn’t your email provider secure the login? Why didn’t someone notice you logging in from across the world 15 minutes after your last access in New York, from a computer configured for Kyrgyzstan? Why didn’t anyone notice you sending a one-line email to hundreds of people you haven’t spoken to in ages? (There are, by the way, probably answers to each of these, but we’re space constrained.)
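The three signals in that paragraph (a login that would require faster-than-aircraft travel since the previous one, a client locale the account has never used, and a one-line message blasted to contacts the user has not written to in months) are exactly the kind of checks a mail provider can run over its own logs. What follows is an added example of that detection logic, not code from the article or from any provider; the thresholds (1,000 km/h as the fastest plausible door-to-door speed, 180 days as “ages,” 50 recipients with 80% of them stale) and the login and recipient data are my own constructed assumptions, and a real deployment would tune them against its own base rates.

```python
"""Account-takeover signals replayed over constructed login and mail data (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: no customer moves faster than ~1000 km/h door to door


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime      # timezone-aware timestamp of the successful login
    lat: float        # geolocation of the client IP
    lon: float
    locale: str       # client locale as reported by the browser/OS, e.g. "en-US", "ky-KG"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev, cur):
    """Speed the user would have needed to travel between two consecutive logins."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def login_alerts(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Replay logins in time order; return (user, reason, detail) tuples.

    Raises "impossible_travel" when the implied speed exceeds max_kmh and
    "new_locale" when the client locale has never been seen for that user.
    """
    alerts = []
    last = {}           # user -> most recent Login
    locales_seen = {}   # user -> set of locales observed so far
    for cur in sorted(logins, key=lambda l: l.ts):
        prev = last.get(cur.user)
        if prev is not None:
            kmh = required_speed_kmh(prev, cur)
            if kmh > max_kmh:
                alerts.append((cur.user, "impossible_travel", round(kmh)))
        seen = locales_seen.setdefault(cur.user, set())
        if seen and cur.locale not in seen:
            alerts.append((cur.user, "new_locale", cur.locale))
        seen.add(cur.locale)
        last[cur.user] = cur
    return alerts


def stale_fanout(recipients, body, last_contact, now,
                 min_recipients=50, stale_after=timedelta(days=180),
                 max_body_lines=1, stale_fraction=0.8):
    """True when a very short message goes to many recipients the user has not written to lately.

    last_contact maps address -> datetime of the user's last outbound mail to it;
    an address missing from the map has never been written to.
    """
    if len(recipients) < min_recipients:
        return False
    if len([ln for ln in body.splitlines() if ln.strip()]) > max_body_lines:
        return False
    stale = [r for r in recipients
             if r not in last_contact or now - last_contact[r] > stale_after]
    return len(stale) / len(recipients) >= stale_fraction


# Constructed sample data, not real logs: alice logs in from New York, then from
# Bishkek 15 minutes later with a Kyrgyz locale; bob goes New York -> Boston in 5 hours.
T0 = datetime(2016, 3, 10, 14, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, 40.71, -74.01, "en-US"),
    Login("alice", T0 + timedelta(minutes=15), 42.87, 74.59, "ky-KG"),
    Login("bob", T0, 40.71, -74.01, "en-US"),
    Login("bob", T0 + timedelta(hours=5), 42.36, -71.06, "en-US"),
]
# 120 recipients, only 5 of whom alice has written to in the last week.
SAMPLE_RECIPIENTS = [f"contact{i}@example.com" for i in range(120)]
SAMPLE_LAST_CONTACT = {f"contact{i}@example.com": T0 - timedelta(days=3) for i in range(5)}
SAMPLE_BODY = "check this out http://example.invalid/offer"

if __name__ == "__main__":
    for alert in login_alerts(SAMPLE_LOGINS):
        print(alert)
    print("stale fan-out:", stale_fanout(SAMPLE_RECIPIENTS, SAMPLE_BODY, SAMPLE_LAST_CONTACT, T0))
```

Run as written, alice trips both the impossible-travel check (roughly 10,200 km in a quarter hour) and the new-locale check, bob trips neither, and the 120-recipient one-liner is flagged because 115 of its recipients are stale. The speed threshold deliberately sits above airliner cruise speed so that a real red-eye flight does not page anyone; the fan-out check keys on recipient staleness rather than raw count so that a legitimate newsletter to a regularly used list passes.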

Third, the advice we hit people with is overwhelming and contradictory. In a world of anxiety, feeding people the wrong advice makes them long for a simple story. A morality play.

And what’s the takeaway?

First, drop the morality play.  No one likes being lectured, and it doesn’t help.

Second, drop the fear-based marketing. Of course, this is hard. It’s popular because it works. This morning on the radio, I heard an ad using words like “reminding consumers that insecure WiFi can leak information to the internet, resulting in identity theft.” My editor tells me that if I can’t say anything nice, I should go say it on Twitter. But we have to try marketing that’s more direct, simple and respectful of the audience.

Third, let’s get clear about what our products really do and do not do. Attacks rarely actually sink a business. Your product doesn’t stop real APTs (there is no try, as Yoda taught us). Real APTs include multiple 0-days in their air-gap-jumping code. Real APTs rewrite the firmware on your hard drive to hide their malware and survive a reinstall.

Lastly, use your common sense. Listen with a critical ear in all aspects of life. And perhaps you’d enjoy reading The Gluten Lie.


Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ... View Full Bio
Comments
Dark_Hatter, User Rank: Apprentice
3/14/2016 | 9:17:17 AM
Re: Gartner study
Correlation does not prove causation.
stevew928, User Rank: Strategist
3/12/2016 | 9:17:41 PM
Common sense???
Wow, I'm not really sure where to start on this. While I agree that system security should be better, we're also living in reality here. And, I'm going to be recommending a password manager, not holding my breath for the industry to get their act together.

But, I guess I've also got a few bits of advice for you:

1) Pay more attention to the real world (i.e., science) instead of The Science.™

2) Don't pay much attention to comparative religion profs. (whether they are writing about religion or gluten)

3) Starting with a clever angle or story doesn't help much if you don't know how to tie it together. Your article should have been about a paragraph long, and probably best to stick to things you know something about.
adamshostack, User Rank: Apprentice
3/10/2016 | 8:17:44 PM
Re: Gartner study
Thanks Joe!

I do not know the study, but I absolutely dispute the claim. Go, for example, to www.privacyrights.org/ data-breach slash new, select 2013, and unselect gov/edu/non-profit and medical (those seem less likely to go out of business). (DR blocks all URLs in comments, sorry!)

I see Aaron Brothers (still around), etrade (still around), The Shelburne Country Store (still around), nomorerack.com (now Choxi.com), "Various taxi cab companies in Chicago" (don't know how to reasonably evaluate that, especially in light of Uber), Sears (still around), Zevin Asset Management (still around). I am now bored, because out of 7, I have one I don't know and 6 "still around."
Joe Stanganelli, User Rank: Ninja
3/10/2016 | 8:08:44 PM
Gartner study
Re: "Attacks rarely actually sink a business."

Adam, what of the oft-quoted stat from Gartner a couple years back indicating that the majority of businesses to suffer a data loss went out of business within two years?  Has there been an update?  Or do you dispute the methodology of the study?