3/10/2016
11:30 AM
Adam Shostack
Commentary

Security Lessons From “The Gluten Lie”

How faith healers and security vendors have learned what lies work.

I was going to talk about security lessons from my stockbroker this week, but I’ve recently read a wonderful little book called The Gluten Lie, and I’d like to talk about how its lessons can be applied to security. The Gluten Lie is by James Madison University assistant professor Alan Levinovitz. With a title like that, you might expect him to be a professor of nutrition or public health, but he is a professor of comparative religion who noticed that the stories people tell about nutrition have structural similarities, in the same way that many cultures have stories of a world-altering flood.

What Levinovitz talks about is a set of myths that recur across food scares (gluten, MSG, salt, sugar). He points out how we discuss foods as “good” or “bad,” rather than “nutritious” or “hard to digest,” conflating morality with science, so that we too become good or bad for eating them. He points out how some foods, actual foods eaten for thousands of years, start being called a poison; how each is compared to the diet of the ancients; and how studies are misconstrued and misrepresented.

It’s worth saying that he acknowledges that celiac is a real disease, and I have friends who suffer from both celiac and Crohn’s disease. But for most people, gluten is not even harmful, and the sales of expensive gluten-free foods far exceed the rise in diagnoses of both diseases. Levinovitz also talks about abuse of science, and about some of the quite harmful diet fads that have resulted from these misunderstandings (such as the banana diet).

Levinovitz also discusses how the torrent of stories about harmful foods leads to anxiety, contributes to people committing to impossible diets, and how that may play a role in eating disorders like anorexia and bulimia.

All of these things make sense. If you eat fat, you’ll get fat, right? Wrong. It turns out that it’s way more complex than that. And also, way simpler. If you regularly eat fewer calories than you use, you’ll lose weight. If your eating is unsustainable or tied up in self-perception issues, then you might gorge when you go off your diet. I’m sure that there are readers who, having cut gluten from their diet, feel better in a variety of ways. In order to cut gluten, they probably have to be more conscientious about what they eat, which may, just may, be a factor.

So what are we in infosec to learn?

First, the fads of fear do not help us. Folks are going to use the internet, and telling them not to because they haven’t worked out a password-hint scheme to protect the passwords inside their password manager doesn’t help them.

Second, moralization doesn’t help us. It sure plays into several narratives to claim that porn sites will give you a virus, but there’s also (disputable) evidence that church websites are worse. The moralizing sure is fun, and probably the research, too. But in this world of fear and moralization, we create a situation in which people feel guilt for not following security advice.

I’ve heard people say things like “this is probably my fault, but my account is sending spam. What do I do?” Wait! How, young man, is that your fault? Why didn’t your email provider secure the login? Why didn’t someone notice you logging in from across the world 15 minutes after your last access in New York, on a computer configured in Kyrgyz? Why didn’t anyone notice you sending a one-line email to hundreds of people you haven’t spoken to in ages? (There are, by the way, probably answers to each of these, but we’re space constrained.)
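The three checks the column asks about (a login from across the world minutes after the last one, a device reporting an unfamiliar locale, a burst of mail to people the user never writes to), scored over constructed events, as an added example that is not code from the column or from any email provider. The coordinates, locale tags and addresses are constructed, and the speed and recipient thresholds are assumptions a provider would tune for itself.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # assumed: above airliner speed, both logins cannot be one person
MASS_MAIL_THRESHOLD = 100   # assumed: recipients outside the user's correspondence history

@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    locale: str  # client-reported locale, e.g. "en-US"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def login_signals(prev: Login, cur: Login, usual_locale: str) -> list:
    """Signals a provider could raise on a new login, given the user's previous one."""
    signals = []
    hours = (cur.when - prev.when).total_seconds() / 3600
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    # Out-of-order timestamps, or an implied speed no traveller reaches: impossible travel.
    if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
        signals.append("impossible_travel")
    if cur.locale != usual_locale:
        signals.append("unexpected_locale")
    return signals

def mass_mail_to_strangers(recipients, known_contacts, threshold=MASS_MAIL_THRESHOLD) -> bool:
    """True when one message goes to many addresses the user has never written to."""
    strangers = {r for r in recipients if r not in known_contacts}
    return len(strangers) >= threshold
# Constructed sample events for a hypothetical user: New York, then Bishkek 15 minutes later
# from a Kyrgyz-locale machine (suspicious) vs. Boston 3 hours later (benign); then mass mail.
NEW_YORK = Login(datetime(2016, 3, 10, 9, 0), 40.7128, -74.0060, "en-US")
BISHKEK = Login(datetime(2016, 3, 10, 9, 15), 42.8746, 74.5698, "ky-KG")
BOSTON = Login(datetime(2016, 3, 10, 12, 0), 42.3601, -71.0589, "en-US")
KNOWN_CONTACTS = {f"friend{i}@example.com" for i in range(20)}
SPAM_RECIPIENTS = [f"victim{i}@example.org" for i in range(150)]

def demo():
    return {
        "suspicious_login": login_signals(NEW_YORK, BISHKEK, "en-US"),
        "benign_login": login_signals(NEW_YORK, BOSTON, "en-US"),
        "mass_mail": mass_mail_to_strangers(SPAM_RECIPIENTS, KNOWN_CONTACTS),
    }
```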

Third, the advice we hit people with is overwhelming and contradictory. In a world of anxiety, feeding people the wrong advice makes them long for a simple story: a morality play.

And what’s the takeaway?

First, drop the morality play.  No one likes being lectured, and it doesn’t help.

Second, drop the fear-based marketing. Of course, this is hard. It’s popular because it works. This morning on the radio, I heard an ad using words like “reminding consumers that insecure WiFi can leak information to the internet, resulting in identity theft.” My editor tells me that if I can’t say anything nice, I should go say it on Twitter. But we have to try marketing that’s more direct, simple and respectful of the audience.

Third, let’s get clear about what our products really do and do not do. Attacks rarely actually sink a business. Your product doesn’t stop real APTs (there is no try, as Yoda taught us). Real APTs include multiple 0-days in their air-gap-jumping code. Real APTs rewrite the firmware on your hard drive to hide their malware and survive a re-install.

Lastly, use your common sense. Listen with a critical ear in all aspects of life. And perhaps you’d enjoy reading The Gluten Lie.


Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps organizations improve their security via Shostack & Associates, and advises startups ...
Comments
Dark_Hatter
User Rank: Apprentice
3/14/2016 | 9:17:17 AM
Re: Gartner study
Correlation does not prove causation
stevew928
User Rank: Strategist
3/12/2016 | 9:17:41 PM
Common sense???
Wow, I'm not really sure where to start on this. While I agree that system security should be better, we're also living in reality here. And, I'm going to be recommending a password manager, not holding my breath for the industry to get their act together.

But, I guess I've also got a few bits of advice for you:

1) Pay more attention to the real world (i.e., science) instead of The Science.™

2) Don't pay much attention to comparative religion profs. (whether they are writing about religion or gluten)

3) Starting with a clever angle or story doesn't help much if you don't know how to tie it together. Your article should have been about a paragraph long, and probably best to stick to things you know something about.
adamshostack
User Rank: Apprentice
3/10/2016 | 8:17:44 PM
Re: Gartner study
Thanks Joe!


I do not know the study, but I absolutely dispute the claim. Go for example to www.privacyrights.org/  data-breach  slash new, select 2013 and unselect gov/edu/non-profit and medical (those seem less likely to go out of business). (DR blocks all URLs in comments, sorry!)


I see Aaron Brothers (still around), etrade (still around), the Shelburne Country Store (still around), nomorerack.com (now Choxi.com), "Various taxi cab companies in chicago" (don't know how to reasonably evaluate that, especially in light of Uber), Sears (still around), Zevin Asset Management (still around). I am now bored, because out of 7, I have one I don't know and 6 "still around."
Joe Stanganelli
User Rank: Ninja
3/10/2016 | 8:08:44 PM
Gartner study
Re: "Attacks rarely actually sink a business."

Adam, what of the oft-quoted stat from Gartner a couple years back indicating that the majority of businesses to suffer a data loss went out of business within two years?  Has there been an update?  Or do you dispute the methodology of the study?