The Farmer, the Cowman, and the Prisoner’s Dilemma

June 18, 2014

SOURCE: SourceClear

I’m in Austin. Gave a talk at the ISC2 Secure SDLC event and stuck around to hear a few others, including one that’s got me all wound up. It was delivered by a “security expert” working for one of the big antivirus firms, who had some scary things to say to us in the developer community. Now, when I say “scary,” I don’t mean “sobering” or even “frightening.” Those are grown-up words. “Scary” is what you expect from children and what you use when addressing children. What this speaker had to say was definitely scary. To wit …

‘When you ship your code to AWS in the cloud, you have no idea in the world where it is.’

As I said: scary. But neither sobering nor frightening, because it's simply not true. Amazon Web Services isn't a black box. You choose the region (and the availability zone within it) your code is deployed to, and AWS publishes where those regions are. If a workload has to stay in one jurisdiction, that is a setting you control. There's just no mystery, no sabotage, no conspiracy.

But, as the TV pitchman puts it, wait! There’s more!

“I’m the sort of guy who sits in airports sniffing developers committing code to GitHub.”

The truth is that this “sort of guy” is the “sort of guy” who doesn’t actually exist—except in the sales pitch of someone who makes a living by selling two things. One is security products and services. The other is the FUD—fear, uncertainty, doubt—that churns up the demand for those products and services.

Developers push code to GitHub over Secure Shell (SSH) or HTTPS (TLS). Yes, there have been well-publicized implementation flaws in both, and we are all aware of them, but to make light of launching a targeted man-in-the-middle (MITM) attack on those protocols at will is nothing more than security theatre and showmanship. An SSH client pins the server's host key in known_hosts, and an HTTPS client validates the certificate chain; an attacker on the airport Wi-Fi who interposes himself has to present a key or certificate of his own, and the client refuses it.
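To make the host-key point concrete, here is an added example (mine, written for this edit; it is not code from the original post or from SourceClear) that reproduces the check an OpenSSH client performs against known_hosts. The two keys and the known_hosts entry are constructed for the example; the fingerprints are not GitHub's, and the parser handles only plain, unhashed hostnames.

```python
import base64
import hashlib
import struct

SSH_ED25519 = b"ssh-ed25519"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw32: bytes) -> bytes:
    """Build an OpenSSH public-key blob for ssh-ed25519 (type string, key string)."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(SSH_ED25519) + ssh_string(raw32)


def blob_key_type(blob: bytes) -> str:
    """Read the key-type string embedded at the start of a key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob).
    This is the format `ssh-keygen -lf` prints and that GitHub publishes."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str):
    """Parse 'host[,host...] key-type base64'. Plain hostnames only: hashed
    '|1|...' entries and @marker lines are outside this example."""
    hosts, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if blob_key_type(blob) != key_type:
        raise ValueError("declared key type does not match the key blob")
    return hosts.split(","), key_type, blob


def host_key_check(known_hosts, host, presented_type, presented_blob) -> str:
    """Mirror the client's decision: 'match' (proceed), 'changed' (the
    'REMOTE HOST IDENTIFICATION HAS CHANGED' refusal an interposed attacker
    triggers) or 'unknown' (first contact, where trust-on-first-use applies)."""
    seen_host = False
    for line in known_hosts:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, blob = parse_known_hosts_line(line)
        if host not in hosts or key_type != presented_type:
            continue
        seen_host = True
        if blob == presented_blob:
            return "match"
    return "changed" if seen_host else "unknown"


# Constructed keys: fixed byte patterns, NOT real GitHub keys.
GENUINE_KEY = make_ed25519_blob(bytes(range(32)))
ATTACKER_KEY = make_ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts content, as a client stores it after first contact.
KNOWN_HOSTS = [
    "# constructed for this example",
    "github.com ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode("ascii"),
]


def demo() -> dict:
    """The three situations a developer pushing from airport Wi-Fi can hit."""
    return {
        "genuine": host_key_check(KNOWN_HOSTS, "github.com", "ssh-ed25519", GENUINE_KEY),
        "mitm": host_key_check(KNOWN_HOSTS, "github.com", "ssh-ed25519", ATTACKER_KEY),
        "first_contact": host_key_check(KNOWN_HOSTS, "gitlab.example", "ssh-ed25519", GENUINE_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
    print("genuine  ", fingerprint_sha256(GENUINE_KEY))
    print("attacker ", fingerprint_sha256(ATTACKER_KEY))
```

The interposer only wins in the "unknown" case: a host the client has never pinned, a developer who answers "yes" to the first-contact prompt without comparing the fingerprint to the published one, or a configuration with StrictHostKeyChecking turned off. Against a pinned key, the attacker's substitute key produces the "changed" refusal, which is why sniffing pushes from an airport lounge is not something anyone does "at will".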

The folks in Oklahoma like to diminish Texas, their southern neighbor, by calling it Baja Oklahoma. I don’t make it a habit to think about Rodgers and Hammerstein’s 1943 musical Oklahoma! But maybe because this antivirus guy’s “scary” words are echoing in my head and here I am, in Texas, sitting right under the state of Oklahoma, that the lyric about how “the farmer and the cowman should be friends” suddenly comes to mind.

Developers have nothing against antivirus software and other security products. But security “experts” never seem ready to trust developers with any aspect of security. Regrettably, the speaker I heard in Austin is far from an exceptional case. In a pitch for security products, he peddled FUD, treating an audience of grown developers like little children by telling them scary stories.

Rational caution is essential to digital security. In fact, the most rational approach to creating secure software is to build in security while code is actually being written. This means trusting and empowering developers with security tools, authority, and responsibility.

FUD-fed paranoia may feel like a prudent abundance of caution, but it is actually delusional and therefore destructive. News flash: the Prisoner’s Dilemma is no longer an actual dilemma because it was solved a long time ago.

If you’re familiar with the Prisoner’s Dilemma, just skip over the next bit. But if you’ve forgotten how it goes, here it is:

Two partners in crime, Able and Baker, are arrested. Each is in locked solitary, unable to communicate with the other. The cops have enough evidence to convict both on a minor charge punishable by a year in jail. If, however, they can get one to turn state’s evidence against the other or the duo to mutually betray one another, they can get a major conviction and a heavier sentence. So they give each prisoner the opportunity either to betray one another or to cooperate with each other by remaining silent.

If Able and Baker betray each other, each serves 2 years in prison.

If Able betrays Baker but Baker remains silent, Able is freed and Baker serves 3 years (and vice versa).

If both remain silent, both serve just 1 year.

Our inclination toward the cynicism and paranoia of FUD tells us that because betrayal offers the greatest reward, the prisoners will betray each other. But the reality is that people are biased toward cooperative behavior and, even against the dictates of apparent self-interest, they usually choose to cooperate. (In the case of the Prisoner’s Dilemma, they remain silent and accept 1 year in jail instead of risking 2 or even 3 in the tenuous hope of being set free.)

Trusted and empowered, developers will collaborate with anyone, even security “experts,” to create more secure software and more secure computing. “One man likes to push a plough, the other likes to chase a cow,” but the farmer and the cowman can be friends. Security people, be warned: the more FUD is allowed to propagate, the more difficult collaboration will be.

Mark Curphey (who is sat in the United Admiral lounge in the Austin airport committing code to GitHub, if you are man enough, AV boy)
