Operations | Commentary
3/10/2016 11:30 AM
Adam Shostack

Security Lessons From “The Gluten Lie”

How faith healers and security vendors have learned what lies work.

I was going to talk about security lessons from my stockbroker this week, but I’ve recently read a wonderful little book called The Gluten Lie, and I’d like to talk about how its lessons can be applied to security. The Gluten Lie is by James Madison University assistant professor Alan Levinovitz. With a title like that, you might expect him to be a professor of nutrition or public health, but he is a professor of comparative religion who noticed that the stories people tell about nutrition have structural similarities, in the same way that many cultures have stories of a world-altering flood.

What Levinovitz talks about is a set of myths that recur across food scares (gluten, MSG, salt, sugar). He points out how we discuss foods as “good” or “bad,” rather than “nutritious” or “hard to digest,” conflating morality with science, and how we become good or bad people for eating them. He points out how some foods that have been eaten for thousands of years start being called a poison, how each is compared to the diet of the ancients, and how studies are misconstrued and misrepresented.

It’s worth saying that he acknowledges that celiac is a real disease, and I have friends who suffer from celiac and from Crohn’s disease. But for most people, gluten is not harmful at all, and the sales of expensive gluten-free foods far exceed the rise in diagnosis of both diseases. Levinovitz also talks about the abuse of science, and about some of the quite harmful diet fads that have resulted from these misunderstandings (such as the banana diet).

Levinovitz also discusses how the torrent of stories about harmful foods leads to anxiety, contributes to people committing to impossible diets, and how that may play a role in eating disorders like anorexia and bulimia.

All of these things make sense. If you eat fat, you’ll get fat, right? Wrong. It turns out that it’s way more complex than that. And also, way simpler. If you regularly eat fewer calories than you use, you’ll lose weight. If your eating is unsustainable or tied up in self-perception issues, then you might gorge when you go off your diet. I’m sure that there are readers who, having cut gluten from their diet, feel better in a variety of ways. In order to cut gluten, they probably have to be more conscientious about what they eat, which may, just may, be a factor.

So what are we in infosec to learn?

First, the fads of fear do not help us. Folks are going to use the internet, and telling them not to do so because they can’t come up with a password hint methodology to protect the passwords inside their password manager doesn’t help them.

Second, moralization doesn’t help us. It sure plays into several narratives to claim that porn sites will give you a virus, but there’s also (disputable) evidence that church web sites are worse. The moralizing sure is fun, and probably the research, too. But in this world of fear and moralization, we create a situation in which people feel guilt for not following security advice.

I’ve heard people say things like “this is probably my fault, but my account is sending spam. What do I do?” Wait! How, young man, is that your fault? Why didn’t your email provider secure the login? Why didn’t someone notice you logging in from across the world 15 minutes after your last access in New York, from a computer configured in Kyrgyz? Why didn’t anyone notice you sending a one-line email to hundreds of people you haven’t spoken to in ages? (There are, by the way, probably answers to each of these, but we’re space constrained.)
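The checks the paragraph above wishes the provider had run, written out as an added example that is not part of the original column: an impossible-travel test between consecutive logins, an unfamiliar-locale test, and a mass-mail-to-strangers test. The login events, contact lists and the 1,000 km/h speed threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample logins (not from the article): time, observed location, client locale.
LOGINS = [
    {"user": "alice", "ts": "2016-03-10T09:00:00", "city": "New York",
     "lat": 40.71, "lon": -74.01, "locale": "en_US"},
    {"user": "alice", "ts": "2016-03-10T09:15:00", "city": "Bishkek",
     "lat": 42.87, "lon": 74.59, "locale": "ky_KG"},
]

# Assumed threshold: faster than any commercial flight, so the pair cannot be one person.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(prev, cur, max_kmh=MAX_PLAUSIBLE_KMH):
    """True when the speed implied by two consecutive logins exceeds max_kmh."""
    delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
    hours = delta.total_seconds() / 3600.0
    km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if hours <= 0:  # simultaneous logins from two distinct places are just as suspicious
        return km > 0
    return km / hours > max_kmh


def login_signals(prev, cur, usual_locales):
    """Collect the anomaly signals a provider could raise for login `cur`."""
    signals = []
    if impossible_travel(prev, cur):
        signals.append("impossible_travel")
    if cur["locale"] not in usual_locales:
        signals.append("unfamiliar_locale")
    return signals


def mass_mail_signal(recipients, known_contacts, threshold=100, stranger_ratio=0.9):
    """True for a message to many recipients the account has almost no history with."""
    if len(recipients) < threshold:
        return False
    strangers = sum(1 for r in recipients if r not in known_contacts)
    return strangers / len(recipients) > stranger_ratio
```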

Third, the advice we hit people with is overwhelming and contradictory. In a world of anxiety, feeding people the wrong advice makes them long for a simple story. A morality play.

And what’s the takeaway?

First, drop the morality play. No one likes being lectured, and it doesn’t help.

Second, drop the fear-based marketing. Of course, this is hard. It’s popular because it works. This morning on the radio, I heard an ad with phrasing like “reminding consumers that insecure WiFi can leak information to the internet, resulting in identity theft.” My editor tells me if I can’t say anything nice, I should go say it on Twitter. But we have to try marketing that’s more direct, simple and respectful of the audience.

Third, let’s get clear about what our products really do and do not do. Attacks rarely actually sink a business. Your product doesn’t stop real APTs. (There is no try, as Yoda taught us.) Real APTs include multiple 0-days in their air-gap jumping code. Real APTs re-write the firmware on your hard drive to hide their malware and survive a re-install.

Lastly, use your common sense. Listen with a critical ear in all aspects of life. And perhaps you’d enjoy reading The Gluten Lie.


Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ...
Comments
Dark_Hatter (User Rank: Apprentice), 3/14/2016 9:17:17 AM
Re: Gartner study
Correlation does not prove causation
stevew928 (User Rank: Strategist), 3/12/2016 9:17:41 PM
Common sense???
Wow, I'm not really sure where to start on this. While I agree that system security should be better, we're also living in reality here. And, I'm going to be recommending a password manager, not holding my breath for the industry to get their act together.

But, I guess I've also got a few bits of advice for you:

1) Pay more attention to the real world (ie: science) instead of The Science.™

2) Don't pay much attention to comparative religion profs. (whether they are writing about religion or gluten)

3) Starting with a clever angle or story doesn't help much if you don't know how to tie it together. Your article should have been about a paragraph long, and probably best to stick to things you know something about.
adamshostack (User Rank: Apprentice), 3/10/2016 8:17:44 PM
Re: Gartner study
Thanks Joe!

I do not know the study, but I absolutely dispute the claim. Go, for example, to www.privacyrights.org/ data-breach slash new, select 2013 and unselect gov/edu/non-profit and medical (those seem less likely to go out of business). (DR blocks all URLs in comments, sorry!)

I see Aaron Brothers (still around), etrade (still around), the Shelburne Country Store (still around), nomorerack.com (now Choxi.com), "Various taxi cab companies in Chicago" (don't know how to reasonably evaluate that, especially in light of Uber), Sears (still around), Zevin Asset Management (still around). I am now bored, because out of 7, I have one I don't know and 6 "still around."
Joe Stanganelli (User Rank: Ninja), 3/10/2016 8:08:44 PM
Gartner study
Re: "Attacks rarely actually sink a business."

Adam, what of the oft-quoted stat from Gartner a couple of years back indicating that the majority of businesses to suffer a data loss went out of business within two years? Has there been an update? Or do you dispute the methodology of the study?