I was going to talk about security lessons from my stockbroker this week, but I’ve recently read a wonderful little book called The Gluten Lie, and I’d like to talk about how its lessons apply to security. The Gluten Lie is by James Madison University assistant professor Alan Levinovitz. With a title like that, you might expect him to be a professor of nutrition or public health, but he is a professor of comparative religion who noticed that the stories people tell about nutrition have structural similarities, in the same way that many cultures have stories of a world-altering flood.
What Levinovitz describes is a set of myths that recur across food scares (gluten, MSG, salt, sugar). He points out how we talk about foods as “good” or “bad” rather than “nutritious” or “hard to digest,” conflating morality with science, so that we become good or bad people for eating them. He points out how foods that have been eaten for thousands of years start being called poisons. How each is measured against the diet of the ancients. How studies are misconstrued and misrepresented.
It’s worth saying that he acknowledges celiac is a real disease, and I have friends who suffer from both celiac and Crohn’s disease. But for most people, gluten is not harmful at all, and sales of expensive gluten-free foods far exceed the rise in diagnoses of either disease. Levinovitz also talks about the abuse of science, and about some of the quite harmful diet fads that have grown out of these misunderstandings (such as the banana diet).
Levinovitz also discusses how the torrent of stories about harmful foods leads to anxiety, contributes to people committing to impossible diets, and how that may play a role in eating disorders like anorexia and bulimia.
All of these things make sense. If you eat fat, you’ll get fat, right? Wrong. It turns out that it’s way more complex than that. And also, way simpler. If you regularly eat fewer calories than you use, you’ll lose weight. If your eating is unsustainable or tied up in self-perception issues, then you might gorge when you go off your diet. I’m sure there are readers who, having cut gluten from their diet, feel better in a variety of ways. In order to cut gluten, they probably have to be more conscientious about what they eat, which may, just may, be a factor.
So what are we in infosec to learn?
First, the fads of fear do not help us. Folks are going to use the internet, and telling them not to do so because they can’t come up with a scheme for protecting the password hints inside their password manager doesn’t help them.
Second, moralization doesn’t help us. It sure plays into several narratives to claim that porn sites will give you a virus, but there’s also (disputable) evidence that church web sites are worse. The moralizing sure is fun, and probably the research, too. But in this world of fear and moralization, we create a situation in which people feel guilty for not following security advice.
I’ve heard people say things like “this is probably my fault, but my account is sending spam. What do I do?” Wait! How, young man, is that your fault? Why didn’t your email provider secure the login? Why didn’t someone notice you logging in from across the world 15 minutes after your last access in New York, from a computer configured for Kyrgyzstan? Why didn’t anyone notice you sending a one-line email to hundreds of people you haven’t spoken to in ages? (There are, by the way, probably answers to each of these, but we’re space constrained.)
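The two signals in that paragraph (a login from across the world minutes after the last one, and a message to hundreds of never-contacted recipients) are easy to check for, which is rather the point. The following is an added illustration, not code from the column or from any provider: an impossible-travel check over consecutive logins and a fan-out check over sent mail. The 1000 km/h speed ceiling, the coordinates, the user names and the events are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling on plausible travel speed: airliner speed plus some slack.
MAX_KMH = 1000.0


@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float


@dataclass
class Message:
    sender: str
    recipients: list


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_KMH):
    """Return (previous, current) pairs of logins, per user, whose implied speed exceeds max_kmh."""
    last = {}
    flagged = []
    for ev in sorted(logins, key=lambda e: e.when):
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600.0
            # Same place at the same instant is fine; any distance in zero time is not.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                flagged.append((prev, ev))
        last[ev.user] = ev
    return flagged


def suspicious_fanout(messages, known_contacts, min_unknown=20):
    """Return (message, unknown_count) for messages sent to many never-contacted recipients."""
    flagged = []
    for msg in messages:
        known = known_contacts.get(msg.sender, set())
        unknown = [r for r in msg.recipients if r not in known]
        if len(unknown) >= min_unknown:
            flagged.append((msg, len(unknown)))
    return flagged


# Constructed sample data (assumptions, not real logs):
# alice logs in from New York, then from Bishkek 15 minutes later;
# bob drives from Seattle to Los Angeles over six hours, which is plausible.
T0 = datetime(2015, 6, 1, 9, 0)
SAMPLE_LOGINS = [
    Login("alice", T0, 40.7128, -74.0060),
    Login("alice", T0 + timedelta(minutes=15), 42.8746, 74.5698),
    Login("bob", T0, 47.6062, -122.3321),
    Login("bob", T0 + timedelta(hours=6), 34.0522, -118.2437),
]
SAMPLE_CONTACTS = {"alice": {"friend1@example.com", "friend2@example.com"}}
SAMPLE_MESSAGES = [
    Message("alice", ["friend1@example.com"]),
    Message("alice", [f"old{i}@example.com" for i in range(40)]),
]

if __name__ == "__main__":
    for prev, cur in impossible_travel(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.when} -> {cur.when} implies impossible travel")
    for msg, n in suspicious_fanout(SAMPLE_MESSAGES, SAMPLE_CONTACTS):
        print(f"{msg.sender}: one message to {n} recipients never written to before")
```

Neither check needs to be perfect to be useful: a provider that runs them can step up authentication or hold the outbound mail, rather than leaving the customer to discover the compromise and blame himself for it.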
Third, the advice we hit people with is overwhelming and contradictory. In a world of anxiety, feeding people conflicting advice leaves them wanting a simple story. A morality play.
And what’s the takeaway?
First, drop the morality play. No one likes being lectured, and it doesn’t help.
Second, drop the fear-based marketing. Of course, this is hard. It’s popular because it works. This morning on the radio, I heard an ad with words like “reminding consumers that insecure WiFi can leak information to the internet, resulting in identity theft.” My editor tells me if I can’t say anything nice, I should go say it on Twitter. But we have to try marketing that’s more direct, simple and respectful of the audience.
Third, let’s get clear about what our products really do and do not do. Attacks rarely actually sink a business. Your product doesn’t stop real APTs (there is no try, as Yoda taught us). Real APTs include multiple 0-days in their air-gap jumping code. Real APTs re-write the firmware on your hard drive to hide their malware and survive a re-install.
Lastly, use your common sense. Listen with a critical ear in all aspects of life. And perhaps you’d enjoy reading The Gluten Lie.
Adam is a leading expert on threat modeling. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an ...