Complexity killed the Cat

René „Lynx“ Pfeiffer

DeepSec In-Depth Security Conference 2022

Everything is based on Growth


Source: The Guardian

IT can relate to Growth

    program-id. hello-world.

    procedure division.
        display "Hello, World!"
        goback
        .
Code grows over time (source Rosetta Code).

IT can relate to Growth (2)

    .data
    szMessage:      .asciz "Hello world. \n"
    .equ LGMESSAGE, . - szMessage      // compute length of message
    .text
    .global main
    main:
        mov x0, 1                      // file descriptor 1 = stdout
        ldr x1, qAdrMessage            // address of message
        mov x2, LGMESSAGE              // sizeof(message)
        mov x8, 64                     // select system call 'write'
        svc 0                          // perform the system call

        mov x0, 0                      // return code
        mov x8, 93                     // select system call 'exit'
        svc 0                          // perform the system call
    qAdrMessage:    .quad szMessage
Code expands to other programming languages (source Rosetta Code).

IT can relate to Growth (3)

Code can become more complex (source IOCCC).

Variations

Source: List of Hello World Programs in 300 Programming Languages

Prerequisites

Let's keep this in mind.

Growth and Prosperity

If everything (?) is based on growth, where is the problem?

Limits! Or limiting factors.

COVID-19 Cases

Source: WHO

Exponential Function

„Well-known“ since COVID-19…

Pure exponential growth has no limiting factors.

Logistic Function

„Limitless“ growth with limits looks like this:
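Written out as formulas (added here, not part of the slides; N is the growing quantity, r the growth rate and K the limiting factor):

$$N_{\exp}(t) = N_0\, e^{rt}, \qquad \lim_{t\to\infty} N_{\exp}(t) = \infty$$

$$\frac{dN}{dt} = rN\left(1 - \frac{N}{K}\right) \quad\Rightarrow\quad N_{\log}(t) = \frac{K}{1 + \frac{K - N_0}{N_0}\, e^{-rt}}, \qquad \lim_{t\to\infty} N_{\log}(t) = K$$

For $N \ll K$ the factor $(1 - N/K) \approx 1$, so early on both curves are indistinguishable; the limit $K$ only becomes visible later, which is why it is so easy to ignore.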

Economists and investors hate this function and often ignore it.

(Moore's Law has not yet encountered „hard“ limits…)

Enter the Human Mind

Back to Complexity

Complexity „just happens“ (subjectively)…

…but it is created because of limitations.

Enter the Machine's Mind

int, float, char, boolean, String

int, long, short, char, long long, float, double, bool, void *

Machines „think“ differently.

Complexity

Yes, it's curl / libcurl!

Complexity

Could be any other (tech) company!

Why does this happen?

Libraries are great!

One does not simply walk into Mordor with one's own libcrypto.

With great package managers comes great responsibility!

Selection of components varies from conservative to 50 packages per second.

Complexity Reloaded

Complexity is not exclusively tied to software development.

Data Loss Prevention (DLP) means you know all data of your organisation.

Do you?

Information Technology

IT has to deal with complexity. And humans!

Source: Network Security: Private Communication in a Public World

Keep It Simple(, Stupid) (KISS)

Origin in Lockheed Skunk Works (U-2, SR-71)…

…or the 1938 issue of the Minneapolis Star.

Often cited, not self-evident, hard to implement, always misunderstood.

Keep It Simple (2)

You can have complex objects, but…

…these objects must be easy to fix (in the „field“ = „in production“).

„Make everything as simple as possible, but not simpler.“ (Albert E.)

Information Security

Source: xkcd Authorization

Hype, Trends, Fashion Statements

This feels familiar.

Problem

That's not a model. It's just a drawing.

Thinking like this is the cause for serious issues in IT (security)!

How do you select IT security solutions?

  • There is a need for ${SOMETHING}.
  • Need usually means unsolved problems or hazards. 🧯☣ ☢
  • How do you measure (lack of / increased) security? 🔎
  • Can you assess all your data and systems? ⚖
  • Can you tolerate a false positive rate of 0.0005? 🛎
  • (No, because 1e6 events/month means 16.6 alerts/day.)
  • Can you name relevant indicators of compromise? 🔥
  • „Hello, world!“ – Complexity is back. 🥳
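The false-positive arithmetic from the list above, worked out as an added example (not from the talk); the incident count and detection rate used for the precision figure are constructed assumptions:

```python
"""Alert load from a false-positive rate.

Added example for the slide's "1e6 events/month at FPR 0.0005" question; not
part of the original talk. Incident count and detection rate are constructed
assumptions used to show the base-rate effect.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertLoad:
    """Expected detector output for one month of events."""
    false_alerts_per_month: float
    true_alerts_per_month: float
    precision: float        # fraction of alerts that are real incidents
    alerts_per_day: float   # what analysts must triage, 30-day month


def alert_load(events_per_month, fpr, incidents_per_month=0.0, tpr=1.0,
               days_per_month=30.0):
    """Workload and precision of a detector at a given false-positive rate.

    fpr: fraction of benign events that raise an alert
    incidents_per_month / tpr: real incidents in the stream and the share
    the detector catches (assumed values, not from the slides)
    """
    if not (0.0 <= fpr <= 1.0 and 0.0 <= tpr <= 1.0):
        raise ValueError("rates must lie in [0, 1]")
    benign = events_per_month - incidents_per_month
    false_alerts = benign * fpr
    true_alerts = incidents_per_month * tpr
    total = false_alerts + true_alerts
    precision = true_alerts / total if total else 0.0
    return AlertLoad(false_alerts, true_alerts, precision, total / days_per_month)


def max_fpr_for_budget(events_per_month, alerts_per_day_budget, days_per_month=30.0):
    """Largest FPR a team can afford when it can triage a fixed number of alerts per day."""
    return alerts_per_day_budget * days_per_month / events_per_month


if __name__ == "__main__":
    slide = alert_load(1e6, 0.0005)
    print(f"{slide.false_alerts_per_month:.0f} false alerts/month, "
          f"{slide.alerts_per_day:.1f} alerts/day")
    # constructed: 10 real incidents/month, detector catches 90 % of them
    realistic = alert_load(1e6, 0.0005, incidents_per_month=10, tpr=0.9)
    print(f"precision {realistic.precision:.3f}")
    print(f"FPR budget for 5 alerts/day: {max_fpr_for_budget(1e6, 5):.1e}")
```

Turning the question around with max_fpr_for_budget shows what the slide implies: a team that can triage a handful of alerts per day needs a false-positive rate well below the 0.0005 on offer.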

What actually happens

  1. Ask the IT department, maybe get an answer.
  2. Check the budget.
  3. Ask companies with a good PR department for their products.
    (If you don't know them, you cannot ask them, hence PR.)
  4. Spend money for a compromise between budget, blame, and risk.

„In IT security, the products with the best PR usually win.“

The Joy of Metrics

It is good practice to measure something. Or to pretend, at least.

Quantification has become a cult - procedure without meaning.

What about Complexity?

We can deal with complexity in software (mostly).

We cannot deal with complexity in black boxes!


Source: Schrödinger’s cat gets a reality check

Metrics: The Checklist

  1. What kind of information are you thinking of measuring?
  2. How useful is the information?
  3. How useful are more metrics?
  4. What are the costs of not relying upon standardized measurement?
  5. To what purposes will the measurements be put?
  6. To whom will the information be made transparent?
  7. What are the costs of acquiring the metrics?
  8. Why does your organisation demand performance metrics?
  9. How and by whom are the measures of performance developed?

Source: The Tyranny of Metrics

Helpful Hints

  • Reanalyze Big Data.
  • Define and apply sensible metrics.
  • Refactor everything - reduce complexity in your organisation.
  • What does SIEM mean for you?

Questions?

Source: N-Body Simulation with 131072 bodies

whoami

  • 🆔 René „Lynx“ Pfeiffer
  • ℹ Senior Systems Administrator
  • DeepSec In-Depth Security Conference organisation team
  • ☢ Study of theoretical physics
  • 🕸 Internet user since 1992
  • ⏳ 30+ years of experience with software development, computing platforms, and systems administration

Contact

  • Email: rpfeiffer@deepsec.net
  • PGP/GPG: 0x8531093E6E4037AF
  • Mobile: +43.676.5626390 (Signal available)
  • GSMK Cryptophone™: +807.94905059
  • Threema: 7U6X9E5W

About the Author

René „Lynx“ Pfeiffer was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 byte RAM and a 4096 byte operating system, forcing him to learn Texas Instruments TMS 1600 assembler before any other programming language.

After finishing school he went to university in order to study physics. He then collected experiences with a C64, a C128, two Commodore Amigas, DEC's Ultrix, OpenVMS and finally GNU/Linux on a PC in 1997. He has been using Linux since that day and still likes to take things apart and put them together again. Freedom of tinkering brought him close to the Free Software movement, where he puts some effort into the right to understand how things work – which he still does.

René is a senior systems administrator, a lecturer at the University of Applied Sciences Technikum Wien and FH Burgenland, and a senior security consultant. He uses all the skills in order to develop security architectures, maintain/improve IT infrastructure, test applications, and to analyse security-related attributes of applications, networks (wired/wireless, components), (cryptographic algorithms), protocols, servers, cloud platforms, and more indicators of modern life.