Troopers Trust Survey results

Troopers14 Trust Survey results are here.

I ran the survey using the Trust-O-Meter methodology throughout the conference. I received a fair number of responses (as well as some attempts at ballot stuffing and plain hacking, as expected). This survey is just a baseline, to establish what we think about the level of trustworthiness of some of the largest players in information security. I will repeat it on other occasions so that we can see some trends.

Generally, the situation is not as bad as I was afraid of, but far from stellar. Even the best large player received a relatively low score, and none of them scored ‘green’, which would indicate that they help build trustworthiness throughout the industry. They are just that: suppliers and players. As for trust in information security, we have to find alternative ways to build it.

Posted in conference, Trust-O-Meter, trustworthiness, Uncategorized

There is no vulnerability

Yes. There are no vulnerabilities in the code. There are only features.

A vulnerability is a discrepancy between what the code does and what the code is expected to do. It is a specific discrepancy, one that allows you to own the system, but that’s it. So, if you have no expectation of how the code should behave, then, by definition, it has no vulnerabilities.

Interestingly, the majority of code is sold exactly ‘as is’, i.e. with no claim of correctness, fitness for purpose or reliability. The manufacturer, in plain legal English, tells you that you should have no expectation of whether and how it works. Apparently this code has no vulnerabilities at all, because we should have no expectations. However, it may have features that we may not desire, and of which we do not know. That’s it. Now it is our job to find them.

Back to the main thread. If you take the code ‘as is’, then it has no vulnerabilities, only features. If you understand that the code has to satisfy several conflicting ‘has to do’ needs, you will not be surprised that it is full of features that you can call vulnerabilities.

What conflicting interests? The code is made to the specification and is supposed to deliver what it says on the tin. Right?

Wrong. Code writing is a social process. For some the only purpose of the code is to put bread on the table. For others the only purpose of the same code is to show that they are superior to their peers. For others it is an insurance against being fired. Others can see the same code as an avenue to a hefty bonus. I can keep writing this list, but I guess you have an idea.

Each one of those participants will force in features that they value. Some will prefer code that is easy to write. Others will prefer code that is obscure. Some will install backdoors. Others will value flashy screens with no content.

Some of those features will become what you call vulnerabilities. If your business is in finding and exploiting them, then those features will put food on your table. That’s good. Those people work for you, in a way. If your business is in preventing vulnerabilities from occurring, you’d better find yourself another job.

Posted in conference, technology

TrustyCon

That’s really welcome news:

TrustyCon, the one-day conference about trust and information technology. Shame it is so far from where I live.

Posted in conference

Trust-O-Meter and used cars

My guest blog entry on buying used cars with the help of Trust-O-Meter went online.

Posted in event, Trust-O-Meter

Trust-O-Meter is out

Finally. The world is holding its breath. :)
Trust-O-Meter, version 1.0 is out in Google PlayStore.
Congratulations, myself.

Posted in announcement, news, Trust-O-Meter