Wednesday, December 12, 2018

Computer Security is the Wild West

[Image: theatrical poster for the film Vertigo (detail), from Wikipedia.]
Greetings from the Australian National University in Canberra, where I am attending a reading group on cyber security. One of the attendees from "a government agency" asked a senior academic why some of the research at international conferences is so poor: the answer was "Computer Security is the Wild West".

It has been an interesting morning. I attended a seminar on "Vertigo: Fake news/real theory" by the ANU College of Law. Appropriately for the government-established university, there was discussion of David Foster Wallace's unfinished novel The Pale King, which relates the horrors of being a tax inspector. There was also discussion of the difficulties of countering fake news.

The ANU cyber reading group primarily reviews papers on fuzzing. In fuzzing, random data is fed to a program to test its security: millions of random variations can be input to see if the program does something it is not supposed to. This technique is now in such routine use that one of our resident experts commented we had reached "peak fuzzing".
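To make the technique above concrete, here is a minimal mutation fuzzer in Python, added as an illustration and not taken from the original post. The toy parser, its hardened variant and the seed input are all constructed for this example; the fuzzer mutates the seed, treats a clean ValueError as correct rejection, and reports any other exception as a crash.

```python
import random

def parse_record(data: bytes) -> int:
    """Constructed toy parser: b"LEN:<n>;" then n payload bytes. Bug: n is
    trusted, so a short payload makes the checksum loop run off the end."""
    if not data.startswith(b"LEN:"):
        raise ValueError("bad header")
    sep = data.index(b";")    # ValueError if no separator
    n = int(data[4:sep])      # ValueError if not a number
    payload = data[sep + 1:sep + 1 + n]
    return sum(payload[i] for i in range(n)) & 0xFF   # IndexError when short

def parse_record_fixed(data: bytes) -> int:
    """Hardened variant: reject a declared length that does not match."""
    if not data.startswith(b"LEN:"):
        raise ValueError("bad header")
    sep = data.index(b";")
    n = int(data[4:sep])
    payload = data[sep + 1:]
    if len(payload) != n:
        raise ValueError("length mismatch")
    return sum(payload) & 0xFF

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte edits: overwrite, delete or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 1 and buf:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations, rng_seed=0, expected=(ValueError,)):
    """Run mutated seeds through target; record anything except a clean
    rejection (an expected exception) as a crash: (input, exception name)."""
    rng = random.Random(rng_seed)
    crashes = []
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes
```

Running `fuzz(parse_record, [b"LEN:5;hello"], 2000)` turns up the IndexError within a few thousand cases, while the same run against `parse_record_fixed` finds nothing, which is the cheap regression check a fuzz harness gives you once a bug is fixed.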

There is evidence for "peak fuzzing". The steady increase in the number of scholarly publications found with a Google web search for "fuzzing, security testing" seems to have leveled off in 2018.


Year  Publications
2018  1060
2017  1070
2016  841
2015  805
2014  750
2013  696

It occurs to me that fuzzing might be used to test how the political system copes with fake news. This would be done by generating social media posts which are grammatically correct but contain random words. The program would then look to see which posts were liked, passed on and positively rated. There are perhaps for-profit and state-based actors already doing this, to attract clicks or to spread confusion.


Also, I suggest looking at the ethics and legal issues with detecting bugs. What systems should you test, and when you find a vulnerability what can (and should) you do with that information? With a quick search I found a recent paper on the Pentagon's Vulnerability Reward Program (Chatfield & Reddick, 2017).

Reference


Chatfield, A. T., & Reddick, C. G. (2017, June). Cybersecurity Innovation in Government: A Case Study of US Pentagon's Vulnerability Reward Program. In Proceedings of the 18th Annual International Conference on Digital Government Research (pp. 64-73). ACM. URL https://doi.org/10.1145/3085228.3085233
