Saturday, September 02, 2006

the end of security experts

no, i'm not talking about some sort of apocalypse that's going to wipe out all the security experts, i'm talking about the fact that the very notion of a security expert is starting to become ridiculous...

what's brought this line of thinking on is the raging false authority syndrome being displayed in the security community over the recent consumer reports controversy... everywhere i look i'm finding so-called security experts offering their opinions about how the anti-virus community is overreacting or people citing security experts when discussing virus related issues...

i have a computer science degree, does that make me an expert in (or qualified in any way to talk about) artificial intelligence? no... sure AI research is a computer science discipline but my computer science background was not in AI... in fact there are a number of computer science disciplines which are so far outside of my experience that i know better than to open my mouth about them most of the time... too bad this doesn't hold true for the computer security community...

see, the security domain is not a simple one and it's not getting any simpler as time goes by... it's a complex and diverse set of quasi-related fields and specialized disciplines and the reality is that it's no longer possible (and hasn't been for some time) for any one person to have expert knowledge of them all... so what we have instead of security experts are experts in some specialized security subdisciplines with good heads for a lot of the more generic security concepts... they call themselves (or are called by others) security experts but that's not really what they are, and the knowledge from their own particular area of expertise is not necessarily applicable to all other parts of the computer security domain...

that doesn't stop them, however, as the consumer reports controversy clearly illustrated... anti-malware in general and anti-virus in particular is a highly specialized discipline that deals with a kind of threat unlike anything else currently in the computer security domain... unfortunately we still have security experts saying viruses artificially generated in a lab represent the real world more accurately than viruses from the real world, or likening the threat posed by viruses to the threat posed by remote code execution exploits, or that the only reason the anti-virus companies reacted the way they did was because consumer reports made their products look bad (in spite of the fact that retrospective testing does the same thing, or the fact that some of the companies complaining weren't even included in the consumer reports test), etc...

if these people have no real background in the anti-virus field, why should what they say about virus issues be given any weight above that of a novice? because they're security experts and the anti-virus field is part of the security domain? please - security experts are not experts in all the security related disciplines, usually only one or two... most don't even bother to get enough of a taste of the other disciplines outside their area of expertise to know the true extent to which their own knowledge can apply there, otherwise they wouldn't behave like authorities on subjects for which they quite obviously have no real qualifications - the epitome of false authority syndrome... most security experts have no appreciation for the limitations that computational complexity places on detection techniques, or for the autonomous nature of the threat, or the environmental conditions that caused the anti-virus community to evolve the way it has, or any of a myriad of other details that are required to be a true authority in the anti-virus field...

the title of security expert is dead, it just doesn't know it yet... it doesn't mean what people think it means anymore, it's just a way of putting on airs... next time someone gets called or calls themselves a security expert ask yourself "is that like an animal expert?" and then ask yourself if you have a question about a particular type of insect, do you want to talk to an animal expert or an entomologist?...
