Image from Pixabay
Recently, RITA came into my life. She just fluttered in during a risk analysis, and I
listened with fascination to what a colleague had to say about her (thank you
Henk!). Later I Googled her and was impressed by her engaging personality. Her
image is a bit less flattering, but I still prefer to judge RITA on her
character rather than her appearance.
RITA is an acronym that stands for Reliable Internetwork Troubleshooting Agent. It's an April Fool's joke from 1998, presented as an RFC. That abbreviation stands for Request for Comments. An RFC is literally a request to comment on something. That ‘something’ is the set of protocols and other documents that describe the operation of the internet. Ultimately, an RFC becomes a standard, but strangely enough it’s still called an RFC.
RFC 2321 describes “usage of Nondeterministic Troubleshooting and Diagnostic Methodologies as applied to today’s complex nondeterministic networks and environments”. The difficult word, which appears twice in the previous sentence, means that outcomes are variable even when the conditions are the same. I put aside the common assumption among laymen that computers always produce the same output in identical situations - especially with identical input - at the very beginning of my career. At the time, I was responsible for the COBOL software that took care of the nightly processing of income tax data. One evening an operator (hello Oscar!) called me because the processing had stalled. I told him to just restart the processing. Never heard anything about it again.
RITA is charmingly simple, and the way she makes her diagnosis is equally so. Moreover, the outcome is easy to understand because it is binary: it is right or wrong, there is no in between. RITA's primary area of use is hardware and software, but I think RITA can also be successfully used in countless other environments, even outside IT.
RITA is a rubber chicken with a length of 51.25 cm (20 3/16”) and its operation is very simple. You place it on the device to be analyzed or, in the case of software, on a still packaged copy of the software, or if necessary on a printout of the source code (that old COBOL software of mine was easily a decimetre (4”) thick). And here’s the punchline: if RITA flies away, then the object to be analyzed is error-free. If, on the other hand, RITA stays put, then something is wrong. You get the idea: rubber chickens don't fly – unless they're thrown, of course.
Moral of the story: hardware and software always contain errors, because they are incredibly complex. And, I always add, some of those errors have bad consequences for the security of the object, and possibly even for the security of the wider environment in which it is active (a hacked baby monitor is not only annoying because the hacker is in your home, but also because the device can be misused in a DDoS attack on an organization on the other side of the world).
In our risk analyses, we always ask how vulnerable a particular object is to errors in software, broken down into self-built and purchased software. How vulnerable you are is determined by the measures you have taken against a threat. The application of the DTAP model is invariably mentioned as a measure: development, testing, acceptance and finally running the software in production take place in separate environments, the intention being that an error will come to light in one of these phases before it reaches production. Attack & penetration testing is often used to determine whether an attacker can gain access to the object. And vulnerability scanning regularly checks whether a product contains known vulnerabilities. What remains after all this good work are the mistakes that have still been overlooked. And believe me: RITA will never take to the skies. The only question is who will discover a risky error first: a crook or an honest person.
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- Laxity is a factor that few take into account.
- Signal now protects your privacy even better.
- Cloud computing is sucking in government. [DUTCH]
- This American newspaper article predicts a positive effect on the US of a ruling by the European Court of Human Rights.
- There is still something to be gained in the high ranks of the Luftwaffe in the field of security awareness. [DUTCH]
- The US government is leaning toward banning ransom payments.
- Ivanti's problems keep the NSA busy.
- The NSA also gives tips about security in the cloud.
- The beer supply will not be in danger for the time being.
- The man in the middle takes off in your Tesla.
- Sometimes the opponent is in your own organization.
- Many Dutch passports are for sale on the dark web. [DUTCH]