20070612

Some Games Can't Be Won

Play tic-tac-toe long enough, and you'll soon realize there's no real strategy to it - no outwitting your opponent. The saying I've had for some time is that it's impossible to win at tic-tac-toe, but it is possible to lose. You can't beat your opponent - your opponent can only beat themselves. And if they make a mistake, it's not by some magical twist of strategy. Maybe that's precisely what War Games was trying to get across.

When I'm pessimistic, I think that the bad guys will always have more resources, a better economy, more attackers, and a better environment for creativity than the good guys. And the real root cause of that is that they have competing models. For security folks, they rarely work in an environment where security is the primary goal - they work in companies that make widgets, sell products, or provide a service. And security is something they're compelled by standards organizations to employ. Sometimes, if they're lucky, a security tool can give them a market advantage, but those opportunities are rare - their real competitive advantage comes directly from the things they're trying to sell. The bad guys work in an environment where doing bad things to systems is the primary means of making money. And the additional enticement of making a new cool 'sploit creates an environment where innovation is king. So the bad guys have an almost infinite pool of free labor in script kiddies, and work very hard to get another almost infinite pool of resources in botnets. So in my pessimism, I always think the bad guys will always win, we can only do what we can to try to reduce how much they win.

But when I'm optimistic, I think of securing applications more like tic-tac-toe. We can't win the security game (but that's not the goal - the goal is to win some other game - tic-tac-toe is just a small subset of it), and we just need to make sure that we don't make mistakes. But to make the reduction of those mistakes as small as possible, it's best to eliminate them as early as possible. Many argue that education is not the solution, and I partly agree. Education is not the only solution, but it's a critical part of the best solution - where mistakes happen with lower frequency to begin with, leaving security practitioners more time to find those things that weren't so much typos as engineering mistakes (our nuclear power plant is completely secure - only fuel of a particular type, with a minimum quality, and only in certain amounts is let in. But we built it on a fault line.)

Today I'm more an optimist - we can't win the game, but for a time, there's a known route to preventing loss. Maybe there's a difference between "secure" and "not insecure".
