Snake Oil Won’t Cure Your Security Illness
Part two in a three-part series about the information security industry money grab.
NOTE: I covered some of these issues in my book, Unsecurity: Information Security Is Failing. Breaches Are Epidemic. How Can We Fix This Broken Industry?
In this series, I’ll focus on three types of money grabbers:
- Those who will do anything and everything for your money
- Those who sell snake oil
- Those who will sell you something regardless of its effects on your security.
There’s no doubt that the money grab is alive and well in the information security industry. Some companies and people in our industry will do everything they can to get their hands on your money. Some of them should get your money, while others should be put out of business because of their deceptive practices.
Clark Stanley’s Snake Oil
This stuff was amazing. A concoction, or “liniment” as Clark Stanley called it, that would cure just about anything: rheumatism, neuralgia, sciatica, “lame back”, lumbago, “contracted cords”, toothaches, sprains, swelling, etc. I don’t even know what half these ailments are, but I don’t know if I’d care either. This stuff will cure me of ailments I don’t even know I have, and it will protect me from future ailments. If I were alive in the 1890s, I might have bought some of this wonder juice.
When Clark Stanley started peddling his snake oil to the ignorant masses, there was nothing to stop him. There was no regulation to govern the safety and effectiveness of drugs until 1906. Nobody even knew what Mr. Stanley’s wonder-drug was made of until 1916, the year the Bureau of Chemistry (later the Food and Drug Administration, FDA) tested Snake Oil and determined it was made from mineral oil, 1% fatty oil (assumed to be tallow), capsaicin from chili peppers, turpentine, and camphor.
People caught on, the jig was up, and Stanley eventually pled no contest to federal civil charges that were leveled against him.
Information security industry snake oil
There’s snake oil for sale in our industry. Don’t buy it. It doesn’t work (for you).
Thanks in large part to Clark Stanley, the term “snake oil” has become synonymous with products and services that provide little (if any) value, but are promoted as solutions to problems. The term is also used to refer to exaggerated claims made by salespeople.
You’d be naïve to think there aren’t products and services sold in our industry that fit our definition of “snake oil”. There are two types of snake oil being peddled today: the kind that is overtly deceptive and the kind that is covertly deceptive. Both are bad, and you need to watch out.
Overtly deceptive snake oil is the kind that comes with claims so outrageous that you start to question everything you know about yourself. The claims seem so real, with seemingly genuine evidence and fancy words, that you ask yourself questions like “Could this possibly be true?” “Has everything I’ve known about these things been wrong?” “How could I be so wrong?” “Is my existence a joke?”
No, you’re not wrong. Your existence is not a joke. The claims are crazy.
Here are two recent examples.
World’s First Patented Unhackable Computer Ever
What?! Unhackable? This can’t possibly be true. Can it? Well, if we were to believe Pritam Nath, the CEO of MicrosafeX Company, then yes it is true. If you use your noggin and think about this for a minute, the answer is absolutely NOT! There is no “unhackable” computer. There is no “unhackable” anything. Mr. Nath is selling snake oil, and thankfully the jig was up before people fell for it.
You should read his claims on his Kickstarter fundraising page. The claims would be laughable if they weren’t so sad and patently false. There were 36 reported “backers” of Mr. Nath’s snake oil before the campaign was cancelled. I’m guessing most of these people were in it for the fun, not because they took this thing seriously.
Sounds cool. What is it?
AI is sexy, but if AI doesn’t get your juices flowing, how about “quasi-prime numbers”, “infinite wave conjugations,” and “non-factor based dynamic encryption and innovative new developments in AI”?
SOLD! Lots of big words solving cool problems that I don’t understand. Must be cutting-edge stuff.
The company peddling this Time AI thingy is Crown Sterling out of Newport Beach, California. I’d never even heard of these guys before last week.
Last week, at Black Hat, Robert Edward Grant, the company’s Founder, Chairman, and CEO, gave a talk titled “The 2019 Discovery of Quasi-Prime Numbers: What Does This Mean For Encryption?”. The talk was so overtly snake-oilish that it prompted very strong reactions (outrage) from some people who were there.
Dan Guido, the CEO of Trail of Bits, stood up during Mr. Grant’s snake oil pitch and shouted “Get off the stage, you shouldn’t be here!” “You should be ashamed of yourself!” Ballsy.
Here’s a video clip of the exchange.
🤘👏 @dguido pic.twitter.com/vOkrthMQck
— JP Aumasson (@veorq) August 8, 2019
Jean-Philippe Aumasson is a serious crypto guy, and the author of the book Serious Cryptography.
There was enough of an uproar to force changes at Black Hat, including removal of references to the talk from the conference website and a promise of better vetting of sponsored talks in the future.
These are two examples of obvious and overtly deceptive snake oil. There’s also the less obvious, covertly deceptive variety.
Covertly deceptive snake oil is hard for the inexperienced and/or lazy security professional to identify. It’s the sort of snake oil where a salesperson or company claims that their product does something that it doesn’t or that it will solve a problem, but it won’t. This snake oil is hard to identify because you won’t know unless you know.
One tell for covertly deceptive snake oil is the prominent use of sexy buzzwords. Common sexy buzzwords/phrases include:
- Artificial intelligence or “AI”
- Digital transformation
- Big data
- Machine learning or “ML”
If someone uses a buzzword or phrase that you don’t understand, go find out what it means. Don’t just sit there and nod your head like you know. Discounting buzzwords and phrases won’t always work though. There are legitimate companies and products in the market that use sexy buzzwords but work as promised.
The key to protecting against covertly deceptive snake oil is to follow the advice in the closing (below): research, educate, and/or ask. Don’t ever rely solely on the opinions and research provided by the company or salesperson who’s selling; it’s biased.
It’s you who makes buying decisions for you. No pressure, but every dollar you spend on security is one less dollar your organization can spend on fulfilling its mission, so you should get it right.
Don’t ever buy anything without doing one (or all three) of the following:
- Conduct in-depth research into the product and how it works.
- Educate yourself on the technology the product claims to use.
- Ask an unbiased expert for his/her opinion.
If we all made good purchasing decisions, the snake oil would dry up. You will need to do more work, but in the end it will save you.