The Vacuity of the Open Source Security Testing Methodology Manual

Our paper – together with Rikke Jensen – on the Open Source Security Testing Methodology Manual has been accepted to the Security Standardisation Research Conference (SSR 2020). Here’s the abstract:

The Open Source Security Testing Methodology Manual (OSSTMM) provides a “scientific methodology for the accurate characterization of operational security”. It is extensively referenced in writings aimed at security testing professionals such as textbooks, standards and academic papers. In this work we offer a fundamental critique of OSSTMM and argue that it fails to deliver on its promise of actual security. Our contribution is threefold and builds on a textual critique of this methodology. First, OSSTMM’s central principle is that security can be understood as a quantity of which an entity has more or less. We show why this is wrong and how OSSTMM’s unified security score, the rav, is an empty abstraction. Second, OSSTMM disregards risk by replacing it with a trust metric which confuses multiple definitions of trust and, as a result, produces a meaningless score. Finally, OSSTMM has been hailed for its attention to human security. Yet it understands all human agency as a security threat that needs to be constantly monitored and controlled. Thus, we argue that OSSTMM is neither fit for purpose nor can it be salvaged, and it should be abandoned by security professionals.

This is most definitely the strangest paper I have ever written. First, the idea for writing this paper came out of teaching IY5610 Security Testing in the Information Security MSc at Royal Holloway. Where my employer likes the tagline “research inspired teaching”, I guess this is a case of “teaching inspired research”.

Second, this paper, bringing together scholarship from many different disciplines, has a most eclectic list of references: security testing, cryptography, HCI, ethnography, military field manuals, supreme court decisions, we got it all.

Third, the paper is unusual, at least for information security, in how it proceeds:

While information security research routinely features critiques of security technologies in the form of “attack papers”, analogues of such works for policies, frameworks and conceptions are largely absent from its core venues. This work is a textual critique of OSSTMM based on a close reading of the methodology and pursues two purposes. First, immediately, to show that OSSTMM is inadequate as a security testing methodology, despite being referenced routinely in the security testing literature. Second, more mediated, to show that the ideas at the core of OSSTMM are wrong. As we show [later in the paper], these ideas are not OSSTMM’s privilege. It is for this reason that we chose the form of a textual critique over alternative approaches such as empirical studies to the effectiveness of OSSTMM in practice.

That said, the paper says things that I think are worth saying beyond OSSTMM. Both bogus quantification and questionable ideas about social aspects of information security are widespread in the field. Thus, while OSSTMM provides particularly striking examples of these mistakes, we think our points apply more broadly:

While OSSTMM expresses the methodological dogma that scientific knowledge equals quantification particularly crudely, this is not its privilege. Rather, this conviction is common across information security, as exemplified, for example, in CVSS which claims to score security vulnerabilities by a single magnitude. Moreover, the somewhat bad reputation of security testing as a “tickbox exercise” speaks of the same limitation: counting rather than understanding. Echoing the critique of CVSS, we thus suggest, too, that security professionals “skip converting qualitative measurements to numbers”. The healthy debates in other disciplines provide material for a debate within information security to examine the correctness and utility of assigning numerical values to various pieces of data.

A mistake we criticise in OSSTMM is the failure to recognise that the moments of a social organisation are different from the moments of a computer network. This, too, is no privilege of OSSTMM as can be easily verified by the prevalence of mantras along the lines of “humans/people/users are the weakest link”. This standpoint, which is as prevalent as it is wrong, offers the curious indictment that people fail to integrate into a piece of technology that does not work for them. In the context of security testing this standpoint has a home under the heading of “social engineering” and its most visible expression: routine but ineffective phishing simulations. It is worth noting, though, that even when the focus is exclusively on technology, not engaging with the social relations that this technology ought to serve may produce undesirable results, for example leading to designs of technological controls with draconian effects where less invasive means would have been adequate.

More broadly, the tendency of information security to rely on psychology, dominated by individualistic and behavioural perspectives and quantitative approaches to understanding social and human aspects of security, may represent an obstacle. Alternative methodological approaches from the social sciences, particularly from sociology and even anthropology, such as semi-structured interviews, participant-led focus groups and ethnography offer promising avenues to deeply understand the security practices and needs in an organisation.

More on those 10 PhD Positions at Royal Holloway’s CDT in Cyber Security

My colleagues who work on the social/cultural side of (information) security together with colleagues from other departments have put together an outline for people who come from disciplines such as Human Geography, Sociology, Criminology, Law, Political Science, International Relations, Classics, Archaeology, Cultural Studies and Media Studies.

Fully Funded 4-year PhD Studentships at the EPSRC funded Royal Holloway Centre for Doctoral Training in Cyber Security for the Everyday

We are pleased to advertise positions for up to 10 PhD studentships to begin in September 2019 at the new Centre for Doctoral Training (CDT) in Cyber Security for the Everyday at Royal Holloway University of London.

We seek applications or informal expressions of interest from students and researchers with an interest in cyber security. In addition to Mathematics and Computer Science, relevant disciplines may include Human Geography, Sociology, Criminology, Law, Political Science, International Relations, Classics, Archaeology, Cultural Studies, Media Studies and more.

Building on two previous Centres for Doctoral Training in Cyber Security based at Royal Holloway, and anchored within the Information Security Group, the new CDT reflects the growth in and need for interdisciplinary research which critically engages with everyday cyber security questions. It does so by combining an understanding of technical systems with social science and humanities approaches to cyber security, personal information and growing datafication. In a broad sense, PhD projects will explore cyber security in the context of societal needs, critically evaluate the contribution cyber security makes to societal and individual securities and place discussions over the ethics, rights, responsibility and fairness of cyber security at the centre rather than at the periphery. Other academic departments involved in the Centre include Computer Science, Geography, Law, Psychology and Politics and IR.

Whilst broad in scope, the CDT is driven by two overarching strands of enquiry:

  • The technologies deployed in digital systems that people use, sometimes inadvertently, every day; and
  • Everyday societal experiences of cyber security, including how different societies, communities, groups and individuals conceptualise, materialise, negotiate, and respond to increasingly digitally mediated and technologically driven worlds.

A central aspect of the CDT programme is interdisciplinary collaboration as students work on shared projects and other collaborative activities within their PhD cohort. This is encouraged throughout their studies but is a key component of the first year, which is devoted to training activities and individual and group projects. Students may not have established project ideas at the time of recruitment but develop these during the first year.

The core strategic objectives of the CDT in Cyber Security for the Everyday are:

  1. To develop cohorts of truly multi-disciplinary researchers, with a broad understanding of cyber security and a strong appreciation of the interplay between technical and social questions;
  2. To promote research in cyber security that is original, significant, responsible, of international excellence and responsive to societal needs; and
  3. To engage with stakeholders in the cyber security community and wider society.

We are keen to encourage applications from across the Social Sciences and Humanities. Potential areas of interdisciplinary study include but are not limited to:

Conceptualise

  • The arts and critical discourses of cyber security
  • Agenda-setting, framing and cyber security
  • Feminist cyber security
  • Social difference, intersectionality and cyber security
  • Intimate spaces of cyber security (including the body, home, etc.)
  • Everyday/routine violences and cyber security
  • Solidarity and resistance and alternative forms of cyber security
  • Narratives of security
  • Ontological security across disciplines and forms of expression

Materialise

  • Contemporary archaeologies of cyber security
  • Cyber security and the city
  • The materiality of digital mediation in cyber security
  • Media as data
  • Resistance through data, memes/gifs/films
  • Simulation and simulated affect - emotional security data & machines

Negotiate

  • Sustainable development goals and cyber security
  • The impact of cyber security and public policy
  • Territory, diplomacy and cyber security
  • Regional and international cyber security
  • Transnational and global governance of cyber security
  • Cyber security of democratic institutions
  • Cybersecurity at work
  • Organisational approaches to and processes of cybersecurity
  • Cybersecurity profession and professionals
  • E-surveillance at work

Respond

  • Mobilities, automated and autonomous mobility systems
  • Resistance, dissent and cyber security
  • Hate crimes and affect
  • Cultural economies, crypto-currencies and piracy
  • The dark web, visibility and invisibility
  • Practices of data hacking in media consumption.

Reading Material on Gender Essentialism

In a memo titled Google’s Ideological Echo Chamber James Damore claims that “the distribution of preferences and abilities of men and women differ in part due to biological causes and that these differences may explain why we don’t see equal representation of women in tech and leadership” with the aim to show that “discrimination to reach equal representation is unfair, divisive, and bad for business.” Soon after the memo went viral, tech sites such as Hacker News started to see supportive statements. Motherboard reports that the verdicts expressed in the memo have some traction amongst the author’s former co-workers. It stands to reason that this agreement is not the privilege of Google employees, or as Alice Goldfuss put it:

I’ve read the Google anti-diversity screed and you should, too. You meaning men. Women have heard this shit before. Why should men read it? Because it’s a 10 page essay that eloquently tears away the humanity of women and non-white men. It uses bullet points and proper spelling and sounds very calm and convincing. And it should, because it was written by one of your peers.

— Alice Goldfuss (@alicegoldfuss) August 5, 2017

While I do not work in (US) “tech” (I’m an academic cryptographer at a British university), I guess the fields are close enough. Besides, gender essentialism is a prevalent idea beyond the confines of STEM disciplines. As mentioned above, the memo offers a bullet point list to support its claim:

  1. [The differences between men and women] are universal across human cultures
  2. They often have clear biological causes and links to prenatal testosterone
  3. Biological males that were castrated at birth and raised as females often still identify and act like males
  4. The underlying traits are highly heritable
  5. They’re exactly what we would predict from an evolutionary psychology perspective

The memo and its defenders accuse those who disagree with its claims of being ideologically driven moralists [1], hence the memo’s title. Alas, since I read several good critiques and their source material over the last few days, I figured I might attempt to summarise some of these arguments. [2] Initially, my plan was to simply dump a list of books and articles here, but reading around as someone not so familiar with this literature, I found this mode of presentation (“well, my meta-study says your meta-study is full of it”) rather unhelpful. Thus, I opted for spelling out in more detail which arguments I found particularly illuminating. [3]


LMonade GSoC 2014 Accepted Projects

The list of accepted projects of this year’s Google Summer of Code is out. For the list of accepted projects for Sage see here, for the LMonade project see below, for all other accepted projects see Google’s site. I am going to mentor William’s M1RI project together with Clément Pernet. It’s going to be a blast.


Three sweet but short postdocs in France

The HPAC project has three one-year postdoc positions available:

Three research positions (postdoc or research engineer), offered by the French ANR project HPAC  (High Performance Algebraic Computation), are open.

Title: High Performance Algebraic Computing

Keywords: parallel computing, computer algebra, linear algebra, C/C++ programming

Locations:

  • Grenoble, France (LIG-MOAIS, LJK-CASYS),
  • Lyon, France (LIP-AriC),
  • Paris, France (LIP6-PolSys),

Starting date: between June 2014 and January 2015

Type of position: 3 postdoc or research engineer positions of 1 year each

Detailed descriptions:

General Context:

The ambition of the project HPAC is to provide international reference high-performance libraries for exact linear algebra and algebraic systems on multi-processor architectures and to influence parallel programming approaches for algebraic computing. It focuses on the design of new parallel algorithms and building blocks dedicated to exact linear algebra routines. These blocks will then be used for the parallelization of the sequential code of the LinBox and FGb libraries, state of the art for exact linear algebra and polynomial systems solving, and used in many computer algebra systems. The project combines several areas of expertise: parallel runtime and language, exact, symbolic and symbolic/numeric algorithmic, and software engineering.

Profile of the positions:

We are seeking candidates with solid expertise in software library design and development (e.g. C, C++, OpenMP, Autotools, versioning,…), preferably with a good background in mathematical software and computer algebra algorithmics. The main outcome of the work will depend on the type of the position (postdoc or engineer) and include code development in open-source C/C++ libraries such as LinBox, FGb, Kaapi and research publications in international journals or conferences.

Each location is seeking candidates matching the following keywords:

  • Lyon: (contact: Gilles….@ens-lyon.fr) High performance/parallel computer algebra, symbolic and mixed symbolic-numeric linear algebra, validated computation, high performance Euclidean lattice computation, lattice basis reduction.
  • Grenoble: (contact: Jean-Guill…@imag.fr) Library design and development, LinBox, Sage, XKaapi, parallel exact linear algebra, work-stealing and data-flow tasks.
  • Paris: (contact: Jean-Charl…@groebner.org) Polynomial system solving, Gröbner basis computations, parallel exact linear algebra, algebraic cryptanalysis, distributed computing.

Feel free to exchange with the contact person of each site for further information.

How to print at the ISG at Royal Holloway

It seems all the information on printing from proper operating systems at the Information Security Group at Royal Holloway, University of London available online is a bit outdated. So here’s what you should do when using CUPS:

  1. The URL for printing is lpd://USERNAME@rhulprint.rhul.ac.uk/MA-Follow-Me where USERNAME is your college username (it’s a random looking combination of letters and numbers). The trick I was missing for a long time was that you need to add your username. Thanks, Jacob.
  2. Download the right PPD for *KONICA MINOLTA bizhub C452* from the Konica website.
  3. Now print to MA-Follow-Me, go to, say, the postroom, swipe your card and retrieve your sweet, sweet print outs.
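The same setup as a POSIX shell script, added here as an example and not part of the original post: it registers the queue with CUPS via lpadmin, assuming lpadmin is installed, the PPD has already been downloaded, and the caller may administer CUPS; the function names and the username check are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: register the ISG follow-me
# queue with CUPS using lpadmin. Host and queue name come from the post;
# the function names and the validation step are this example's own.
RHUL_PRINT_HOST="rhulprint.rhul.ac.uk"
RHUL_QUEUE="MA-Follow-Me"

# Print the lpd device URI for a college username, or fail (return 1) if the
# username is empty or contains anything other than letters and digits, so a
# mistyped value cannot smuggle shell or URI metacharacters into the queue.
rhul_print_uri() {
    username="$1"
    case "$username" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
    esac
    printf 'lpd://%s@%s/%s\n' "$username" "$RHUL_PRINT_HOST" "$RHUL_QUEUE"
}

# Add (or update) the queue. Usage: rhul_add_printer USERNAME /path/to/C452.ppd
# Needs rights to administer CUPS (root or a member of the lpadmin group).
rhul_add_printer() {
    uri=$(rhul_print_uri "$1") || { echo "invalid username: '$1'" >&2; return 1; }
    [ -r "$2" ] || { echo "PPD file not readable: '$2'" >&2; return 1; }
    # -p queue, -E (after -p) enables it, -v device URI, -P PPD, -D description
    lpadmin -p "$RHUL_QUEUE" -E -v "$uri" -P "$2" \
        -D "ISG follow-me printing (swipe card at the printer to release)"
}
```

After running rhul_add_printer, `lpstat -p MA-Follow-Me` should list the queue as enabled and jobs can be sent with `lp -d MA-Follow-Me FILE`.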

Postdoc Positions in DTU Crypto Group

I can highly recommend working here!

Department of Applied Mathematics and Computer Science, Technical University of Denmark, www.compute.dtu.dk/english would like to invite applications for two Postdoc positions of 18 months each, both starting 1 January 2014 or soon thereafter. The topic of the project is lightweight cryptology, which regards scenarios involving strongly resource-constrained devices.

Encouraging female reverse engineers

Thomas Dullien is running a nice competition to address the gender gap in IT security or more precisely reverse engineering:

As a field, reverse engineering has undergone a rapid change in recent years: a rise in importance and visibility has led to a rapidly growing community of reverse engineers. More people are doing reverse engineering, better tools are developed, and it has mutated from a “dark art” to an almost-mainstream endeavor.

However, as the community grows, the most visible parts remain unchanged. While there are female reverse engineers in the field, they are still under-represented in absolute numbers and visibility of their work in conference attendance and presentations.

What can we, as a growing field, do to change this? Progress can be made on the macro level by many small and decentralized contributions on the micro level. So, when I heard about the Syscan speaker’s honorarium this year, I decided to put it to good use.

I asked a few friends if they’d be willing to form a panel of judges for a women-only reverse engineering challenge, with the first (and only) prize being a ticket to fly to and attend Syscan Singapore 2013. Luckily for me, they agreed 🙂