Friday, March 21, 2008

In which I attempt a metaphor

So I was explaining the poisoned search results threat to several people yesterday, and I hit upon a good metaphor to explain why this is particularly serious: it increases the attacker's "shots on goal".

If you know hockey at all (which I don't, but I've been to a few games), you know that the scoreboard typically lists "Shots on Goal" right beside each team's score. Why? Because you can't score if you don't shoot!

The more times you get to try to score, the more likely it is that you will do so, and it's the same with security. Tracking the number of exploit attempts, even the unsuccessful ones, is just like reporting shots on goal.

It happens that poisoned search results are a great way to increase your shots on goal with very little effort, and if the analogy holds, that means this will prove to be an extremely effective strategy for the attackers. I believe current events are proving this to be true.

Of course, now that I have not only made a metaphor linking digital security to real life, but a hockey metaphor at that, I expect that I have invoked The Bejtlich, and he will no doubt be forced to appear shortly and leave an insightful comment.


Richard Bejtlich said...

Hi David,

Shots on goal -- I love it. Sorry, this is not an insightful comment. I leave that to Derek Sanderson, famous Bruins hockey player from the 1970s and commentator in the 1980s. Derek used to list "keys to winning" prior to the start of each game. One night against the Hartford Whalers, his first key was "Score more goals than the Whalers." You can't make that stuff up.

David Bianco said...

And here's where my analogy breaks down, of course. In the normal scheme of things, the digital security game isn't to score more goals than the other guy. Heck, there's not even an "other guy." It's you against everyone else who cares to step up and take a shot. Seriously, it's like one of those weird fan contests they do between periods.

I keep trying to work out how I can fit the t-shirt bazooka into this somehow, but I'm not having much luck with that. 8-)