* Ryan Naraine is traveling.
Guest editorial by Ivan Arce
On January 15, 2008, the Vatican released a statement indicating that Pope Benedict XVI had canceled his visit to Italian La Sapienza University as a result of a series of protests during the previous days.
The event marked the latest milestone of controversy that so far have lasted longer and been much more bitter than the vulnerability disclosure debate! At the heart of this dispute is a person that has been widely regarded as the father of modern science and perhaps the first known hacker in modern history, Galileo Galilei.
Galileo was a man that worked comfortably swinging alternatively from pure science to applied science; he had a strong appreciation for the observation of natural phenomena and the collection of experimental data to prove (or disprove) theories, yet he firmly believed that the laws that govern the universe could only be written in the formal language of mathematics.
[ George Stathakopoulos: Security is everyone’s domain ]
He did not shy from tampering with hardware. He built his own telescopes, thermometer and microscope and often “hacked” existing ones to improve their efficiency. Galileo was no stranger to “government grants” and “consultancy work” either; he often shared his research results and ideas with peers and associates and conducted research following unorthodox methodologies that often led him to error and wrong conclusions. He was a med-school drop out, a deeply religious man and a rebellious person; but above all he was one that rejected blind allegiance to authority on scientific matters especially when theory did not match practice and real-world empirical evidence.
On February 26, 1616 two officers of the Holy Office of the Inquisition collected Galileo at the Tuscan embassy in Rome and escorted him to the palace of Cardinal Bellarmine -- the “hammer of the heretics” -- a preeminent intellectual and theological adviser to Pope Paul V. The summons was to inform Galileo of the Holy Office’s unanimous verdict on the matter of Nicolaus Copernicus and his heliocentric theory.
The Inquisition had framed the Copernican argument as two propositions submitted to the vote of a panel of eleven theologians: a) The Sun is the center of the universe, and therefore immobile; b) The Earth is not the center of the universe and thus not only it moves as a whole around the Sun but also around its own axis on a daily motion. The panel voted and found these propositions to be not just “formally heretical” but also “foolish and absurd."
[ Mike Rothman: Breaking the zero-day habit ]
Galileo’s insistence in treating the Copernican model as a real-life scenario on the basis of his observations of the moons of Jupiter instead of simply as a hypothesis was particularly troublesome. Speaking as the Pope's representative, Bellarmine admonished Galileo to abandon defending Copernicus heretical opinion as fact (…or else). Galileo's compliance with the request did little to prevent a sordid 17-year point and counter-point argument with successive church authorities that ended up with a new summons for trial by the Inquisition in 1633. At age 70, despite all the empirical evidence he collected through astronomical observations for more than 13 years, his comprehensive mathematical analysis of the “issue” and facing possible torture and death burning at the stake he reluctantly confessed, pleaded guilty and abjured of his heretical ideas. He was promptly rewarded with a sentence of house arrest and a ban on publication of his works that lasted almost 100 years and included his most famous book, the Dialogue Concerning the Two Chief World Systems, Ptolemaic and Copernican.
Galileo died in 1642 while still under house arrest. On October 31, 1992, 350 years after his death, Pope John Paul II officially declared that Galileo was right. The Earth does move around the Sun.
The affairs of the information security discipline and its community pale in comparison to the importance, relevance and impact of the forces that Galileo Galilei set in motion almost 400 years ago and the controversies and disputes the surrounded him.
[ Shyama Rose: 'Dumbing down' the security profession ]
Information security is clearly not pure science and perhaps not even a relevant part of applied or social sciences, it also stands far from the sophisticated philosophical and theological debates of our times; but Galileo’s story and the state-of-the-art of science in the 16th century has remarkable similarities to the form and essence of the 21st century discussions and debates about information security work and the personalities and arguments of the participants.
The Internet Worm has recently turned 20 years old, Microsoft’s security push is nearly a decade old, every major operating system have incorporated increasingly complex security mechanisms; formal methods can still not provide mathematical proof that common software is secure despite exponential growth in computing power and storage, we deploy and operate an immensely expensive pile of security hardware and software that fails to work correctly on a daily basis and the vast majority of click-happy technology users do not really care much about information security.
Galileo’s story can be quite somber but it can also be very sobering. Hopefully, it will take less than 350 years for information security practitioners to look and laugh at the absurdity of the present day debates about vulnerability research and disclosure, the relative security of open source vs. proprietary software, the validity and usefulness of penetration testing, our ability to eradicate software vulnerabilities by building software “The Right Way” or whether all the people in our discipline wear colored hats and can be classified using just one bit.
* Ivan Arce is the co-founder and CTO at Core Security Technologies where he sets the technical direction for the company and is responsible for overseeing the development, testing and deployment of all Core Security products.