
Why aren't there any serious debates in infosec?


gnyman


Or is there?
I’m not talking about twitter flamewars, which flare up occasionally. I’m more thinking in the style of civilised and moderated live panel debates, podcasts, maybe something like this hour long debate on nuclear.

This is something I’ve been on the lookout for a while, but found almost nothing. So, I hope someone can help me figure this out or point me in the right direction if I’ve just missed it. The closest I’ve seen to this is the occasional blog post which got a few proper replies in the form of blog posts in other personal blogs. But one argument and one rebuttal isn't much of a debate.

One reason would be that there aren’t any topics to debate, but that doesn’t feel like the case. There is an infamous saying (can’t recall who I heard it from) that infosec people are the hardest to work with because every time you ask someone in infosec a question about infosec you get a different response. So, it seems we disagree on numerous topics, everything from which EDR solution is the “best” all the way to ethics about responsible disclosures and the release of offensive tooling.

Which brings me back to my original question: are there any public debates on these topics, and if so, where? And if not, why?

Edited by gnyman

I think the reason you don't see many debates is because they can pretty much be all settled in practice. The proof is in the pudding, really. Let's say you have an opinion on how to best approach, I don't know, user awareness training. Another person has a different opinion. Sure, you can debate this, but at the end of the day one approach will generally work better, and that can be seen in practice. That's what I like about this field, if something is up for debate, an answer can usually become clear or agreed upon through further research or new information.

Best practices will of course vary between organizations, but you know what I mean 


1 hour ago, ChickenKing said:

I think the reason you don't see many debates is because they can pretty much be all settled in practice. The proof is in the pudding, really. Let's say you have an opinion on how to best approach, I don't know, user awareness training. Another person has a different opinion. Sure, you can debate this, but at the end of the day one approach will generally work better, and that can be seen in practice. That's what I like about this field, if something is up for debate, an answer can usually become clear or agreed upon through further research or new information.

Best practices will of course vary between organizations, but you know what I mean 

It's an interesting idea. On a organisational level it's probably true, that there is one solution for one problem which will be optimal (at a point in time). But in a more general sense I don't think so, and debating where or when one solution is a good fit seems valuable to me.

Take the user awareness example: there are different opinions on whether simulated phishing is useful or not. I would assume there are people who believe it's useful, and others who'd say those resources are better spent elsewhere. I'd really like to hear a debate between these two people.

Another example I listened to recently was debating the value of EDR. I don't recall the podcast but it included a discussion between someone doing mostly red-team work and someone else who's more of a blue team. The red teamer's opinion was that EDR is mostly worthless, he was of the opinion that the money should be spent elsewhere. Hearing them discuss the topic, coming from so different backgrounds was very enlightening.

There are also much less practical problems, for example the debate about the release of offensive security tooling. There are strong opinions and a lot of arguments in both directions, but I have yet to find a proper debate on the topic.


Good counterpoint. I definitely agree. I would love to hear more debates myself, a lot can be gained from them. Not really debates per se, but I would recommend checking out Security Weekly, they usually get a good discussion going around whichever topic they land on.


I feel our industry admires the problem too much instead of focusing on solutions. That's probably why there isn't as much debate. It's more "look how broken this shit is" or "the users are the problem" instead of "here are some options that work in this context and scenario".

We glorify "breaking stuff and doing cool things"

 


I would love to see an infosec debate style podcast / Twitch stream. But I think with infosec there are so many clashing personalities that it'd just turn into a heated argument (though, maybe that's the entertainment factor).


I find a lot of people in infosec to get very irrational and heated when their views are tested. Also people skills aren't abundant. Would be entertaining anyway lol


7 minutes ago, jubjub said:

I find a lot of people in infosec to get very irrational and heated when their views are tested. Also people skills aren't abundant. Would be entertaining anyway lol

I've always found it wild how heated some people will get over simple device/software preference. I see it like tools in a toolkit. I have Macs, iPhones, Android devices; my desktops and servers run all kinds of operating systems. But I'll get someone seeing my Windows PC in the background of my videos and get genuinely upset.


2 minutes ago, MalwareTech said:

I've always found it wild how heated some people will get over simple device/software preference. I see it like tools in a toolkit. I have Macs, iPhones, Android devices; my desktops and servers run all kinds of operating systems. But I'll get someone seeing my Windows PC in the background of my videos and get genuinely upset.

I hate that stuff. Especially considering how close in feature parity modern OSes are, they're arguing about the smallest things as if you should need them. I love how Windows can run Linux applications pretty well now and vice versa. It really levels the playing field in terms of applications you can use.

Honestly I just don't think infosec people are any different from an average person in terms of average security practices and fanboy mentality. Which is kinda worrying for an industry meant to revolve around critical thinking but I guess people compartmentalise it (I hope at least lol).


1 hour ago, MalwareTech said:

I would love to see an infosec debate style podcast / Twitch stream. But I think with infosec there are so many clashing personalities that it'd just turn into a heated argument (though, maybe that's the entertainment factor).

Don't give me such ideas 🤣

I'd love to host that podcast, but I suck at moderating or podcasting for that matter.


1 hour ago, MalwareTech said:

I've always found it wild how heated some people will get over simple device/software preference. I see it like tools in a toolkit. I have Macs, iPhones, Android devices; my desktops and servers run all kinds of operating systems. But I'll get someone seeing my Windows PC in the background of my videos and get genuinely upset.

The way I see it, these things are just tools.

I don't think carpenters have discussions over which hammer is best for carpentry. Each tool has its use cases, pros and cons.

Same with programming languages, OSes and hacking tools.

There is no "best tool/OS for hacking".


37 minutes ago, Zanidd said:

I don't think carpenters have discussions over which hammer is best for carpentry.

Oh, trust me, they do.

Then you get up to the "master" carpenters and they'll have dozens of hammers, each for a very specific purpose. And they will have a detailed rationale for why each specific hammer is the best for its specific task.

That's a trend I've noticed across professions, the further off towards the "experienced" side of the bell curve someone is for their niche, the more likely the answer to any question about what "the best" tool is will start with "it depends..."


3 hours ago, jubjub said:

I find a lot of people in infosec to get very irrational and heated when their views are tested. Also people skills aren't abundant. Would be entertaining anyway lol

 

3 hours ago, MalwareTech said:

I would love to see an infosec debate style podcast / Twitch stream. But I think with infosec there are so many clashing personalities that it'd just turn into a heated argument (though, maybe that's the entertainment factor).

 

That's the issue, it's clashing personalities, not clashing ideas. If I wanted to see clashing personalities, I'd just go watch 90 Day Fiance. 


58 minutes ago, Name_Too_Long said:

Oh, trust me, they do.

Then you get up to the "master" carpenters and they'll have dozens of hammers, each for a very specific purpose. And they will have a detailed rationale for why each specific hammer is the best for its specific task.

That's a trend I've noticed across professions, the further off towards the "experienced" side of the bell curve someone is for their niche, the more likely the answer to any question about what "the best" tool is will start with "it depends..."

Yes, but they don’t have One Hammer To Rule them all. Each hammer has its use case.


I also miss this and I think that one problem could be that the people who really care the most (like people here) generally take things to a, well, slightly too high level, so to say. At least if we want to reach the mass of people out there. And the other people, they do not care enough and think that everything will be solved by the experts (here).

Imagine if we could get people to realize that basic infosec is not that hard actually, and that everyone is one important piece of the puzzle, and to get "those in charge" in companies to realize that they have to work WITH the employees instead of just thinking they are difficult and obstinate. We sort of have to start from scratch and by doing this I think we can avoid the trap holes debated above, with harsh words and multiple sides 'fighting' against each other and "I am more right than you".

We would probably need hosting by a combination of a humanist and an infosec person. The humanist knows how people work and the infosec person knows how IT security works, and this connection is very important since without humans, there would be like no problem at all regarding IT security.

I can see this at work where the clashes appear, how people sigh and do not take security seriously, partly because orders from above make things so f--ng complicated that we sometimes cannot do our work, and this makes people want to find loopholes or alternatives, and this is kind of, bad. And this I think is the basic level we all need to start with. In my opinion. Changing password every month with strict rules about how many letters, special characters and, yea, you know... is Not good for security, but teaching people how to create a safe password that is easy to remember and then stick with that password is Really good for security.

Sorry if this became a bit of a mess of thoughts but, this topic triggers all kind of ideas in my head, including a desire to start something to broadcast.
My brain and thoughts are rarely very linear. 😃


If we take into account all of the "you're doing X wrong" talks at different cons, I think we have a lot of debate around techniques and practices. It isn't in a traditional format, but that's alright.


I would definitely like to see more debates into reasons for why professionals/experts believe the things they do; it could offer some great insights into how they approach security. I'm always looking for what I can learn from others' experiences.


  • 3 weeks later...

So, it seems like many people agree this would be useful and it would be interesting to listen to/watch. But for some reason it isn't happening; maybe there is something I'm missing which is preventing this from happening, but I'll try to push this along to see if something happens. I think these are the three things needed to do any kind of “live” debate.

1. A topic
2. Someone who is willing to take a stand “publicly” and keep the debate civilised
3. A medium (podcast/twitch)

1. Is "easy" in that there are some subjects where people hold strong beliefs on either side, but I think it might be better to start out soft
2. Depends on the subject. 
3. I know our own @doctor_tran has been hosting a podcast, maybe that could be one place 😉 Also the Security.Cryptography.Whatever podcast did at least one “debate” on the topic of rolling your own crypto

I put down some ideas for 1. and 2. from the top of my head. And it'd be great if you weigh in with other topics you think would be interesting and suitable, and possible candidates. Then we can maybe try to see if we can find somewhere to host them.

Disclaimer before anyone starts debating the subjects in here (which is also valid but should maybe be done in another thread, and it might be useful to do). I don’t believe any of these has a binary answer, which is why I think it'd be interesting to debate/discuss them.

Subject: Are phishing simulations useful?
What: My impression is that phishing simulation has gotten a bit of bad rep and there are questions of how useful it is at actually making a business secure. Still I think this is something many organisations do and companies provide, so it would be interesting to hear arguments for and against. Is it useful? When is it useful?
Who: ?

Subject: Is it worth paying for EDR?
What: This relates to the argument I heard on the previous podcast: one of the co-hosts works more in offensive security and stated that he has never been troubled by it, so he considers it wasted money. While the other co-host, who (afaik) is head of security, was of the opinion that (expensive) EDR is absolutely worth it. Even if this was only briefly debated in the podcast I thought it was very useful to listen to. So with some leading questions like “Is Windows Defender enough?” I think it would be an interesting discussion.
Who: Someone who works as a red-teamer and maybe someone who works for an EDR vendor?

Subject: Bug bounties, do they make you more secure?
What: Again, a few years ago bug bounties were all the hype but nowadays I think the consensus is that they are useful in certain situations. For whom? At what point? It would be interesting to hear someone who works as a bug bounty person and someone who’s on the receiving side discuss the topic.
Who: A bug bounty person or someone overseeing a bug bounty program, and someone who has decided against one or advises people against it.

 

Any other ideas or is anything obvious missing from my list of what is needed to make this happen?


I absolutely agree that the main question is "where should this happen?"

However, I have the feeling that the "where" defines the "who" afterwards. So a lot of "whos" search for a "where", but no one asks one directly.

I am not into social media and creating podcasts, but did a lot of audiovisual media in my past. So, although I would feel comfortable hosting that kind of session, I have no idea how to spread it...

But if the people might raise their hands, who think about participating in such kind of debate, we might be "loud enough" to ask the right persons (as you already mentioned some) to go the next steps here?

So, you all here, who would feel comfortable participating in such kind of a debate?


  • 3 weeks later...
On 11/7/2022 at 10:03 PM, Name_Too_Long said:

Oh, trust me, they do.

Then you get up to the "master" carpenters and they'll have dozens of hammers, each for a very specific purpose. And they will have a detailed rationale for why each specific hammer is the best for its specific task.

That's a trend I've noticed across professions, the further off towards the "experienced" side of the bell curve someone is for their niche, the more likely the answer to any question about what "the best" tool is will start with "it depends..."

 

I wonder why I don't hear about such debates. Now of course I don't purposefully seek those out, but all trades should have that. Social scientists should debate on the best statistical methods, plumbers on the best wrenches, journalists on the pros and cons of on vs off-the-record interviews.

 

Is IT special in its willingness to discuss this, OR does it just feel like this, cuz we discuss it on the internet, in freely accessible social media, instead of in academic journals and during the coffee break in the tool store?
