
There are a few things today in the trade media that I just straight up don’t believe; rather than doing a long drawn-out explanation of each one, I’m just going to rip through them quickly.

First up, research about an “unfixable” issue with connected cars.  I’ll call your attention to the ICS-CERT alert (for the record, it’s 17-209-01, “CAN Bus Standard Vulnerability”).

So essentially, this is saying that someone with extensive knowledge of the CAN standard, and also physical access to your car, can bring about a denial of service condition.  Sure, why not.  In addition to planting a bomb, slashing your tires, putting sugar in the gas tank, putting a potato in the exhaust pipe, or other various and sundry hijinx a bad guy could do, they could also, conceivably, haxor the CAN bus.

What gets my goat though is the fuss about this being an “unfixable” issue.  Really?  I mean, it’s probably accurate to say that it is, to the same extent that my computer is “vulnerable to a denial of service condition” from a “bad guy with physical access to my machine and a pound of thermite.”  But is there any conceivable way to prevent that?  No.  Do we need an alert about it because it’s reasonable to expect someone to?  Also no.  I guess you could, somehow, architect-in some DoS resistance to CAN.  But are we extending the connected car threat model now to mitigate stuff that has a direct physical-world parallel that we otherwise don’t normally concern ourselves with?  I’m not sure I buy in that this is either possible or productive.

Second, Texas Public Radio has a thing about how security has an “unemployment rate of zero percent.”  Zero percent?  Bull.  I refer you to Macroeconomics 101 and the definition of unemployment.  “Unemployment”, as I can envision my hyper-pedantic instructor saying, generally refers to the superset of:

  • frictional unemployment – situations where employable people are in between jobs
  • structural unemployment – situations where employees are unqualified for existing jobs
  • cyclical unemployment – situations where supply of jobs exceeds available workers

I thought there was another one, but if so, Investopedia doesn’t say anything about it, so let’s assume I’m wrong about that.  Anyway, either of the first two being zero is literally impossible.  Zero percent assumes that new workers are hired into open jobs the instant they decide they are going to enter the space (frictional), it assumes that every worker is qualified for every job (structural), and it assumes that there are more jobs than workers by a wide enough margin that it exceeds the number of people who might even entertain the notion of entering the profession (cyclical).

All of the above assumptions are demonstrably and laughably untrue, ergo the statement about zero percent is clearly BS.  Which, fine… who really expects TPR to be an expert on this field or to stay within the bounds of the possible from a macroeconomics standpoint?  But the reason it upsets me is that it plays into the mythology about the skills gap, which I took careful pains to attempt to debunk the other day.  If people continue to think that “unemployment is zero percent”, it feeds a perception that is both dangerous for the industry and harmful to job seekers.  It’s dangerous for the industry because it presupposes that there’s zero slack for hiring qualified candidates, and it is dangerous for job seekers because it presupposes that a newly-minted professional will have no trouble immediately finding a job.  Both of those things cause potential harm to the people who believe them.  Likewise, it feeds the perception of security as a “hot job area” which, as I’ve said before, I don’t think is a positive long-term trend for the industry.

Anyway, soap-box complete.  I now return you to your regularly scheduled rant-free day.