SDL Street Fighting? -sigh-

I haven’t forgotten about you, dear blog o’ mine. I have 2 articles cooking about security that need a little bit more time to stew before they are ready. In the meantime, I wanted to write a quick post regarding this.

To first admit my bias, I have a hard time stomaching the idea that a PhD research scientist (and CTO) knows a whole lot about street fighting. While I appreciate his ideas, he is very obviously speaking about a topic (martial arts, training and street fighting) that he doesn’t understand. Specifically, his statements on how people train “dojo style” are not categorically true. Schools all focus and revolve around lots of different training methods. Each system is done almost entirely differently from another. Furthermore, his statement that “One aspect of street fighting, as compared to martial arts practiced in dojos and exhibited in competition is the fact that complex techniques don’t work. A quick kick to the groin usually beats the complicated judo throw.” is not based on any actual evidence, as I highly doubt there is a research study on the frequency of groin kicks vs. judo throws. Lastly, he doesn’t really define what he believes a complex technique to be. The target, distance and timing to kick someone in the groin can be quite a bit more difficult than at least 3 different judo throws I know (there are lots of judo throws, btw).

Now, putting all that aside, I think his article has some merit. Repeatable technique and teaching people to learn effective, simple countermeasures is a great way to START teaching people how to protect themselves. I have had the honor of participating (read: getting my a$$ thrown a lot) in defensive training of nurses, body guards and police officers. In all of these cases they are only taught a limited subset of techniques to provide them some context to work from. This is done for 2 reasons: the first is related to the amount of time and frequency they have available to train, and the second is related to the fight/flight response that happens in an altercation.

The latter is not an applicable model to justify how you train folks on secure development practices, as it’s very unlikely that you are going to be writing secure code to protect your life in real time. If you know of a job that does, hire me. I would love it. The former, however, is a fair point indeed. Given a small time frame for both training and practice, it’s better to only know a few “tried and true” methods of defense. Not everyone needs to be a martial arts expert, as simple defensive mechanisms can be highly effective in resolving an altercation quite swiftly. But even then, the analogy breaks down in the sense that, unlike real life, the attacker is often thousands of miles away and untouched and unaffected by your defensive tactic (judo throw or kick to the groin). How do you stop someone who can just keep attacking you over and over and over again as much as they choose? Defensive programming for the web has to be more thought out than hardening your code and development practice.

Anyways. I am sure he means well, and again I like the article overall… I just think that it’s kind of sullied by the use of language whose complexity and nature I don’t think he understands.

-A