PCI Certified Scans…or Not

There is an old saying that goes “Both the doctor and the angel of death kill, but only the doctor charges for it.”

I don’t know why that came to mind when I started reading the Scanless PCI site, but maybe it has something to do with their darkly sarcastic view of assessment services.

Logically we know a service provider can not guarantee survival in the face of uncertain threats. We also know that the value of security assessments is uncertain, not least because of frequent innovation in information technology and the constantly expanding markets that follow. Does it therefore follow that all hope is lost and absolutely no value can be assigned to a security scanning service?

It is hard not to agree in general with the humor of Scanless PCI. Humor about challenges may help people focus on them more easily and elevate the chance of improvement. But at the same time, their claims go a bit too far:

Our patent-pending scanless technology is just as effective as any PCI certification on the market…

Effective at what? I have been able to derive genuine results from their competitors. I have lessened the likelihood of compromise for clients with scanning services, sometimes even while working as an incident responder, and I am certain I could not do the same with Scanless PCI. Granted, “protected by” logos on webpages are annoying and add zero value in my opinion, but actual scanning does have a use, and that use is not acknowledged anywhere on their site.

Scanless PCI guarantees, in writing, that you will be just as secure from hackers and other bad guys as any other competing solution on the market.

Oh, such cute snake-oil sales charms. Very nice play on the fact that no doctor can guarantee the health of their patient. Should the patient never attend another doctor? Should a doctor offer services for free if no guarantee of survival is available? The ScanlessPCI guys make light of the fact that no one yet knows what it really means to be “secure from hackers and other bad guys”. In the same vein, no one yet knows how to live a healthy, long life (although the Blue Zones theory is an interesting new approach to measuring it).

At the end of the day, I have to put this all in focus (pun not intended). I signed a form last week that said I was willing to have corrective eye surgery even though I was told the outcome could not be predicted 100%. With that in mind I did not choose someone random to do the surgery, but rather the person I believed would give me the most value for my money. Risks are to be managed carefully. Just because risks can not be tested with absolute certainty does not mean we should instead operate blindly or assign zero value to anyone who tries to assist. I certainly wouldn’t trust these guys with a scalpel even if they said they offer the same guarantee for health as any other doctor:

Scanless PCI – The Fastest, Least Intrusive, and Cost Effective PCI Certification Available.

Oh, and just in case you missed the fine print, here it is:

Scanless PCI is for compliance with the Pooma Card Industry Data Security Standard, and compliance with other standards or regulations is not offered nor implied.

Go out and get your Pooma Card now. I suspect they look something like this:


US AirForce panned for DDoS proposal

Wired has a hilarious critique of an Air Force proposal to counter DDoS attacks with…DDoS attacks.

I’m sure that DDoS attacks could be useful to the military under certain circumstances. So could sending our enemies a bunch of unwanted magazine subscriptions, or ordering them dozens of pizzas with anchovies and pineapple (blech). But adults don’t do that sort of thing.

The internet is a community venture, and DDoS is vandalism against the community. There’s no such thing as pinpoint targeting in a DDoS attack; innocent civilian infrastructure is impacted every time.

Basically, Col. Williamson has noticed that there are bad guys in the swimming pool, and his solution is to piss in their general direction. That’s the kind of behavior that rightly gets you kicked out of the pool and sent home for the summer.

Funny stuff. The only problem is that the US Air Force is already infamous for use of excessive force that destroys civilian life, let alone lifestyle. Carpet bombing and nuclear attacks have been their heritage so the Wired critique will surely fall on deaf ears.

Although nicely written, the critique seems disconnected from history. It also has a logical loophole: with the intent and capability to disable or destroy all infrastructure, who exactly would be kicking whom out of the pool?

The Air Force has been used for exactly what the author complains about — excessive force that harms civilians. Examples by the US military alone include Dresden, Tokyo, Hiroshima and much of Cambodia (e.g. 600K deaths from 3,500 sorties in 1969 alone, with 2,756,941 total tons dropped in 230,516 sorties on 113,716 sites until 1973).

This all hearkens back to strategists in WWI who saw fighting by air as just another way to completely obliterate civilian infrastructure to achieve victory. I’ve seen it blamed on the Italians, but you can be certain every military has a high ranking official who thinks like General Sherman did in his 1864 four-month “scorched earth” march of destruction. I guess you could say he was literally pissing in the pool, but as nobody could manage to send him home that summer he instead garnered the surrender of armies from the Carolinas, Georgia and Florida.

Ronald Reagan Speech Suggests Aliens Among Us

No kidding. In his address to the 42d Session of the United Nations General Assembly in New York, New York he said that we just need a common enemy (outsider, if you will) to absolve our differences. Sounds dangerously like scapegoating to me. Then he said there are aliens already among us — those who are in favor of war.

Can we and all nations not live in peace? In our obsession with antagonisms of the moment, we often forget how much unites all the members of humanity. Perhaps we need some outside, universal threat to make us recognize this common bond. I occasionally think how quickly our differences worldwide would vanish if we were facing an alien threat from outside this world. And yet, I ask you, is not an alien force already among us? What could be more alien to the universal aspirations of our peoples than war and the threat of war?

So we should unite ourselves against those who favor war or who threaten war? A war on those who want war?

Quick, grab a pitchfork and some torches. We have some unification work to do.

Gold Fish Crackers Stolen from Switzerland

1958 Can of Goldfischli
Every so often I hear complaints about people who copy things and improve them instead of “inventing” them. It just came up again in a discussion on Bruce Schneier’s blog.

Did you hear the one about the Gold Fish cracker invented in 1958 by Oscar Kambly at his family business?

America gets its first taste of Goldfish crackers in 1962. Margaret Rudkin discovers the snack cracker on a trip to Switzerland and returns with the recipe.

The Kambly site says the idea originally was a gift for Oscar’s wife.

Who would have thought that the Gold Fish cracker is actually a Swiss invention? And I wonder why Rudkin re-branded as OEM instead of being a distributor.

Maybe the Swiss stole the idea from the French, and maybe they stole it from… will the real inventor please swim forward?

One has to wonder what would happen if the town of Cheddar had a penny for every ounce of cheese sold in America under their stolen name…