Pwnage Zero
May 16, 2016  

Vision Zero is a Swedish initiative to improve traffic safety. I think the infosec community can learn a lot from it, starting with its vision statement:

The Vision Zero is the Swedish approach to road safety thinking. It can be summarized in one sentence: No loss of life is acceptable.

Some would say that this is an unrealistic goal, and, therefore, useless. I disagree: you must set aspirational goals if you want to make a mark on the world. In any case, it’s hard to argue with the results of Vision Zero:

Fatalities involving pedestrians in Sweden have fallen by almost 50% in the last five years. The number of children killed in traffic accidents has also decreased. In 2008 ten months went by before there was a fatal road accident involving a child. As tragic as this is, it is a huge improvement. However there is still so much more we can do to improve road safety. In Sweden, we could cut the death toll by a further 90% if we could eliminate technical system failures, failure to wear seat belts, speeding and drink driving – from 5 deaths per 100,000 to 0.5. This is what the Vision Zero is about: looking forward and creating strategies to take safety to new levels.

If we apply this strategy to infosec, we might get something like Pwnage Zero: no instance of pwnage is acceptable. For those who need a translation from leet-speak, this means that security flaws leading to complete compromise of a software system are not acceptable.

The Pwnage Zero strategy is a clear improvement over my own propaganda efforts, which have centered on eliminating C/C++. This is divisive. C and C++ have rabid proponents who don’t take kindly to any criticism (just like every other programming language/cult). On the other hand, it is hard to disagree with the goal of eliminating all security breaches.

Once you accept the goal of Pwnage Zero you have to consider how to get there, and with such an ambitious goal it is clear that business as usual will not suffice. You’ll have to do something drastic.

Consider the annual celebration of pwnage, the Pwnie Awards. What you’ll see there listed as “best bugs,” year after year, are remote code execution exploits. We will have to eliminate these—again, a goal that is hard to disagree with. Now I happen to think that the easiest and most effective way to do this is to stop using C/C++; but this is secondary to the goal we’ve already agreed on. If someone can come up with a solution that preserves C/C++, I’m all for it (though I don’t think that’s going to happen). This removes some of the emotion from the conversation.

More insights

We can learn quite a bit more from Vision Zero. On setting goals:

Names provide shape and meaning, which is why the “zero” in Vision Zero is so important and represents a key means to shift away from the traditional traffic safety approach.

The Swedish architects of Vision Zero set zero as the “only justifiable fatality target for road traffic.” Calling out a vision of zero deaths (and, in some places, serious injuries) sends a strong message: traffic-related fatalities and injuries are not an inevitable and acceptable side-effect of the transportation system. With its name alone, Vision Zero fundamentally re-conceptualizes how we understand injuries and deaths on our streets as preventable.

As with other preventable public hazards (think measles, smallpox and other diseases prevented through vaccines), Vision Zero calls us to be proactive; to identify risk and take steps to prevent injuries by designing the transportation system in a way that collisions won’t result in fatal or serious injury.

(In infosec terms: remote code execution is preventable; how can we proactively identify the risks and design and build systems that are immune to them?)

On blaming victims:

Solutions are responses to problems. Tired? Drink coffee! Need a break? Go on a walk! Traffic deaths and injuries? In the United States, individual road users—bad drivers, careless bicyclists, distracted pedestrians—have historically been presented as the problem, the cause of collisions. Consequently, solutions have focused on perfecting human behaviors through strategies like licensing, testing, education, training and media campaigns.

But in the Vision Zero framework, the road safety problem isn’t the individual, but rather the flaws in the transportation system—flaws that mean, for example, that cars can move at excessive speeds on city streets and incompatible road users (for instance, bicyclists and drivers) have to share the road.

In redefining the problem, we’re required to develop solutions that will impact the true culprit: an unforgiving street network that doesn’t take into account that people make mistakes. The focus thus shifts from solutions focused on perfecting individual behavior to solutions focused on perfecting a transportation system that failed to protect people who made predictable errors. As the Swedish architects of Vision Zero state: “In every situation a person might fail. The road system should not.” We have to design a system for people, instead of asking people to adjust to an imperfect system.

(In infosec terms: don’t blame users for bad passwords, eliminate passwords instead; don’t blame programmers for buffer overflows, use safe languages instead.)

On responsibility:

Who perfects the flawed system? As Juan Martinez from the New York City Department of Transportation articulated in 2016: Engineers, public health professionals, policy and law enforcement must take responsibility for every death. His words serve as a moving call to action; a reminder that not only do system designers have the ability to create a system in which crashes do not result in fatal or serious injury, it is also their responsibility.

Individuals also have a responsibility in Vision Zero: road users are expected to be competent, alert, in compliance with the rules of the road and unimpaired by alcohol, drugs, distraction or fatigue—and they have the responsibility to demand and expect safety improvements from civil servants and elected officials.

(In infosec terms: security professionals, software engineers and vendors have the primary responsibility for designing secure systems. Users have a secondary responsibility: they must not be negligent, and they must demand secure systems.)

On infrastructure:

The Vision Zero involves planning, designing and building roads and infrastructure to increase safety and reduce fatal accidents. Safety aspects must be built into the system and included when planning new infrastructure projects.

The goal is to build roads and infrastructure that meet capacity and environmental challenges without compromising traffic safety. This is not as complex as it first might seem and doesn’t need to be more expensive than the traditional way of designing roads. On the contrary, it will reduce the total cost to society over time.

(In infosec terms: design for security up-front. Use a safe language, or, if you must use C/C++, add further security measures such as static analysis, ASLR (address space layout randomization) and CFI (control-flow integrity); the benefits of these measures vastly outweigh the costs.)