Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years, said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems still remained.
His reference was to the standard phrase offered by politicians whenever there is a mass shooting in the US and there are calls for action on guns. The status quo is maintained because of the influence that the arms industry has.
Aitel spoke for the motion while his opponent, Phillip Wylie, a well-known offensive security expert and a tech evangelist at CyCognito, argued that patching was not totally useless, but one of the many tools in a defender's armoury. Wylie's arguments were somewhat nuanced, while Aitel used clear, concise phrases, with the occasional touch of wicked humour.
The debate on Patching is useless. Phillip Wylie is at the top right, the moderator is on the top left, and AItel at the bottom.
Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched.
During his time with Immunity — which he sold to Cyxtera Technologies in 2019 — Aitel said many of his customers had been big financial firms and he had advised that any contracts they signed with software vendors also contain a clause that would enable them to walk out of contracts if any software proved to be overly buggy.
He said this could be a way to prevent big companies from being forced to continue to use security solutions even though they were a constant source of grief.
Aitel likened patches to orange juice — a common part of breakfast in the US — pointing out that for many years people had believed that it was the most useful part of one's morning meal. In the end, it had been found to be a source of too much sugar and something that made people obese, he added.
He had harsh words for Microsoft and other big software vendors whom he said had done little to actually mitigate the problems posed by poor-quality software. He also criticised PHP for its numerous security problems.
Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.
On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather Windows machines.
Aitel called for vulnerability management, advocating the government as the best entity to handle this. His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.
Surprisingly, the audience vote to determine the winner of the debate came down on Wylie's side, with 56% of those present supporting his stance.