Slashdot Mirror
The Rise of Feudal Computer Security
Hugh Pickens writes "In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'"
An anonymous reader provides a contrary opinion:
"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."
"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."
This is the wrong site to post this on.
These people who fall into the vendor lock in do it on their own free will, what rights does the government have regulating their decisions?
It really makes no practical difference.
perhaps it's time for government to create the regulatory environments
Easy answer: No.
Admit it, Bruce. This is all just an elaborate setup to excuse you for using the word "Microserfs".
Choice is the ultimate power. Yes, we give up some control and say in the use of data about us to use these services but no one forces you to do so. If in fact you are concerned with such services (which abound), you can always create and run your own infrastructure and go back in time about 10 years ...
Good luck with that!
Say what you want about Apple, Microsoft, Google, etc .... It's not like they make you agree to some sort of user agreement to use their products - you know, the Take It or Leave it type of agreement where you have no leeway in protecting your interests.
God, the headline makes it sounds like we, the consumer, are powerless as to what those organizations do.
Geeze!
This is Slashdot, we don't care about historic allegories. Try a car analogy instead. I mean come on, there was no feudalism in American history, but quite a bit of cars.
I find the comparison a bit exaggerated, but I agree with the conclusions. We need legislation to cover the relation between social agents and information keepers. For example, any company should allow for any customer to migrate all her data to another service, without the information loosing its original structure. The custumers should be also safeguarded against information companies going bust with their data. Etc.
And I'm just.... serfing the web.
I thing that we're all Cerfs.
Does this mean that, having been born a serf under Apple's demesne, I will have to live my entire life as such—and my children, too! Oh my God, how did I not see this coming!
quiquid id est, timeo puellas et oscula dantes.
Yes, some of these data companies are getting a bit out of hand, but is it time for the government to step in? You, of all people, know better.
I have chosen to avoid any trust in or allegiance to Google, Apple, Facebook, or Microsoft. I have to trust my hardware, but I can switch that easily enough. I chose to trust Debian, but could easily enough switch that too. Everybody is free to make these decisions. I can use end-to-end encryption to hide my data from anyone else.
I am at the mercy of my ISP. If they fail to route properly I have no recourse and no alternative faster than 56k dial-up. Network neutrality and fairness from recipients of government-granted monopolies is where the regulation is required.
Go green: turn off your refrigerator.
I try and run my own IT Domain services (for my own files,) I will NOT use Google Docs, or similar services. I have my own Apache servers, my own CMS, my own Domain Controllers, a Dumb Phone, my games are on my own hard drive, I run my own MySQL services, I do as much as I can myself, my connections to my friends use IPSec, if I get an (Android) tablet, it will be merely something that talks to my network, that I load my applications on from my network via 802.11.
I say, declare your independence.
Is that the same Just Say No to College Hugh Pickens? Telling us where to trust computer security now?
I don't know if anybody else has noticed, but all sorts of things these days are moving to, ahem, "the Cloud", without anybody asking for such functionality. Many PC games won't work without a "Cloud Client" anymore. Steam. Origin. UPlay. Take your pick. The gaming Cloud Clients even warns you that "your save games are out of sync with the cloud" because, um, you played the last 2 sessions without, er, actually going online to do it. ---- Then there is the creative software from Adobe, Autodesk and others. DCC software is the official term for these. Digital Content Creation software. These gentlemen, too, are trying to nudge their tens of thousands strong userbase into "the Cloud", and none to subtly. It is even rumored that future releases of Adobe, Autodesk and similar DCC software won't work without "connecting to the Cloud" to run these apps at all. This is even though nobody asked for this kind of functionality. What does all that mean in English? Somebody rather powerful somewhere is pressuring Adobe, Autodesk and similar big players to create "digital backdoors" into their DCC software. So the next time you want to create a viral video that is maybe protesting political some injustice somewhere, the "Cloud" knows in advance what kind of video you are working on. ------ To cut the crap, this is all about Top-Down Control. The powers that be don't want you to work offline anymore, without them being able to check what you are doing. This may be harmless when gaming is concerned - who really cares what you are doing in game space, right? But when it comes to working with professional DCC tools - CAD tools, CG tools, Video, Print, Web design tools - the Cloud actually knows who is working on what where and for what reason with great granularity. Whatever confidentially working OFFLINE once gave you - the big players now want to take that confidentiality away. They want to know what you are "cooking" on a computer somewhere. Whether you are designing a Sports Car, or creating a website for a political pressure group, or creating a Youtube Video decrying certain injustices. ----- In all these activities, the Cloud is one step ahead of you, potentially beaming your most confidential data to a Mothership somewhere (a little bird told me that the "Mothership" may be a 2 Billion Dollar custom-built data center in the Cornbelt of the United States of A.). ------- All this stuff is about a small, self-anointed Elite of MBAs trying to bend the common man to their will. They want to know what you are doing with the software they supply - which you pay for - and they don't want you to have any say in how or when this happens. That's what the Cloud is all about. Trust us with your data. Trust us with your digital designs. Trust us with intimate things you maybe wouldn't even tell your best friend or spouse about. -------- The whole Cloud Computing paradigm reeks of EVIL. Probably because the people pushing it are, well, a wee bit evil and exploitative in character.
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
Like MS' Open Office XML (An I$O standard with patents)
Like the MP4 codec (An I$O standard with patents)
Etc.
That way the government can demand that all their products they buy follow the ISO standards and nobody is force to use it /s
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
About 10 years ago a post on /. began with, "If you are responsible for computer security, you can't be too secure. A shotgun will help." Article went on with more about guns, "if your server room is being approached by a band of swarmy thugs with boxcutters, you are to pull out the company manual saying 'firearms are not allowed.'?" Writer went on more of same theme, "If choosing a handgun, be sure your wimpy arm can handle it. A 22 slug in the gut is more effective than a 357 in the ceiling." Not sure what intent writer had unless promoting a reason for guns post 9-11. Not sure why I mentioned it here but title of this article envisions early years of "security" as practiced in ancient times with Feuds was The World. I saved article text but lost in my zillion files of saved files since the 20th century.
Regarding security, how does companies like Coca Cola been able to keep their formula secret? Obviously not stored in The Cloud. Any techniques that can be applied for other safeguards? Besides limiting it to just three people.
mfwright@batnet.com
So... we want the government to regulate security and storage, when the government is, most likely, precisely whom we do NOT want reading our mail or combing through our files. Does no one remember the Clipper Chip?
The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. I could even see the possibility of requiring that companies which offer cloud storage have a certain cash reserve to cover operational costs in the event of bankruptcy, long enough for people to retrieve data. (Of course, when one of the biggest data losses in recent history is that suffered by customers of MegaUpload, and the organization responsible for that loss was not the "feudal lord" who owned the servers, but the same government people want to "regulate" security, the problem is rather clear.)
The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities. Again, does anyone remember "This T-Shirt Is A Munition"? We've been down this road before.
Yes let's all pledge allegiance to a hyper-political organization beholden to extremists. Sounds fun!
In new market, vendor lock-in is important to vendors because competition tends to crop up fast because the customer exceptions are low and therefore easier and cheaper to meet. The bar for entry is low. Later, as the market matures and the number of vendors stabilizes, the most valuable features tend to be across all vendors. Eventually, the only way to increase customers is to take them from someone else. Also, customers will start to wise up and want interoperability. Lock-in becomes less valuable to vendors and systems start to open up.
You're responsible for your own security. You don't pledge allegiance to a vendor, you use their wares until it doesn't satisfy your personal requirements.
This sort of metaphor, while poetic, is counterproductive.
Anyone who thinks 'government has largely abdicated its role in cyberspace',
is smoking some mighty strong stuff!
I can't begin to count the ways that this submission is detached from reality.
No shit. People want government involved in literally fucking everything at this point.
But we need them to be involved in everything. Who else will protect us from people making wildly inaccurate historical comparisons online?
In the feudal example the peasants get to not be killed, starved, driven off their lands by barbarians, etc.
What do we get for using Apple vs. Google or Microsoft, etc?
Convenience? Whiz bang? Access to their advertisements?
Be your OWN feudal lord.
Regulated services at best provide consistent, mediocre service at the highest rate the regulator will let them charge; usually they provide the minimum they can get away without getting fined too much. Ask yourself how happy are you with the other regulated services in your life like land-line phone carrier, cable television provider, electric company, natural gas company, etc.?
I thought not.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
and don't forget to photograph the JCL stack in the proper order first, because if you mung that up, we won't tell you.
seems I've heard this before.
if this is supposed to be a new economy, how come they still want my old fashioned money?
HELP! HELP! I'm being repressed!
I guess this makes Bruce Schneier a courtier?
...at the end of the day, I trust Google (and even Apple) far more than my government. My relationship with them is contractual, whereas my relationship with the government is through the barrel of a gun.
It looks to me that bunching all of those vendors in one bundle is a bit risquè. In effect, some of them are selling something that they do not own.
...mmmmm, where to begin? This is Slashdot, so let's start with Microsoft. I never saw, read of heard about a suicide that lasted longer, unless the Dynosaurs killed themselves using farts to start a climate change. XP is still dominating their cash cows, and lo and behold, the serfs have fought back: "yes, come back when you REALLY will cut support. Line up over there, if we really want to retrain the whole workforce, we might as well go for open source + service contracts.....unless you offer us upgrades to windows SEVEN for 4.99$ per seat.". Final Nail in the coffin: price raises, obviously; why let a good opportunity to be LESS competitive go by?
Google, the smartest of them all: it's selling dearly to people things that they really do not own, mindspace. the gadgetry is very good, I do use calendar syncing, but I never entered via the browser since I set it up, and I use thunderbird + lightning as a client; anybody cares to bet on what will happen if all of a sudden the calendar utility ceases to be free and/or interoperable? I do think that at the Mozilla foundation they have a stock of Champagne bottles, in case it happens.
and now, the Apple of my eye. My teen daughter is quite taken by the Ipad, and it's the most expensive toy she has ever received. but "retina display"? "iphone 5"? "Siri"? it's becoming an organized religion: you have to believe, because if you approach with rationality, you get cold feet. Seriously, I know I am fifty, but looking at a puny display I cannot SEE the high definition.
But the biggest pun of all is "the government". Get serious, the only thing the governments are interested in is a." are there taxes to be had?" and b. " will these bozos provide us with private data, backdoors, snooping facilities if we ask?"
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
Feudalism was a result of technology at the time. A wealthy man or tribal or clan leader needed warriors to provide security so he could manage his people and protect them from enemies. Forging and blacksmithing technology created armor and weapons, and advances in animal training meant that a decently trained and well equipped soldier was able to kill anyone who opposed him without those advantages, thus in order to provide security said wealthy individual/tribal/clan leader needed men who had those things. Those things were expensive, and no one could afford to spend their time training to kill and afford a good horse and armor without also having some way to eat. This problem was solved by feudalism: the trained soldier was given land to manage and people to run that land for him, so he could spend his time learning to fight and afford equipment.
This changed with technology once again. Guns meant that no matter how skilled or well armored a soldier was, an average peasant with no training was a direct threat to him. Eventually guns becamse so cheap that any peasant provided with a cheap gun was a threat to a very expensive, highly trained knight, making the knight obsolete, and suddenly feudalism was a solution to a problem that no longer existed. What guns did is it put everyone on the same playing field in terms of violence, making classes substantially more equal. Thus philosophies such as "all men are equal" and "the Rule of Law" came into effect to help discern how to manage society in light of the fact that anyone could now kill anybody. So in effect, the concepts of Law and regulation removing feudalism is not true; feudalism became obsolete in light of societal changes, and the Rule of Law and regulations and all that came into effect to replace feudalism once it was gone.
That being said, it's still a stupid analogy. I use my iPhone to check my personal email on Gmail and my work email that is managed through a Microsoft exchange server as well as Facebook, back up my iPhone through iTunes on my Lenovo Thinkpad, store all my personal files in Dropbox or Google Docs. And when a new thing comes along that has a better email system or cloud storage, I can easily transfer from one to the other. That's the feudal equivalent of owing allegiance to the kings of 4 different warring countries while dealing with a babarian chieftan, knowing full well I can abandon any or all of them when a new king comes along. Not exactly how feudalism works.
Classical medieval feudalism depended on overlapping, complex, hierarchical relationships.
Wrong. It depended on simple relationships (lord {=} vassal); it started to fall apart when the relationships became complicated (look up The Hundred Years War for a nasty case of its collapse)(see the Thirty Years War for its final collapse).
Anyway, it always was feudalism. Who owned their own computers before the Altair? In the early days of the PC era, most computer users still were primarily attached to work machines. The Internet was run by personal relationships between the Great Lords (i.e., the administrators of the major Internet nodes), sealed with little more binding at the beginning than a handshake (which was how Jon Postel got stuck running the DNS root node for years). Given that users can still choose what Schneier thinks of as feudal lords, that makes users minor barons, rather than serfs (no serf could do anything except run away from their lord, or launch futile revolts once a century or so).
Would Bruce Schneier really prefer it run by men with guns and bayonets enforcing the wills of THEIR lords (swayed, no doubt by bribes or job offers for after they leave Federal service), launching wars against each other like 20th Century govenrments, etc? Please, give me benign neglect, any day.
The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
I think this pipe-dream Libertarian has forgotten, as they all do, that when and if they fail to deliver the goods, thousands or millions of people will be irreparably harmed before they have a chance to know that they will be harmed. That is what regulations are designed to address. Do you trade off some efficiency in the system? Of course. Is it worth it? Ask a serf.
With "just trust us" as a lot of provider's sole SLA assurances, one needs to consider packing their own parachute when it comes to services. This will take a lot of work even for a technical person.
Starting at the lowest level, it would be establishing a PGP/gpg web of trust with other people/entities. With that in place, everything else in between can be compromised, and the worst that happens is a denial of service attack.
Then comes the OS. On BSD or most Linux distros, you can replace almost anything on the OS without having the whole house of cards fall. If I wanted a custom init or wanted to go back to the old style /etc/rc where every daemon started from that, I could. With Windows, no real way.
Then there is the firewall. Ideally, you want this on a dedicated machine and separate from the router so if the router is backdoored or otherwise hacked, it won't allow access into the internal network. The wireless AP also hooks up to the firewall and even though it has a WPA2 passphrase, clients connecting still use a VPN to connect to the router for establishing a connection.
Not trusting someone means a lot of roll your own items, especially routers, but one can gain a lot of security this way. If one had access to a colocated ISP, that could be used for stashing one's E-mail servers and such, all behind a dedicated router PC [1]. Barring physical access, this would allow one reliable E-mail and such.
Of course, one has to tailor their solution to their security needs. For me, remote access attacks are my worst fear, as well as a crackhead breaking in (who will just grab stuff regardless). Others might fear police seizures and need to protect against physical loss.
For the tl;dr, one can have adequate security without depending on just promises... but it takes a lot of work. Next to doing this, the next best thing would be local UNIX user's groups making ISPs/email servers where people are known physically.
[1]: Preferably a UNIX that isn't x86 based, because of fear of another f0 0f bug, but allows code to run in ring 0.
Um, guns lead to philosophies like the Divine Right Of Kings and longing for Benign Despots, because only kings and despots could afford their own armies, and nothing but armies could defend against other armies.
Equal Rights and Rule Of Law had to wait until the invention of the large limited-liability corporation (e.g., East India Company, various syndicates for privateering against the Spanish back in the days of No Peace Beyond The Line, etc.). When commerce mattered as much or more than royal ambitions, then the rules and mores of commerce had to spread to everyone.
An incomplete list of types of vendors and organizations I have to trust not to be stupid or evil with my information: 1) bank 2) credit card(s) 3) doctor 4) health insurance 5) state and federal governments 6) employer Yes, I am not necessarily locked into any of these but changing some are more of a burden than others. Microsoft, Google and Apple are only recent players in this game.
While I do think there is a some truth to your basic argument, we become vassals by our own free choice. We can be with one today, and choose to walk away tomorrow.
Granted, it could be difficult. I still know people that can't give up AOL.
Have gnu, will travel.
Kind of shitty article though. I thought Bruce was going to talk about how some security researchers won't release their findings to the world, keeping the security holes secret so they're less likely to be patched, esp. those cyber-"security" teams of governments themselves... I run my own servers for my email and services that really matter to me and my family. That, and there's no such thing as a client or server, really... My, logs show that grandma just synched more photos to our private distributed "freenet" cloud. She probably did that by plugging in her camera to her PC -- the sync automatically scans her albums folder.
Oh, I might be pledging alegence to Free Software! Oh no! Why, whatever will I do if Linux becomes a fiefdom? Why, I'll Fork it, or use BSD, both of which run the important shit just fine... Also, my VOIP system connects directly between my family's houses avoiding even using a 3rd party service for in-family calling. I
I thought it was supposed to be increasingly difficult not to pledge alegence to MS, Apple or Google. It's actually getting easier to NOT do so if you ask me and mine. Woops, I'm sorry. Didn't mean to actually prove anyone's article completely wrong. I would say to Bruce that he needs to clarify that it's only getting more difficult for ignorant people who don't care about what he's talking about to avoid...
Something like FreedomBox running on hardware WE own, and the software tools that allow people to migrate their data trivially from the feudal lords and upload it onto their own devices to run their own clouds. While there is software that allow people to run such service and manage our own data, these tools tend to be harder to use than the solutions that Google or Apple may use in their services (there are exceptions). Furthermore, while the technically inclined among us may take the plunge and create our own Diaspora pods or what have you, we still have to get our friends to do the same! Since most of our friends are going to use Facebook or iCloud services for the reasons I outlined above, that almost compels us to do so as well, lest we be left out of the social scene altogether. At this point I think the way forward is to build those tools, make them compelling, and use them and find ways to integrate them into the corporate clouds, while at the same time advocating to those around us WHY they would want to use the more democratic solutions like Diaspora or StatusNet, then get them to be strong advocates for the same.
welcome our feudal overlords!
It all makes sense until this part:
and that smells like bullshit. I don't deny that the situation he describes is happening to a lot of people, but as of 2012 it still seems to me that it requires more work to get into the trap, than it does to stay out of it.
Hey, your car uses gasoline, guess that makes one or more of the gasoline drilling and refining companies, or their distribution network your "lord" now, and you are their "vassal".
What bullshit. How did a weak-ass analogy like this become a front-page story?
i think you can Yoink a copy of EVERYTHING yours in the G-hive and its in decent formats also
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Communism means goods and services are controlled by a central AUTHORITY. That centralization of decision making authority is authoritarinism. So there is no communism without authoritarinism. On the other hand, in a democratic free society people will have econimic freedom - capitalism - right up until they vote themselves largesse, which in practical application is communism. When they vote to have the government take care of them, they are also voting to give givernment the power and the money - authoritarian communism.