Slashdot Mirror
The Rise of Feudal Computer Security
Hugh Pickens writes "In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'"
An anonymous reader provides a contrary opinion:
"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."
"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."
These people who fall into the vendor lock in do it on their own free will, what rights does the government have regulating their decisions?
Admit it, Bruce. This is all just an elaborate setup to excuse you for using the word "Microserfs".
Choice is the ultimate power. Yes, we give up some control and say in the use of data about us to use these services but no one forces you to do so. If in fact you are concerned with such services (which abound), you can always create and run your own infrastructure and go back in time about 10 years ...
Good luck with that!
Say what you want about Apple, Microsoft, Google, etc .... It's not like they make you agree to some sort of user agreement to use their products - you know, the Take It or Leave it type of agreement where you have no leeway in protecting your interests.
God, the headline makes it sounds like we, the consumer, are powerless as to what those organizations do.
Geeze!
I find the comparison a bit exaggerated, but I agree with the conclusions. We need legislation to cover the relation between social agents and information keepers. For example, any company should allow for any customer to migrate all her data to another service, without the information loosing its original structure. The custumers should be also safeguarded against information companies going bust with their data. Etc.
And I'm just.... serfing the web.
I thing that we're all Cerfs.
Does this mean that, having been born a serf under Apple's demesne, I will have to live my entire life as such—and my children, too! Oh my God, how did I not see this coming!
quiquid id est, timeo puellas et oscula dantes.
Yes, some of these data companies are getting a bit out of hand, but is it time for the government to step in? You, of all people, know better.
I have chosen to avoid any trust in or allegiance to Google, Apple, Facebook, or Microsoft. I have to trust my hardware, but I can switch that easily enough. I chose to trust Debian, but could easily enough switch that too. Everybody is free to make these decisions. I can use end-to-end encryption to hide my data from anyone else.
I am at the mercy of my ISP. If they fail to route properly I have no recourse and no alternative faster than 56k dial-up. Network neutrality and fairness from recipients of government-granted monopolies is where the regulation is required.
Go green: turn off your refrigerator.
I try and run my own IT Domain services (for my own files,) I will NOT use Google Docs, or similar services. I have my own Apache servers, my own CMS, my own Domain Controllers, a Dumb Phone, my games are on my own hard drive, I run my own MySQL services, I do as much as I can myself, my connections to my friends use IPSec, if I get an (Android) tablet, it will be merely something that talks to my network, that I load my applications on from my network via 802.11.
I say, declare your independence.
Is that the same Just Say No to College Hugh Pickens? Telling us where to trust computer security now?
Like MS' Open Office XML (An I$O standard with patents)
Like the MP4 codec (An I$O standard with patents)
Etc.
That way the government can demand that all their products they buy follow the ISO standards and nobody is force to use it /s
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
So... we want the government to regulate security and storage, when the government is, most likely, precisely whom we do NOT want reading our mail or combing through our files. Does no one remember the Clipper Chip?
The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to the having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.
Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.
The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. I could even see the possibility of requiring that companies which offer cloud storage have a certain cash reserve to cover operational costs in the event of bankruptcy, long enough for people to retrieve data. (Of course, when one of the biggest data losses in recent history is that suffered by customers of MegaUpload, and the organization responsible for that loss was not the "feudal lord" who owned the servers, but the same government people want to "regulate" security, the problem is rather clear.)
The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities. Again, does anyone remember "This T-Shirt Is A Munition"? We've been down this road before.
Yes let's all pledge allegiance to a hyper-political organization beholden to extremists. Sounds fun!
In new market, vendor lock-in is important to vendors because competition tends to crop up fast because the customer exceptions are low and therefore easier and cheaper to meet. The bar for entry is low. Later, as the market matures and the number of vendors stabilizes, the most valuable features tend to be across all vendors. Eventually, the only way to increase customers is to take them from someone else. Also, customers will start to wise up and want interoperability. Lock-in becomes less valuable to vendors and systems start to open up.
You're responsible for your own security. You don't pledge allegiance to a vendor, you use their wares until it doesn't satisfy your personal requirements.
This sort of metaphor, while poetic, is counterproductive.
Probably better analogy of "you're setting up your shop, do you buy imperial or metric tools?". Well in my dad's generation if you worked on American cars you needed imperial. Of course just to screw that up, my 90s era mostly made in the USA seems to mostly need metric tools, I would imagine everything on modern cars is metric now (and no, it was not a shared platform or rebadge)
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
No shit. People want government involved in literally fucking everything at this point.
But we need them to be involved in everything. Who else will protect us from people making wildly inaccurate historical comparisons online?
Regulated services at best provide consistent, mediocre service at the highest rate the regulator will let them charge; usually they provide the minimum they can get away without getting fined too much. Ask yourself how happy are you with the other regulated services in your life like land-line phone carrier, cable television provider, electric company, natural gas company, etc.?
I thought not.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Regarding security, how does companies like Coca Cola been able to keep their formula secret? Obviously not stored in The Cloud. Any techniques that can be applied for other safeguards? Besides limiting it to just three people.
I know how the coca cola formula secrecy works and you're not going to like the solution. Homeopathy. No I'm not kidding. Any wanna be chemist probably gets to analyze soda of their choice in quant chem analysis and I did just that about 20 years ago. The fact that its 99.9999% water, HFCS (back then, it was sugar), caffeine, salt, standard sanitation and preservation chems, and food coloring is no secret nor are the ratios. There is a strange cross between legal fiction and homeopathy that if you run thru a GCMS or HPLC setup you'll find like a nanogram of black pepper in each bottle or whatever.
The secrecy is more of a loyalty test... like if it ever came out in public that one black peppercorn (or white, or whatever) was smashed and fractionated into an entire years worth of a nations production of coca cola syrup, then they'd know who leaked, and fire the disloyal worker. In fact more likely the tell a different lie to each worker and see what gets leaked...
I have no idea how to implement this in "da cloud". My guess is a combo of OTP and steganography embedded in files or something like that. Make a million fake simulated users who simulate doing all kinds of cloudy stuff, but if you gather the 34256236th bit of the 13519th file from each user and assemble them all its the launch codes or whatever.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
The gaming Cloud Clients even warns you that "your save games are out of sync with the cloud" because, um, you played the last 2 sessions without, er, actually going online to do it.
You mean it's warning you that if you reinstall your box, go over to your friends house, or buy a new computers, your progress will be out of date because you're paranoid?
Well, you've sold me. WE MUST STOP VALVE FROM PROVIDING USEFUL SERVICES IMMEDIATELY
and don't forget to photograph the JCL stack in the proper order first, because if you mung that up, we won't tell you.
seems I've heard this before.
if this is supposed to be a new economy, how come they still want my old fashioned money?
HELP! HELP! I'm being repressed!
I guess this makes Bruce Schneier a courtier?
...at the end of the day, I trust Google (and even Apple) far more than my government. My relationship with them is contractual, whereas my relationship with the government is through the barrel of a gun.
That would explain why the computers kept failing in all the Fords I had.
I often have trouble remembering which way is out of bed in the morning.
It looks to me that bunching all of those vendors in one bundle is a bit risquè. In effect, some of them are selling something that they do not own.
...mmmmm, where to begin? This is Slashdot, so let's start with Microsoft. I never saw, read of heard about a suicide that lasted longer, unless the Dynosaurs killed themselves using farts to start a climate change. XP is still dominating their cash cows, and lo and behold, the serfs have fought back: "yes, come back when you REALLY will cut support. Line up over there, if we really want to retrain the whole workforce, we might as well go for open source + service contracts.....unless you offer us upgrades to windows SEVEN for 4.99$ per seat.". Final Nail in the coffin: price raises, obviously; why let a good opportunity to be LESS competitive go by?
Google, the smartest of them all: it's selling dearly to people things that they really do not own, mindspace. the gadgetry is very good, I do use calendar syncing, but I never entered via the browser since I set it up, and I use thunderbird + lightning as a client; anybody cares to bet on what will happen if all of a sudden the calendar utility ceases to be free and/or interoperable? I do think that at the Mozilla foundation they have a stock of Champagne bottles, in case it happens.
and now, the Apple of my eye. My teen daughter is quite taken by the Ipad, and it's the most expensive toy she has ever received. but "retina display"? "iphone 5"? "Siri"? it's becoming an organized religion: you have to believe, because if you approach with rationality, you get cold feet. Seriously, I know I am fifty, but looking at a puny display I cannot SEE the high definition.
But the biggest pun of all is "the government". Get serious, the only thing the governments are interested in is a." are there taxes to be had?" and b. " will these bozos provide us with private data, backdoors, snooping facilities if we ask?"
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
The Pentagram: Google, Apple, Microsoft, Facebook, and Twitter.
To us (the serfs) it looks like they are in competition, but they are working together to control the entire world. The Pentagram's power and control knows no boundaries, it fears no military. They have centers of operation spread throughout the world, it will not harm them if some are taken out. Look how much change they have been a part of in the world during the last 5 years. Cheap cellphones and Twitter have overthrown governments. The world governments are afraid of the power of the Pentagram. They are making demands on them (such as data collection, warrantless wiretaps), but in the process have realized that the Pentagram is more powerful than each country's government. The Pentagram can shape and mold public opinion by the way they filter the news and control the flow of information. Unlike you, I am not afraid. I look forward to a world where countries become more like cultural districts rather than entities at war.
Classical medieval feudalism depended on overlapping, complex, hierarchical relationships.
Wrong. It depended on simple relationships (lord {=} vassal); it started to fall apart when the relationships became complicated (look up The Hundred Years War for a nasty case of its collapse)(see the Thirty Years War for its final collapse).
Anyway, it always was feudalism. Who owned their own computers before the Altair? In the early days of the PC era, most computer users still were primarily attached to work machines. The Internet was run by personal relationships between the Great Lords (i.e., the administrators of the major Internet nodes), sealed with little more binding at the beginning than a handshake (which was how Jon Postel got stuck running the DNS root node for years). Given that users can still choose what Schneier thinks of as feudal lords, that makes users minor barons, rather than serfs (no serf could do anything except run away from their lord, or launch futile revolts once a century or so).
Would Bruce Schneier really prefer it run by men with guns and bayonets enforcing the wills of THEIR lords (swayed, no doubt by bribes or job offers for after they leave Federal service), launching wars against each other like 20th Century govenrments, etc? Please, give me benign neglect, any day.
Um, guns lead to philosophies like the Divine Right Of Kings and longing for Benign Despots, because only kings and despots could afford their own armies, and nothing but armies could defend against other armies.
Equal Rights and Rule Of Law had to wait until the invention of the large limited-liability corporation (e.g., East India Company, various syndicates for privateering against the Spanish back in the days of No Peace Beyond The Line, etc.). When commerce mattered as much or more than royal ambitions, then the rules and mores of commerce had to spread to everyone.
An incomplete list of types of vendors and organizations I have to trust not to be stupid or evil with my information: 1) bank 2) credit card(s) 3) doctor 4) health insurance 5) state and federal governments 6) employer Yes, I am not necessarily locked into any of these but changing some are more of a burden than others. Microsoft, Google and Apple are only recent players in this game.
While I do think there is a some truth to your basic argument, we become vassals by our own free choice. We can be with one today, and choose to walk away tomorrow.
Granted, it could be difficult. I still know people that can't give up AOL.
Have gnu, will travel.
Kind of shitty article though. I thought Bruce was going to talk about how some security researchers won't release their findings to the world, keeping the security holes secret so they're less likely to be patched, esp. those cyber-"security" teams of governments themselves... I run my own servers for my email and services that really matter to me and my family. That, and there's no such thing as a client or server, really... My, logs show that grandma just synched more photos to our private distributed "freenet" cloud. She probably did that by plugging in her camera to her PC -- the sync automatically scans her albums folder.
Oh, I might be pledging alegence to Free Software! Oh no! Why, whatever will I do if Linux becomes a fiefdom? Why, I'll Fork it, or use BSD, both of which run the important shit just fine... Also, my VOIP system connects directly between my family's houses avoiding even using a 3rd party service for in-family calling. I
I thought it was supposed to be increasingly difficult not to pledge alegence to MS, Apple or Google. It's actually getting easier to NOT do so if you ask me and mine. Woops, I'm sorry. Didn't mean to actually prove anyone's article completely wrong. I would say to Bruce that he needs to clarify that it's only getting more difficult for ignorant people who don't care about what he's talking about to avoid...
Something like FreedomBox running on hardware WE own, and the software tools that allow people to migrate their data trivially from the feudal lords and upload it onto their own devices to run their own clouds. While there is software that allow people to run such service and manage our own data, these tools tend to be harder to use than the solutions that Google or Apple may use in their services (there are exceptions). Furthermore, while the technically inclined among us may take the plunge and create our own Diaspora pods or what have you, we still have to get our friends to do the same! Since most of our friends are going to use Facebook or iCloud services for the reasons I outlined above, that almost compels us to do so as well, lest we be left out of the social scene altogether. At this point I think the way forward is to build those tools, make them compelling, and use them and find ways to integrate them into the corporate clouds, while at the same time advocating to those around us WHY they would want to use the more democratic solutions like Diaspora or StatusNet, then get them to be strong advocates for the same.
i think you can Yoink a copy of EVERYTHING yours in the G-hive and its in decent formats also
Any person using FTFY or editing my postings agrees to a US$50.00 charge
I for one do.
See, we've been here before. It's like living through 'Window of Opportunity.' We've done this, and have done this so often, that it's driving a number of us completely nuts.
Allow me to lay out what will (in all probability) inevitably happen:
Congress will pass a bill giving some 'rights', while taking away a number of other 'rights.' Pundits on one side will declare that the new law is a travesty, while pundits on the other side will talk about 'how this is a little better, but there is still much work to be done.'
In a few years time, there will be rumors of some major scandal involving the oversight committee. Someone has been paid off, or owns stock in a company that is profiting obscenely from the new law, or someone's buddy owns the stock or is being paid off; or that the law enforcement has been (once again) forgetting that they need to get a warrant before searching people's stuff, or that government officials have been spending their free time looking through people's private stuff. The oversight committee will, of course, at first deny that any kind of 'lapse' has occurred, before reversing their position, and coming clean. There will be calls to disband the committee, and return the previous rights to their owners, but the government will instead replace some of the people on the committee, and possibly grant them more power.
At some point in the far off future, in the length of time it takes for a corpse to stop smelling, the entire enterprise will be disbanded. Congressman Bob will reintroduce a bill to bring back the committee, but publican opinion may be against him, and the whole matter dropped.
Something like that. We've been here before, we know that the people doing these things are not the right people to be doing them, and yet the dumb will continue pressing that button for a 'quick fix' that doesn't work. The more intelligent types will try to find the source of the problem, but probably come up wanting.
I am John Hurt.
"Music, movies, TV, and podcast subscriptions. All tied up in Apple's little ecosystem. A very pretty noose to keep people chained to its hardware.
Imagine, just for a moment, that your Sony DVD player would only play Sony Movies' films. When you decided to buy a new DVD player from Samsung, none of those media files would work on your new kit without some serious fiddling.
That's the walled garden that so many companies are now trying to drag us into. And I think it stinks.
On a mobile phone network in the UK, you can use any phone you want. Hardware and services are totally divorced. It promotes competition because customers know that if they have a poor experience with HTC, they can move to Nokia and everything will carry on working just as it did before.
But, if all of your contacts, entertainment services, and backups are chained into HTC - well, then you're just shit out of luck if you want to move.
I want to see a complete separation of church and state here. Hardware should be separate from software. Software should be separate from services.
I want to watch Nokia movies on my Samsung hardware running Google's Android, and then back them up to DropBox.
That's how it works - more or less - in the PC space. I don't understand why it doesn't in the tablet and smartphone space? Why would I buy a tablet that only worked with content from one provider? Whether that's Amazon, Microsoft or Apple - it's setting up a nasty little monopoly which will drive up prices and drive down quality.
I know, I know. The mantra of "It Just Works". I'm mildly sick of having to configure my tablet to talk to my NAS, and then get the TV to talk to both of them. That situation isn't just due to my equipment all coming from different manufacturers - it's mostly due to those manufacturers not implementing open standards."
http://shkspr.mobi/blog/2012/11/i-dont-want-to-be-part-of-your-fucking-ecosystem/ [shkspr.mobi]
Communism means goods and services are controlled by a central AUTHORITY. That centralization of decision making authority is authoritarinism. So there is no communism without authoritarinism. On the other hand, in a democratic free society people will have econimic freedom - capitalism - right up until they vote themselves largesse, which in practical application is communism. When they vote to have the government take care of them, they are also voting to give givernment the power and the money - authoritarian communism.
I need to point out that the order of events in the OP may be backwards. Consider: since they (as noted in the OP) are all using the same basic technologies to achieve the same basic results (wealth, power, etc,) they will tend to come to the same sort of solutions. After that they will simply copy or steal the more successful of the detailed solutions. No central authority yet, same result, we are pushed into the Cloud. Once enough serfs are in the cloud then the Central Authority will arise.
This would tend to lead to the conclusion that control of the Cloud is very important. Hence the idea of regulation seems to make sense again.
This begs the question of who The Cloud belongs to. If it belongs to them, then we shouldn't trust it. If it belongs to us, then they shouldn't be able to control it.