Slashdot Mirror


The Rise of Feudal Computer Security

Hugh Pickens writes "In the old days, traditional computer security centered around users. However, Bruce Schneier writes that now some of us have pledged our allegiance to Google (using Gmail, Google Calendar, Google Docs, and Android phones) while others have pledged allegiance to Apple (using Macintosh laptops, iPhones, iPads; and letting iCloud automatically synchronize and back up everything) while others of us let Microsoft do it all. 'These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don't like. Or we can spread our allegiance around. But either way, it's becoming increasingly difficult to not pledge allegiance to at least one of them.' Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. Today we users must trust the security of these hardware manufacturers, software vendors, and cloud providers and we choose to do it because of the convenience, redundancy, automation, and shareability. 'In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm (PDF). Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades.' In this system, we have no control over the security provided by our feudal lords. Like everything else in security, it's a trade-off. We need to balance that trade-off. 'In Europe, it was the rise of the centralized state and the rule of law that undermined the ad hoc feudal system; it provided more security and stability for both lords and vassals. 
But these days, government has largely abdicated its role in cyberspace, and the result is a return to the feudal relationships of yore,' concludes Schneier, adding that perhaps it's time for government to create the regulatory environments that protect us vassals. 'Otherwise, we really are just serfs.'" An anonymous reader provides a contrary opinion:

"The proposed analogy is wrong. Rather than feudal lords being replaced by a semi-accountable, presumably representative government, asking the government to take over would be going back to having just AT&T as the sole provider of telecommunications, with private ownership of phones prohibited. It would be a reversion from an open and competitive market (where those who fail to provide security can be abandoned freely, the exact opposite of a feudal situation where serfs were forbidden to leave their masters and breaking oaths of obedience would lead to hit series on HBO) to a single "provider" which cannot be abandoned or ignored.

Monopolies, in general, suck, and without an external force to shore them up, they tend to be short lived. I remember when Lotus and WordPerfect and dBase were "unassailable", and people were wondering if the government should force these companies to be more "competitive" somehow. Then it was Windows, and particularly Explorer, that was going to control the world because "no one could compete". Now it's Google and Apple. Either these companies actually provide the security they promise, or they lose business to someone who will. The fear of the "feudal lords" failing to offer the security they promise is a false one, because they have no actual hold if they fail to deliver the goods.

The role of government in this arena is making sure that companies are held accountable for broken promises, that they pay the costs for data loss and security breaches. ... The government should not be determining what security is acceptable, because governments and regulations cannot possibly keep up with ever-changing realities."

15 of 147 comments

  1. let the fools who don't know history suffer by Anonymous Coward · · Score: 3, Interesting

    These people who fall into the vendor lock-in do it of their own free will; what rights does the government have regulating their decisions?

    1. Re:let the fools who don't know history suffer by spire3661 · · Score: 5, Insightful

      The government is ALREADY involved in literally everything. Better to realize that and shape it to our own ends, rather than pretend it doesn't exist.

      --
      Good-bye
    2. Re:let the fools who don't know history suffer by Anonymous Coward · · Score: 5, Insightful

      The government is a collective implementation of society. It has the rights that the whole of society gives it to look out for the common good. Rather than having to have individual people make their own mistakes or get individually conned, the government is an institution granted the rights to protect *your* rights.

      It isn't the government regulating your decision; it's the government providing an environment in which as many options as possible are safe for you to choose from, so that you can specialize in something else and still be protected without having to worry about being swindled or conned out of giving up your own rights that have already been recognized by the collective society.

      You can certainly argue that it's an idealistic framework that often doesn't meet such a mark in practice, and you can argue that the government can wind up doing its own share of swindling, but it's wrong to implicitly suggest that the government needs "rights" to be valid about doing what it does.

  2. Just ask Vint by Anonymous Coward · · Score: 3, Funny

    I think that we're all Cerfs.

  3. Re:Exaggerated by Redmancometh · · Score: 3, Informative

    Legislate away the right to proprietary technology? You're so far left you fell off...of the wing?

  4. Where should regulation be focused? by characterZer0 · · Score: 5, Insightful

    I have chosen to avoid any trust in or allegiance to Google, Apple, Facebook, or Microsoft. I have to trust my hardware, but I can switch that easily enough. I chose to trust Debian, but could easily enough switch that too. Everybody is free to make these decisions. I can use end-to-end encryption to hide my data from anyone else.

    I am at the mercy of my ISP. If they fail to route properly I have no recourse and no alternative faster than 56k dial-up. Network neutrality and fairness from recipients of government-granted monopolies is where the regulation is required.

    --
    Go green: turn off your refrigerator.
  5. Re:"We really are just serfs." by Chris+Mattern · · Score: 5, Funny

    Well, except for Vint. He's a Cerf.

  6. Re:"We really are just serfs." by Anne_Nonymous · · Score: 5, Funny

    Bend over, Apple demands primae noctis.

  7. Nah, let's just standardize on them by denis-The-menace · · Score: 3, Insightful

    Like MS' Open Office XML (An I$O standard with patents)

    Like the MP4 codec (An I$O standard with patents)

    Etc.

    That way the government can demand that all the products they buy follow the ISO standards and nobody is forced to use it /s

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  8. Re:Exaggerated by vlm · · Score: 3, Interesting

    The customers should be also safeguarded against information companies going bust with their data.

    Talk to the construction trades about being "bonded and insured" (before or after talking about unionization, and talking about apprenticeship, of course)

    It's a simplification, but if you contract out to a bonded and insured contractor who goes out of business (lawsuit, bankruptcy, death, whatever) the bonding company will pay to get "someone else" to do the work for you at no additional cost. Obviously the risk to the insurer depends on the scale of work and the health of the contractor and length of job... I would imagine the mighty GOOG would pay less for bonding than a dotcom.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. Stupid metaphor == poor thinking by mveloso · · Score: 3, Interesting

    You're responsible for your own security. You don't pledge allegiance to a vendor, you use their wares until it doesn't satisfy your personal requirements.

    This sort of metaphor, while poetic, is counterproductive.

  10. Re:What a load of crap! by DeepBlueDiver · · Score: 5, Insightful

    In fact anyone capable of running his own infrastructure already had most of these services more than 10 years ago.

    Webmail, file storage accessible from anywhere, file synchronization between computers through the Internet, remote encrypted backups... all of this is quite trivial to set up and can be tailored to your needs in such a way that you won't even think of going back to "generic" services.

    Don't get me wrong, all this "cloud" thing has been great to bring to the masses what we nerds always had. But I have yet to see one of these services successfully replacing what I already provide to myself with just an Internet connection, a router, a NAS, and a tiny server.

  11. Re:Say what you want. by Kjella · · Score: 4, Insightful

    The problem is if you don't like any of their agreements, you just can't use technology. Yes we have a right to choose which product we want to use, but we are not offered the ability to use anything without handing over some fundamental right in the long run. The only option is to become a Luddite and live in a cave. There is no Gypsy option yet for technology and associated cloud services.

    Oh please, you can do pretty much everything if you either a) host it yourself or b) rent some space in a co-lo. I don't store my things "in the cloud", I store them on my HDDs with backups just like I did before the cloud and social media became the new hype. You don't have to blog on Facebook, you can easily get a free blog on your own terms. If you don't like Spotify then iTunes and Amazon didn't go anywhere. And if there's no free alternative to iEverywhere or gEverywhere it's because nobody's bothered to build it on top of Linux and Android - last I checked the source code to both was free and so were the SDKs, so feel free to start, rather than whine about it.

    Most people just don't want to manage their own computers, least not in the sense you and I mean. They're perfectly happy with an Apple or Google "appliance" that runs 100000+ apps. Why point fingers at the corporations when 99% handed over control voluntarily? It's like saying democracy needs regulation because 99% make stupid decisions. You can't regulate people into caring about the things you care about, because you'd have to be blind and deaf to not have noticed the wailing every time Facebook changes their privacy policy. Yet people keep using it. Same way there's nothing preventing people from installing Linux, but 99% don't do it anyway. Most people simply don't care if their computer comes as a big binary blob.

    --
    Live today, because you never know what tomorrow brings
  12. Re:What a load of crap! by bananaquackmoo · · Score: 3, Informative

    Take drop box. Show me two apps one server and one client that uses the same client app across multiple platforms that allows for easy, secure syncing to not just one server, but any server I choose?

    I'll take that open-source bet. http://owncloud.org/ I'm already running copies.

  13. Have to stay on top, I use all in some capacity. by VortexCortex · · Score: 3, Interesting

    Kind of shitty article though. I thought Bruce was going to talk about how some security researchers won't release their findings to the world, keeping the security holes secret so they're less likely to be patched, esp. those cyber-"security" teams of governments themselves... I run my own servers for my email and services that really matter to me and my family. That, and there's no such thing as a client or server, really... My logs show that grandma just synched more photos to our private distributed "freenet" cloud. She probably did that by plugging in her camera to her PC -- the sync automatically scans her albums folder.

    Oh, I might be pledging allegiance to Free Software! Oh no! Why, whatever will I do if Linux becomes a fiefdom? Why, I'll Fork it, or use BSD, both of which run the important shit just fine... Also, my VOIP system connects directly between my family's houses avoiding even using a 3rd party service for in-family calling. I

    I thought it was supposed to be increasingly difficult not to pledge allegiance to MS, Apple or Google. It's actually getting easier to NOT do so if you ask me and mine. Woops, I'm sorry. Didn't mean to actually prove anyone's article completely wrong. I would say to Bruce that he needs to clarify that it's only getting more difficult for ignorant people who don't care about what he's talking about to avoid...