The Security Industry Is Failing Miserably At Fixing Underlying Dangers
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
Nothing to see here, move along.
It seems like his solution is: Simply don't release code that has bugs in it. Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.
I read the internet for the articles.
Anybody may write programs, and it looks like there's hardly a nitwit who doesn't. I've said it before, I'll say it again: The stream of crap won't cede unless the software industry is made liable for software defects.
Being able to provide code patches also allows for low cost distribution to consumers for upgraded features for their products (tablets, pcs, etc.). Part of what makes computer technology so powerful is the ability to change rapidly. The cost of this is also in terms of bugs and security vulnerabilities.
"Okay, you do it."
We really need to let Darwinian processes cleanse the Earth of the non-technical, non-producing parasites. Armchair commentators first. Managers second. Lawyers third. The list goes on.
"We have no consequences for sloppy design and we don't hold organizations accountable for bad things."
Clearly Eugene Spafford must be put in charge immediately, since none of the rest of us have figured any of this out!
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Another "expert" with an opinion but no solid solution.
Sorry but I just ran out of fucks to give.
Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
The software companies make money by releasing upgrades with new features. The software users pay for security breaches, why would any rational software business give up the chance to make money in order to save money for someone else?
But there sure is a lot of money in selling threat paranoia.
Plus software vendors are apparently immune from product liability, so they never bear any costs for defects that lead to poor security or for implementing security poorly. If they had liability for this I think you'd see a lot fewer security defects, but probably a lot fewer features as well.
If they actually fixed the problems that caused the vulnerabilities, they'd be out of a job!
how will you find time to do it twice?
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
... substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.
I do have to agree in that the current development style/strategy (agile development) is less geared towards solid development and more on features and getting stuff out there. I think the article is just saying that they should do less of pushing out features and new things and more on good programming/fixing known bugs. Of course putting out a bugless program is near impossible, but there's a difference in better prevention versus better clean-up.
please... let me sleep... a little more... yay, no longer anonymous coward.
Sell the cure and it is over !! Sell the pill and it goes on FO-EVAH !!
How is anyone tasked with securing information services supposed to stem the tide when software development cycles lack security awareness?
An average IT guy can't do anything about it but patch and firewall. We, as an industry, have gotten quite good at that. What needs to be done is to enforce penalties when a software development organization does not live up to due care. These lack-of-bounds-check shenanigans should have died decades ago, yet they persist for want of an incentive.
and forcing us to buy it through their Microsoft tax, we will never get away from this problem. Microsoft intentionally creates horrific software in order to create a market for anti-virus and other worthless products. Also, they know that most people will simply buy another computer when their Windows crap quits, and it always does. The Republicans are happy for the increased consumerism due to the constant trashing of perfectly good equipment. That is their way.
The purpose of an industry is to promote the industry and to make money from it (not necessarily in that order). To eliminate itself by fixing errors, or doing anything for the general benefit of the consumer instead of for profit, is counter-productive. What the hell did you expect?!?
Underlying dangers: the user?
What we should do is research safe alternatives for languages (http://www.rust-lang.org/), more sandboxing of who can access what (SELinux, AppArmor), and better and simpler libraries (LibreSSL). No plugin Auto-run for untrusted sites.
Antivirus is cool and all, but it's not as good as fixing the bugs. Unfortunately it is more profitable.
Anti-virus is not a solution to the real problem!? Whaat? How can this be?
Working in this industry at several giant companies, the view is simple - the company works for the stockholders, the stockholders demand ever higher returns, and NOTHING the company does is nearly as important as increasing the short term stock price. So what money is spent on R&D will be spent chasing new "shiny" features and the absolute bare minimum level of security and bug fixes required to "continue leveraging the brand". In the meantime, the business will focus on increasing the productivity of its remaining workforce, and continue to look for new ways to innovate through outsourcing, off-shoring, right sizing, acquisitions, virtual workforces, and anything else that looks good on paper for short term gains while not requiring hiring new FTE (Full Time Engineers), at least domestically.
Yes there are bad products, an increasing quantity of bad products. And an increasing quantity of things to fix more than once. And an increasing number of exposures and so forth.
But, SW has never actually been an engineering discipline. So there's no real way to make things better off the blocks or fix them once they're out. But key problems really have to do with people not things. People are the weak link. And as long as you have to rely on people it will remain the weak link. A better approach would be to take a more holistic approach to allow for vulnerabilities of a given scope and size and build around them as it were. For example if you know that your servers won't get patched very well then fence them off so they can't hurt very much even where they're badly broken. If workstations are infected because people are retards who click on anything, fence them off too so even when they do they can't propagate their own mistakes.
Moreover, you have to understand that not every vulnerability means the same thing. Some things simply won't hurt your company the same way something else will. Heartbleed, while a big problem and very pervasive, is still only going to point to 64k ram volatile memory blocks. Blow your stuff out before it gets there. Not every unpatched system, not every firewall rule, will actually hurt your company or, conversely, its fix help you.
You need to understand that being 98 or 99% healthy is ok too.
The "Security Industry" makes money for the shareholders selling "stuff". Any time they see a problem, they will treat it as an opportunity to sell more stuff, since that is how they make money. If the problem is because the customer has already bought too much stuff, they will still try to sell the customer more stuff since THAT IS WHAT THEY DO.
So if you want to be secure, what do you do? We all know: You get rid of crappy software, simplify your systems, remove unnecessary cruft and hire developers, network systems people and architects who can build you what you need securely. You do NOT hire the cheapest meat puppets who can find the company website and spell "javascript" and you don't outsource your security to the lowest bidder.
This requires real effort on the part of the company paying for all this: They need to recognize that the "Security Industry" and their shiny, happy sales droids are just parasites ripping off the public with the "latest and greatest security stuff that will really protect you this time I promise not like all the other times, I really really mean it THIS time!".
They really need to understand that the RIGHT way to GET Security is to design it in, have the right people building and managing it and proper oversight over all of it. To do that you have to treat it as a profession and a core part of what the company does, not as a "service" or "product" that can be "bought in" or "outsourced" to a low bidder.
Security needs to be treated as a profession in any company with a significant cyber presence, just like the accounting team, the legal team and the core business functions. Pretending it's "just something that we can buy from a vendor" is short sighted and ignorant.
Sometimes the "writing on the wall" is blood spatter...
My friend had a huge fish tank. When it started leaking he put some glue on the seam. Then he tried duct tape, and more duct tape.
When it became a big enough mess, he drained the tank and cleaned it properly.
We are currently in the "add more tape" phase of the problem. It does not help that there are a lot of tape vendors who like selling terrible solutions to the problems.
Don't bolt on more - Natively, hosts = better than browser addons @ many levels (efficiency + added speed, security, reliability, & anonymity + fix DNS security redirect issues):
APK Hosts File Engine 9.0++ 32/64-bit:
http://start64.com/index.php?o...
(Details of benefits in link)
Summary:
---
A.) Hosts do more than:
1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen...
B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).
C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... w/ less added "moving parts" complexity/room 4 breakdown,
D.) Hosts files yield more:
1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).
---
* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs. of optimization).
* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.
* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth...)
Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)
APK
P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"
...apk
Thanks to all of this, and the NSA/GCHQ Orwellian Internet world, I no longer do any commerce online.
Online for me now is chatting, posting, blogging, /., emailing, sharing source code.
I no longer do any purchases, or access any online systems that deal with money (banks, credit unions, etc), via the Internet.
Even in the real world, I try to only get my cash via walk-up to a bank teller. No more ATM use. No more credit card/debit card use, if I can at all help it.
Is trying to do a cash-only lifestyle a total time suck, and inconvenient? Yep.
I am certain I can still be a victim, but I am doing what little I can to not be an easier target.
"Always look on the bright side of life..." -- Monty Python
Uh, Linux geek since 1999.
The company doesn't work for the stockholders. The company has a mission, and the stockholders who don't agree with it are simply not your stockholders in the first place. They don't bother. The founders of a company are free to set the mission as they see fit. The mission doesn't have to be 100% profit- or ROI-oriented. It's perfectly possible to have a public corporation that's after greater things than money. Just because for example Microsoft isn't set up this way doesn't mean it's a law of nature. Far from it.
A successful API design takes a mixture of software design and pedagogy.
The title (of both the slashdot post and the original article) is misleading.
The article cites one Eugene Spafford who observes that, "software makers churn out products riddled with vulnerabilities." That's not the security industry's fault.
He goes on to tell us that law enforcement is inadequately equipped and that criminals protect themselves by bribing government officials. That's not the security industry's fault either.
Of the tools the security industry does use regularly he says that, "We're using all these tools on a regular basis because the underlying software isn't trustworthy." Again, that's not the security industry at fault.
And the solution?
"... an investment in computer programming education and a major move by software manufacturers to embed software security concepts early into the development process."
Sounds reasonable to me. Also sounds like a task for the software development community generally, NOT just those specialising in security.
Never trust a man in a blue trench coat, Never drive a car when you're dead
Human error may always exist, but I think the point is that people aren't learning from their errors. With software, you can find a problem, fix it, and then iterate until all the problems that can be encountered are handled. If you build in robust modules there is a point where you start to see fewer and fewer errors being introduced into the code. That isn't currently happening. If we really want to, we can build truly bulletproof code modules, but it would take a substantial change in the way things are done.
Suggesting that human error will always exist and that therefore there isn't any point in trying to reduce or remove it is lazy and stupid.
HA! I just wasted some of your bandwidth with a frivolous sig!
In all fairness to "software engineers", this discipline is so new it is a joke to call it engineering. Civil engineering is centuries old with more than a few huge heaps of rubble created when they pushed outside of their bounds of knowledge at the time. Lots of exploding steam engines and crashed airplanes before best practices were codified in those disciplines. Real engineers have to pass a professional exam. You could try the same thing for software engineers but the exam would be meaningless almost before anybody could take it. That tells you the discipline is too new to be called engineering, however comforting the title may be. Give it another 50-100 years until it settles down. Right now, programming is more of a craft than an engineering discipline.
That has been obvious ever since MS DOS.
Sorry, and I know I'll be very unpopular for this, but the blame is on YOU. Yes, YOU. You there who always have to buy the latest and greatest turd that someone puts into a shiny, sleek piece of plastic and calls it the NEW $whatevergadget. As long as you buy buggy, crappy, spyware-attracting, insecure shit just because OHHHH! SHINY! you get what you deserve.
Welcome to capitalism. If I can sell you a piece of turd that stinks, why should I waste money on perfume?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I used to have a retirement account with a certain financial services company. They stored my password in plain text. To recover your password they would physically mail it to you. This kind of stupidity should be illegal. It should be criminal and the company should have to pay fines for being asshats.
Companies don't fix underlying problems because management doesn't see any value in doing so. They also see no risk in having insecure products. Until there are real financial penalties for blatant incompetence regarding security nothing will improve.
When I worked for a large defence contractor, as a KM admin and trainer, I found the single greatest risk to the security of the system was the attitudes of middle level managers and project managers whose background was not in IT. They would consistently side with vendors when issues with proposed solutions were raised, because I could not sell the idea of the risk to them as well as the vendor could sell the idea of trivialising it.
Why bill for prevention when you can bill for cure? Nobody, or very few, ever see a dietician before a Dr. Exact same story, much higher consequences. People are reckless and more willing to pay for catastrophe than maintenance; business just follows the market. If people pay to eat deep fried Snickers bars and don't pay for kale, what are you going to do?
I've got over a decade of working on networked, embedded devices. With the exception of content security, I have never in my recollection been on a project where a significant effort was devoted to the security of the system.
I've worked for a company who made devices which process electronic payments. I asked them about security and whether they ever did an audit. The SW veep's response was "We use SSL."
No one wants to think about it. Security is a hard problem and it blows budgets. Forgetting about security during development rarely (never, really) costs anyone a job.
Marketing and management need to require it before the money generates the will to fix it.
http://www.masturbateforpeace.com/
Up until about 1985 phone sales thieves were more than welcomed to Florida as long as they did not make sales within the state. Local politicians were only concerned with money being brought into town and had no concern about losses by people in other states or nations. Although there was a bit of a crack down it really remains somewhat true today. Cyber crime on an international level may well benefit towns in other nations. After all the thieves buy pizzas at local restaurants and cars at local car lots. Trying to get other nations to spend money stopping cyber theft is not likely to have great success. When we see nations like Russia or China allowing a lot of cyber crime we would either have to put trade sanctions in place or cut their access to the net which would be quite difficult. Organized cyber criminals will simply move to other nations and keep right on doing what they do just as some American phone sales scams are conducted by American sales people working in Burma and other nations. That call that sounds like your neighbor may be quite international these days and it may be your neighbor all those thousands of miles away.
Target customers should have filed a class action lawsuit. The evidence is pretty clear that Target flubbed the dub. Let Target look over its shoulder for responsible parties it can sue for damages. Let those look for scapegoats, as well. The buck stops somewhere. Someone didn't plug holes or a software has an exploit or an operating system is porous. In other cases (see Snowden, see Manning) the problem is non-hardware/software related. The justice department should have filed charges for dereliction. The custodians of the data have got to have an incentive to lock the freaking doors.
It little behooves the best of us to comment on the rest of us.
Engineers have the power to say no to the boss about stuff and have licenses on the line.
Target outsourced all / most / some of their IT
and it seems like at least some of the software alerts may have got lost at the help desk in India
I work in network security. We make an IPS. It's a box that sits on the network and blocks attacks. We can't do anything to fix the fundamental issues at Oracle or Microsoft, we can just ameliorate the impact.
So the problem is the software industry in general, not the security industry in specific. Although, as long as CIOs fall for things like NSS's extortion racket, senior management is nowhere near blameless themselves.
The major source of security issues is the bloated, complex software that we use. So as a first step how about a new standard "Secure HTML". It would look a lot like HTML 4.0 but with many things removed. Of course no JavaScript, IFrames or CSS. Very simple formatting. Content on a page would need to come from the same domain (no request forging). Links off page would always show the off page address, in plain ASCII. Etc.
Just enough to provide functional web pages without glitz. The goal being to make the entire browser code no bigger than the original Mosaic code. So that it can be thoroughly reviewed and made really bug free.
Normal users would not touch it. But for anyone with access to a SCADA system, for example, it could be mandatory. That cuts down one major source of infection.
How big is the truth table for 8GB of ram plugged into a 64 bit CPU? Don't we have an awful lot of combinations that we want NOT to do? I know the problem isn't this simple but aren't we getting beat by the laws of larger and larger numbers?
People will run malware for pennies.
The programmers, sysadmins, and netadmins can only do so much. If you completely lock them down, the users can't do their jobs effectively and/or whine and complain and not buy your software or use your service.
People do pay more for bulletproof software and systems, but most people aren't buying airliners.
very few ever see a dietician before a Dr.
Does Dr. Oz's talk show count?
The problem is that basically all software is connected to the Internet in some way these days and a lot of the makers of software do not qualify as part of the "security industry" and really have no clue and no interest in making things secure.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A good place to start would be to ban any languages that allow buffer overflows and the like, i.e. pointers, non-automatic memory management, unchecked array indices, etc. Ban as in illegal.
Systems today are too complex for the users, and even the supposed administrators to understand... And all these added layers of extra "security product" just compound the problem. Many organisations are simply unaware of all the risks because they have no idea how most of these things actually work.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Of course, if some morons decide, instead of fixing problems, to try to exploit them -- and to create a market for them, the problem is sure to grow even more.
"Yes, this car may be tipping over very easily, but we might need this to assassinate some foreign dignitaries, so we don't tell the manufacturer".
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
Very nice post man - "the worm is turning" around here (even amongst the diehard "Pro-*NIX" types), apparently.
* It's nice to see debating things based on the merits (or demerits) - as Elon Musk recently said how things ought to be, after he left a consortium of big name companies who used dirty tactics to further their interests (sockpuppets on forums etc.) & facts on a subject, rather than zealotry...
Heck - Android shows you HOW "other OS would fare" if used as much as Windows is - I've said that for years now... & some of what you state is SOLID about Windows too - both can grow from such valid critiques though.
APK
P.S.=> I did what you did the other day (Me, the "poster child" for Windows fanboy practically on this site), & got a totally unjustifiable downmod -> http://linux.slashdot.org/comm... even though I was stating things about Linux that were good & complimentary (it HAS come a long ways since I first tried it in Slackware 1.02 back circa 1994, that's certain) - however, I have a pack of "troll fanboys" that *try* to downmod every post I make (& folks there wondered WHY I don't create a "registered 'luser'" account here... that, is part of the reason why, here are more from that very exchange -> http://linux.slashdot.org/comm... )
... apk
It's simple: whenever you hear a developer pass up C for something stupidity-overloaded and abstracted like Java, C++, C# or Python, you lose security. Whenever you put an IT "professional" in place that doesn't understand how the operating systems work and thinks that Windows is suitable for the server, you lose security. The fact is, whenever you decide to take the easy road out of nowhere, chances are you're introducing security flaws. This is a two step issue, first at the development level and second at the IT level.
This has nothing to do with the security industry, and everything to do with people who prefer to buy the cheapest product rather than a better quality product.
Further, this will continue to happen as long as the software industry maintains its ageist view that 'younger is better'. Younger people are not going to have the experience level of older people, which means they will be much more likely to make all sorts of mistakes that older people (who had also made those mistakes when they were younger, but learned from them) won't.
Between the two, there is simply no hope at all that we can have products that are anything more than mediocre quality.
I am an infosec veteran and largely agree with the notion that the bad guys are winning. After reading through the comments section, many seem to be of the opinion that "secure" software means that it cannot be defeated by anyone. That's never going to be the case. Every security system can be defeated, especially when people are involved, which probably accounts for all of them. There is no such thing as a perfectly secure system.
It's not the "Security Industry" who is failing, it's the security *market* that is non-existent. As long as customers would prefer to pay less for more whiz without paying a premium to prevent risks they don't really believe in, nothing will change. We programmers can say whatever we want about what should be done, but until the people who cash cheques from the customers see a marketable demand, it ain't happening.
Since the vast majority of IT security problems in the corporate world are primarily the result of PHBs refusing to fully implement, or outright ignoring, the proper security practices recommended by their security experts because doing that (read with a whiney voice here) "makes using the computers too hard", I suggest that every time a PHB overrules their IT security guy, the PHB should get his eyes poked out and all his fingers cut off his hands. Soon after enough PHBs are stumbling around blind and gripless, the rest of them will perhaps finally start to get the message.
https://www.youtube.com/watch?...
C++, properly used, is a lot more secure than C. For example, array or string overflows are eliminated by use of std::vector, std::string, and using the .at() subscript notation rather than [].
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Buffer overflows should always be managed by the programmer and never by the compiler. When the developer trusts the compiler over his own ability then he will always introduce security flaws. When the developer trusts himself over the compiler then he will most of the time write better and more secure code. The problem with object oriented languages and any language which attempts to bounds check for you is that it turns developers into lazy monkeys and takes all the work away from programming.
...this will continue to happen as long as the software industry maintains its ageist view that 'younger is better'. Younger people are not going to have the experience level of older people, which means they will be much more likely to make all sorts of mistakes that older people (who had also made those mistakes when they were younger, but learned from them) won't. Between the two, there is simply no hope at all that we can have products that are anything more than mediocre quality.
THIS.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
Huh? Are you saying everybody should hand-code assembly without any sort of framework?
Buffer overflows should be managed by the language. Any security feature that the language can handle should be handled by the language. This frees the programmer to think about what's going on on a larger scale. Humans are really not good at making sure every instance of a common pattern is handled correctly, and compilers are.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
No, I would never make such an insane statement but it's extremely important that as a programmer you trust your own abilities over that of a compiler.
A great test to give any interviewer for a job is to give them a piece of C code which has had things like bounds checking removed, structure attributes removed, pointer checks removed and so on, and see if they put them back in before they finish the task at hand. I can honestly say from experience, and having to go through these types of interview submissions, that 90%+ of the time the programmers who don't put checks back into the code write piss-poor, framework-managed style code. What kind of confidence are you going to instill in me when you don't even take the time to wrap an array check with an if statement? Usually when I go back and ask the interviewer why it's left out I get the classic, "Well why doesn't the compiler make sure you don't write off the end of the buffer? That seems like a design issue and I shouldn't have to manually do it!"
It would be really hard to look a client in the face and tell them that their brand new million dollar embedded system failed because someone, an object oriented programmer, decided that the array or list would check itself before corrupting memory.
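The two positions argued in this thread, the explicit if-check on every index and std::vector/std::string .at() doing the check for you, side by side, as an added example that is not code posted by any commenter. It parses a constructed type-length-value record whose length byte may lie about how much payload follows; the Record and Buffer types, parseRecordChecked, parseRecordAt and the sample buffers are all names made up for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed record format for this example: one byte type, one byte payload
// length, then the payload bytes. In any real protocol the length byte is
// attacker-controlled input, so it must never be trusted to fit the buffer.
struct Record {
    uint8_t type;
    std::string value;
};

typedef std::vector<uint8_t> Buffer;

// Style 1: explicit "if" checks written by the programmer. operator[] on a
// std::vector does no range check, so every index is validated before use.
// Returns true and fills `out` on success, false on a malformed record.
bool parseRecordChecked(const Buffer& buf, size_t offset, Record& out) {
    // The two header bytes must fit; phrased so that offset + 2 cannot wrap.
    if (buf.size() < 2 || offset > buf.size() - 2) {
        return false;
    }
    size_t payloadStart = offset + 2;
    size_t len = buf[offset + 1];
    // The declared length must not exceed what is actually left in the buffer.
    if (len > buf.size() - payloadStart) {
        return false;
    }
    out.type = buf[offset];
    out.value.assign(buf.begin() + payloadStart, buf.begin() + payloadStart + len);
    return true;
}

// Style 2: the container does the check. .at() throws std::out_of_range
// instead of reading past the end, so a lying length byte becomes a caught
// exception and a clean parse failure rather than an out-of-bounds read.
bool parseRecordAt(const Buffer& buf, size_t offset, Record& out) {
    try {
        Record r;
        r.type = buf.at(offset);
        size_t len = buf.at(offset + 1);
        for (size_t i = 0; i < len; ++i) {
            r.value.push_back(static_cast<char>(buf.at(offset + 2 + i)));
        }
        out = r;
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// Constructed sample inputs.
const Buffer kGoodRecord = {0x01, 0x03, 'a', 'b', 'c'};      // well-formed
const Buffer kLyingLength = {0x01, 0x10, 'a', 'b', 'c'};     // claims 16 bytes, has 3
const Buffer kTruncatedHeader = {0x01};                      // no length byte at all

int main() {
    Record good, bad;
    bool okGood = parseRecordAt(kGoodRecord, 0, good) && good.value == "abc";
    bool okBad = !parseRecordAt(kLyingLength, 0, bad)
              && !parseRecordChecked(kLyingLength, 0, bad);
    return (okGood && okBad) ? 0 : 1;
}
```

Both parsers reject the same malformed inputs; the difference is only where the check lives, which is exactly the disagreement above.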