Slashdot Mirror
Ask Slashdot: How Are So Many Security Vulnerabilities Possible?
dryriver writes: It seems like not a day goes by on Slashdot and elsewhere on the intertubes that you don't read a story headline reading "Company_Name Product_Name Has Critical Vulnerability That Allows Hackers To Description_Of_Bad_Things_Vulnerability_Allows_To_Happen." A lot of it is big brand products as well. How, in the 21st century, is this possible, and with such frequency? Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough? Or are the product manufacturers simply careless or cutting corners in their product designs? If you create something that communicates with other things electronically, is there no way at all to ensure that the device is practically unhackable?
Is software running on electronic hardware invariably open to hacking if someone just tries long and hard enough?
This is 10% of the problem
Or are the product manufacturers simply careless or cutting corners in their product designs?
This is 90% of the problem.
The problem is that we aren't using safe-by-design programming languages like Rust enough. If we used Rust more, then many types of bugs and security flaws wouldn't even be possible. As more and more software developers follow Mozilla's lead and start to use Rust to build their software systems, we will see many common types of security flaws vanish.
It would seem that programmers are more concerned with WHAT they have to do, and not overconcerned with HOW they do this..... They just the the job done.
Good security usually means re-architecting whatever legacy garbage fire has been burning in off in the corner for the last 12 years and that costs money. The insecure software is still generating revenue in it's current state and there are no consequences for poor software security. #Equafax
Who cares, we have arbitrary deadlines to meet. Ship it broken! We can fix it later.
and government spooks
How are bugs still possible? That's how security holes are still possible too.
A day goes by when Slashdot originally misses the story they end up posting a week later.
Beware of the Leopard.
Security issues? Um, have you met the requirements? Yeah? Does it work? Yeah? The security issues aren't in the spec, release it.
The good news is much like Charlie Rose gets embarrassed off the national stage, hopefully companies that don't take security seriously will be forced into bankruptcy.
>> are the product manufacturers simply careless or cutting corners in their product designs?
Yes.
I've been a software security guru for more than ten years, and none of the companies I worked for, whether Fortune 100 or commercial companies shipping commercial software, fixed all the vulnerabilities we found before shipping. (Some set the bar at "high" and some as "critical", but no one halted the presses for "medium".) For all I know, most of the vulnerabilities we found perished on a disbanded team's backlog years ago to the delight of hackers everywhere.
But the bigger problem would be the code that shipped that we never saw, whether it was an intern's "hackathon" project shat onto the web, something that crawled out of a pool of H1Bs, or a third-party app grafted in to fake reporting enough to get past the demo with the big client. I have more horror stories than I can relate involving things like this.
The root is that our corporate laws allow liability (for defective products, in this case) to be completely separated from ownership (stockholders). US companies can fuck customers up the ass with barbed wire, and nothing happens to anybody within the company management or ownership as a result.
I don't respond to AC's.
Our software needs password access to our servers.
I know, let's store the password as a variable in our code.
Great, how do we get the latest version of our code?
It's in the company repository.
Alternatively,
We're getting a permissions error.
Just chmod everything to 777. (Yes, I've seen this done. Yes, I know it's a bad idea).
That can be simply listed as (in the order that I see them):
- Microsoft as an OS vendor (I know I'll get attacks from various ACs that think any criticism of MS is unfair but they are putting 'way more energy into sucking user's personal data into their servers than protecting said personal data)
- Large service companies with poor security for customer databases (I just saw Uber had a big hack last year that they've been trying to keep quiet).
- The 10% of so of the user population at large which don't have the intelligence to question email/text/phone/Facebook/etc. requests for their personal information.
The remaining 10% would be poorly defined standards (for example IoT) where the possible vectors and impact of security intrusions have not been thought through.
Mimetics Inc. Twitter
How Are So Many Security Vulnerabilities Possible?
Do you life in a house or apartment? Go around and look very closely at every aspect of the structure. As you go, make note every flaw you find, however tiny, but paying special attention to things that could be avenues for entering the dwelling from the outside even if everything is locked up. Now imagine 1,000,000 people all working constantly to find ways through those vulnerabilities without you realizing that is going on. Now imagine everybody in your city has an identical dwelling so that when one avenue is compromised, they all are.
That is how.
I like how the article just previous to this one reads, "Sacramento Regional Transit Systems Hit By Hacker."
Indians.
Next question.
As compared to say bridges or ships? These can be designed with more abstract mathematics, notably calculus.
The mathematics behind software is discrete (rather than continuous as for many mechanical mechanical things), so alas no calculus. We do have some tools for discrete system abstraction, but they achieve this by being domain specific rather than a general abstraction.
This lack of abstraction is not a new problem, we just see it in the area of security because that is what is important to humans at the moment.
yes, every time i see something like this.. i go.. hmmmm.. makes one wonder..
if every who thought about or wrote a program, and that programmer was a white hat hacker we could have bliss and live happily ever after... or one could really do harm if on the dark side, yet karma is a wonderful training tool, so just wait and see..
for me, i am a white hat... ;-)
my favorite is to redirect sql injection attempts to www.fbi.gov with the attacker IP in the URL and a text string along with to say go get them...
Companies treat security as something that just takes care of itself once you put a password on a site to gain access. Every company with any data has a security risk, but how many companies have a CSO? How many have a senior engineer overseeing security. Everyone is follows the big buzz words like "cloud" and "big data" and have a buzzword bingo "strategy." Not so much when it comes to bolting the doors.
Security is really hard. It's especially hard when so many insist on trying to reinventing the wheel, which countless developers do all the time.
No one cares about security.
Seriously do you really care about it either? When was the last time you challenged the lock on your own front door? You just trust that it will work because why would you? It's old tech, easy to defeat, and only serves as a request to please do not force your way into my house. If somebody wants in, they are getting in.
Same goes for software, most people implementing the security are not security focused or even experts. They only implement the security other people have provided, but if that is already insecure how can you build something on top of it that is secure?
We essentially do the bare minimum security to keep toddlers out of our system... sorry scratch that, toddlers are stumbling into them. Take a look at KRACK, discovered by accident because one security expert finally said... I wonder if I did this instead.
And to take a great well known parallel... the TSA, its all theater, and to keep that theater under control you don't make jokes, your first amendment rights are suspended at the Airport after all.
Every corner you look at in life there are vulnerability because it is just too fucking inconvenient to have real security!
I hope you know who your janitors are... maybe they are 007's in disguise. That's right, you never take notice of the people that surround you able to wreck your life the moment one of them goes off the rails. Movies do a terrible job emulating real life but they also do a good job of pointing out just how much disrespect people treat real security with! You go through life trusting that people are going to do their part and are never fully prepared for them going off the rails.
So people say they are concerned... but only so far as their liability is concerned.
Companies do not care about security, because they see no value in it. They rush their own developers to release software, and never ask them to focus on security.
Developers do not care about security. They never face the consequence of their negligence on it
Consumers do not care about security. They shop for the cheaper or the most hyped product, not for the one that was correctly engineered. How could they know it really was, anyway?
This is one of those questions you'd quickly discover the answer to if you tried to write code. Software is complicated and security is rarely the primary concern when shipping a product, and hackers have virtually infinite time after a product is launched to find problems.
Asking how software could still be vulnerable in the 21st century is a bit like asking how cars can still breakdown in 2017. It's a complex machine with thousands of parts, built on a limited budget, it's not going to be perfect.
All complex software has bugs. But not all software respects your freedom to run, inspect, share, and modify the software so you can decide how to handle whatever problems arise with the software. You ought to be allowed to fully control the computers you own. Free software (software that respects your software freedom) is a means to grant people that control and treat people ethically with regard to computer software. Nonfree (or proprietary) software denies users the freedoms of free software. Nonfree software is often used as a way to hide vulnerabilities and malware; a choice which certainly hurts users. When the software's operation is a secret, users aren't granted permission to know what the program does when it runs. This means users who run such software have less control over their computer. If users aren't permitted to improve the software and distribute improvements to others the users are helpless to make their computers better serve their needs and help their community do the same. That's no way to treat other people.
It's not a matter of who writes the software (oh no, this software came from Russia or whatever other country the empire currently objects to), it doesn't matter what the software purports to do, it doesn't matter how comfortable you are with the software nor how much you paid for the software. You don't deserve software freedom any less for one kind of software or another. The development methodology is not the most important point either. The key point is that in order to treat people ethically with computer software you have to treat them as equals and let them decide for themselves how they'd like to handle running, inspect, sharing, and modifying the software. Offer bug fixes gratis (to be nice and show that you care about what you already distributed) and offer consulting services for a fee if you wish (and charge as much as you can get for your services). But you can quickly and effectively earn trust with your users by respecting their software freedom.
Digital Citizen
Becuase humuns fowl everthing up,
Table-ized A.I.
Computers are complex. Maybe over time we've come to take that for granted, we're so used to them. But there are many layers of technology underlying any system that's in use these days. It only takes one vulnerability in one of those layers for a hacker to take advantage. Sit back for a moment and truly consider how many lines of code (yes, machine code too) are required to enable even just the display of this web page. Drill down into every element, every piece of hardware, every layer of software. It's complex as f*c&. Making sure that every single one of those layers, every single line of code is completely unbreakable ... it's really not as simple as it might first seem.
It's like building anything ... there will always be a point of weakness. The strongest steel in the world can still be broken if you apply enough force or if the manufacturing process allows a flaw to creep in. Nothing you make is ever completely and utterly unbreakable, and that goes equally so (if not more) for IT systems that are build on platforms that other people develop before you. Apply that across your multiple layers of hardware and software and there are probably an unlimited number of ways in which a system can fail.
For me the question is fundamentally wrong. I would ask: "Why don't we all understand that security vulnerabilities can never be eliminated?"
Another aspect I think matters is how management at these companies treat a programmer = a programmer and make people disposable in layoff rounds. They lose all kinds of expertise and team synergy that can't be quantified and the replacements even if they're just as good will take a long time to get up to speed and the previous code/knowledge, them thar be dragons... (don't touch ANYTHING!)
Please, before you post on Slashdot about code vulnerabilities, make sure you have at least programmed a "Hello, World" before. This post reminds me of the time a frustrated boss demanded to know why the game AI I was programming didn't "just use common sense."
More vulnerabilities are happening because there is a *massive* increase in software in consumer products. A bazillion products now have codebases that didn't before - ovens, toys, even my damn Christmas tree. Combine that with professional and social media that's always looking to dredge up outrage, and an increase in bad actors who realize that public outrage can work in their favor, and boom! You have a constant stream of stories about security holes. Why is that hard to understand?
Engineers are increasingly educated about new security threats - we evolve much faster in dealing with new challenges than almost any other type of worker. But yes, things get through, because this shit is hard - much harder than clueless internet whining. Also, because we're on the front lines of two wars - against those who tear down what others build, and against those who squelch innovation to preserve their own fat-cat positions - that is exponentially more intense than it was even a few years ago.
Expect the future to get *much* bumpier than this.
Almost all security problems boil down to the absolute lack of support for the principle of least privilege. None of the commonly used systems have anything approaching this concept. The crude approximation available is to put each resource in a virtual machine and tightly limit its connections to other virtual machines that need to access it for a specific resource... then watch those like a hawk for traffic spikes etc.
The other thing that could help immensely is to install Data Diodes, which are gateways specifically designed to NEVER let data flow in the non-desired direction, guaranteed by physics. The come in pairs, they have a normal network connection on one side, and one of the pair can only transmit, the other can only receive, usually via a single fiber.
This stuff can be fixed, I've been saying so for at least a decade now (go ahead, search my comment history here and elsewhere)... ya'll are slow on the uptake. I figure another 5 years before it starts sinking in, and at least 10 more to get it done.
the stupid fucking cute and oh so thought provoking bullshit ... take the domain off auto-renew. let it die. /. yesterday's news today! yay!
It's mostly because of the hippies in the 1960's and 1970's, who believed security was a government plot and "Data just wants to be Free!!".
Many people were influenced by this attitude and often don't even know it. The result is:
"If Engineers built buildings the way Programmers write programs, the firse woodpecker that came along would destroy civilization!"
If you don't always check for error return values, then this is you... 8-}
When people go to jail for endangering other citizens it will change, until then this is how it is.
...that's why.
1. Planned obsolescence.
2. The customer is very often the actual product for the big players.
After this point I'm just going to start making shots in the dark...
Nobody has any faith in the system anymore. Or if they do. They don't really care about what they are doing. What do the hardware/software people get out of the deal? Couple that with the fact the top dogs WANT insecurity built in as a feature for them.
Really truly, aside from all that... My friend told me a story many years ago now. She had a friend who was a Drug using fella (nothing wrong with that in of itself, IMO) who would go around scrapping copper for extra dosh. He didn't just go after scrap copper, though. He would go after the grounding lines for telephone poles. This is the kind of (behavior) that is just a symptom of our entire culture. The real wheels that are spinning things are often lubed up by this sort of behavior.
Security in the internet of things? It used to be an internet of the people by and large, and we are losing that, and now these, "things", suddenly matter? Hell no.
Some homes in the world don't even have locks on their doors. A friend of mine was one of them. I walked right into their house one day to see if they were home and they weren't. The thought of stealing some money even popped into my mind. I didn't though. Why would you steal from a friend? They weren't home, so I left.
Nobody gives a fuck about securing shitty products that do shitty stupid pointless things touted as miracles in a country where a high functioning socio-path named steve jobs is regarded as some sort of savior. Mean while we look at some one like RIchard Stallman as some sort of nut jub, when in reality his only real crime is probably just being a goody two-shoes and giving a fuck about something other than convenience (ethics, liberty, and such).
Nobody at these mega-corps gives a fuck. And even if they do actually have a spiritual connection with the work they do, or even just find value in what they do, how in the fuck are they supposed to do their job when they have to have military grade fucking security just to keep the cogs turning and greased up? It's insane...
the people can't effectively govern themselves anymore cause their is barely anything worth governing anymore to begin with. I don't mean the U.S.A. or elsewhere is in a state of anarchy. It's just that... The resolution of society is so high and sharp anymore, the weight of each individual pixel/person is so miniscule it's hard to appreciate the actual constitution of the image as a whole.
how hard would it be for the most advanced military in the world to just crack every damn business they could, then use that as a means to sell them better security? It's like picking our pocket and selling your own watch back to you. Palms get greased and security goes up.
nobody cares about that crap they are making/selling, cause it's all absolute shit to begin with...
we can inject nano particles and change DNA... but we can't create a car sturdy enough to last 20/30/40 years? We could, nobody wants to put themselves out of business, though. Maybe, there's better things to be doing than business and a lot of people just don't know what that is yet?
(I'm pretty sure making love is one of them, though. That's a start, maybe. Nothing comes in at a close second, perhaps.)
If you look at how powder Drugs are sold on the black market. They usually come from the source rather impure to begin with, then it's just cut-in, sold to the next guy, cut-in, sold to the next guy, all the way till the customer is reached. Well when that chain gets long enough, the customer ends up with nothing but cut-in filler and no drug. And if they know their Drug well, enough, they'll know they got sold baking powder. And that the only thing left anymore IS baking powder.
Management: Why hasn't it been released yet?
Development Team: Because it's not finished yet
Management: Well we promised XYZ partners that it would be released by now
Development Team: You promised who WHAT?!?!?!
Management: Have it ready by the end of the week
Development Team: We have many weeks work left, AND THEN we have to have it go thru Cyber Testing
Management: Cyber-whats-it? That testing is only going to cost us money and put us behind schedule even more - skip it and ship it - NOW!!!
And they you read moronic articles about how developers should be held accountable when the shit hits the fan.
then you don't care about user's privacy.
https://github.com/mozilla-mob...
Dominant companies set the scene by having designers that produce rubbish designs. Then you have a race to the bottom by managers and coders not understanding the designs, knowing bugger all about the problem domain, and thinking that whatever pap they get running (and this as soon as possible) is fit for purpose.
1.) Feature-creep (adding "new hotness" & not checking it well OR thinking it thru completely as to what might be exposed) & it can LEAD to-> 2.) BEING TOLD BY MGT. "GET IT OUT THERE NOW & DON'T WORRY ABOUT A BUG WE CAN PATCH LATER" (this happens & it infuriates devs (did me) but it has SOME merit in a sense - I was told, point-blank, that IF/WHEN a bug's intermittent (usually caused in my experience by data that was 'malformed' (keypresses & filtering beforehand stops this & SO DOES DBA's CREATING VIEWS) 9/10 times & not so much the code itself) ISSUE THE CODE, patch later (usually 'later' never comes like performance tuning in an industrial environs UNLESS users complain).
* I'd be WILLING TO BET that other devs here have seen those 2 scenarios - I know I have (retired now though for 10++ yrs.)...
* That's just "in general" scenarios - now, on security SPECIFICALLY? The "cracker/hacker" types ARE GETTING STRONGER (by far) nowadays - for instance/e.g. - whitelists (sometimes thought of as 'superior' vs. blacklists like hosts/firewalls) = EZ TO BLOW BY (do it by hiding underneath another LEGIT allowed process (as a lib/dll)).
APK
P.S.=> Sometimes it's "rookie devs" too but that just "comes w/ the territory" (or rookie DBA's too) - it usually changes once you learn more from "seasoned pros" (I know I did - I was lucky to be surrounded by GREAT ONES in my career & other arenas in my life, like sports in the NCAA too)... apk
If you can use it, somebody else can figure out how.
Thought experiment time:
You are the manager of a small (read: limited resources) software company deciding how to spend your engineering hours for the next release. A group of potential customers have decided that features X,Y, and Z are very important to them. If you choose not to implement those features you are unlikely to win that business. Security fixes will not win you any sales and 99% of the time will not lose you any sales. To make them you have to give up X, Y, or Z.
Decision time!
The fix should be obvious. Make this business's customers care about security. Being hacked needs to be more than a minor one time cost on a quarterly balance sheet - it needs to be devastating. Hoarding vast amounts of data needs to become a liability, and the decisions to keep around something so radioactive should be approached with careful deliberation. Insurance products should emerge, complete with security audit stipulations.
There are likely lots of ways of doing this. The most obvious to me is to put some serious legal/financial liabilities on leaking data. Unfortunately, I expect doing this suddenly would cause economic turmoil as companies everywhere scrambled to harden their systems. Companies with more resources are most likely to have a head start on this already and may not even take a profitability hit. Many small companies would likely be put out of business completely, as the above thought experiment shows.
Security is not free. It is neither free in that it requires lots of man hours of time to develop & code, and that security has no impact on the user experience.
You can do end to end encryption of all traffic, encrypt at all states, require multi-factor auth, require physical devices, require secure portal software. But all of these have operational costs as well. But in the cost of compute and in the usability of the software.
If you had to access gmail through a specific secure application, with 3+ factor authentication, and it was really really slow, would you use it?
There is no system of professional licensing, etc for so-call "software engineering" like there is for say, civil engineering.
When shit goes wrong no one is responsible.
We need to treat our digital infrastructure just like our physical infrastructure. For critical projects, someone should be signing that the code has been written and reviewed using industry-standard techniques, just like there are industry-standard techniques for designing a bridge or calculating the margin of safety on an AMSE pressure vessel.
It's time for large sections of the software industry to grow up from the do-whatever-we-want era of the 70s and take responsibility for being a critical part of peoples lives, just like civil and mechanical engineers did 100s of years ago.
Aptitude doesn't get ahead, it doesn't lead to controlling resource allocation, it doesn't lead to making great things.
Social skills and willingness to take risks while simultaneously being blind to the potential consequences yields wealth, which controls resource allocation, which makes shit things.
We have a fundamental issue with the nature of our societies which prevents us from having nice things, no amount of PM or skill can change this.
I'm not saying the least suited for wealth will always have it, but the most suited likely never will given our current methods.
I think most companies don't know how to produce reasonably secure software cost-effectively. They aren't motivated enough to spend a ton of money on security. So they give up on trying all that hard, to varying degrees.
Some companies try educating programmers a bit about security. That's good, but not sufficient. Programmers are constantly learning new frameworks, new libraries, new languages, new systems they have to integrate with ... They aren't going to be security experts too.
In my experience, the main cost-effective way to improve security is to have a security professional consult with developers at three points in the process of a software project. Then integrate part of what's learned into automated parts of the DevOps build and release process. One hour from a security person at each of these three points can really make a difference, not only in the current project, but in future projects. Have the security person join a meeting and be part of the discussion at these three points:
The initial overall design / architecture
This will allow the security professional to point out spots where security issues commonly occur, "be sure to use TLS (ssl) for this connection". It will also catch major architectural decisions that lead to big security problems that are very hard to fix later (such as an ISP planning on managing customer modems over their public IPs).
Finalizing the design details
Similar to the above, but at a finer-grained level
Pre-release testing and approval
Around the time you're starting integration testing, your security person can review the implementation based on notes they took in the two earlier stages. For some of these code-level things they can add to your existing pipeline, so from then on Git will warn you immediately when you try to commit code that follows a dangerous pattern such as use of std::process::Command with variables influenced by user input, or improper reuse of mutable buffers. (Here I use Rust terminology, the same errors can be made in most languages. Few bugs are langauge-specific).
Not only will this catch issues in the current project, but everybody learns from the interaction in order to avoid creating similar problems in the next project. Instead of studying 2,000 pages about security, the developers are being made aware of the specific issues that they tend to create in the specific domain the company is writing software for.
This process allows one security professional to effectively serve many programmers on many projects, much like your database expert might work with developers on many projects. You can get a lot of security improvement for not much money.
* Before somebody says "2,000 pages is ridiculous. Security is easy, all you need is the OWASP Top 10â, I'm a member of OWASP. I know very well the quick "rules of thumb" we publish. I've personally read over 10,000 pages about security and I don't know anywhere NEAR all that there is to know.
From TFA summary: [...] "How, in the 21st century, is this possible, and with such frequency?" [...]
Answer: Human Malevolence.
Computers are still pretty new. Quantum computers should fix the problem ?... maybe... :)
[($)]
There's a bunch of reasons:
1) Code complexity -- nobody has a fucking clue what all is happening with code because it's built on a shit pile of abstracting layers because the devs can't do anything without training wheels
2) Devs are human, and lazy -- and after more decades in the industry than I care to count, "works for me" is far too frequently still what developers say
3) Companies are cheap and deadline driven -- they don't care if there's bugs, just ship the fucking thing on time and ensure we have a good quarter
4) Companies don't give a fuck -- between the EULA you signed, and cutting costs, security is at best a secondary priority
5) The gazillion monkeys which is the internet ceaselessly try everything, and in some cases exploits are just a kit you buy on the darkweb (you all remember script kiddiez don't you?)
And probably a whole lot more I can't easily summarize.
In a world driven by the almighty quarter, and the almighty marketing machine, and ran by people who have no personal liability except their quarterly bonus ... the fucking name goes on before the quality goes in as long as it ships on time. From the PMs all the way up the to fucking CEO, as long as it ships on time and you can tell a good story to the shareholders for this quarter, not a goddamned other thing matters.
Many many years ago, software was smaller, programmers were much more intimate with what it did, there were way fewer threat vectors, and people had the time to release good and stable software because you couldn't just whip out a patch and download it; these days it's all about releasing a version, booking revenue, and we'll fix security issues later.
Only there is never any time, resources, or money later to fix the shit you did several releases ago, because you're too busy adding more pointless features and security holes for the next release. Because management says so and because they don't give a fuck about something as boring as fixing bugs and optimizing code.
Good software has become un-glamorous, because nobody has the luxury of spending time on improving what you have, just slapping on whatever buzzword du jour and shipping it.
Why are there so many security vulnerabilities? Greed, laziness imposed by greed, incompetence imposed by greed, laziness not imposed by greed, and incompetence not imposed by greed, and way too many fucking moving parts for any one person to have even the slightest idea of what all the pieces do.
Some of the worst programmers I've ever met can't do anything without a framework, library, toolkit, or structure to help them build it -- and in many cases, they simply wouldn't know how to implement without someone having done most of the work for them.
There's a place for frameworks, but there's also a place for people who can write code without relying on them, or who have at least done so enough so as to understand what they're actually doing instead of relying on someone else to have done it.
Even if everything you say is true and even if all of those things are fixed, you cannot fix the bugs in the human brain that allow them to give up secrets. There has to be human trust somewhere and it can always be abused.
The stuff you talk about is all necessary of course, but the humans who are running the show will always be corruptible and they will always be corrupted.
So your advice is only half-baked because you don't really mention any plans for what to do after your data is gone. It's going to happen so you should figure out what you will do when you discover a breach. Do you just pull the plug on your internet at once? Do you know how to do that? Do you tell the cops? Do you call your insurance company? Do you call the press? Do you even know who to call? Crickets from the high-paid consultants.
Company A builds product X. They design it with security in mind. They code it with security in mind. They test it a dozen ways from Sunday. They are constantly trying to break it and fix it every time they can. They want to charge $20 for using their software to recoup their investment.
Company B builds product Y that directly competes with product X. They give security a passing interest. They throw together the code and ship it as soon as it works in 90% of the cases. They don't bother testing. If a bug is reported, they might fix it in 6 months if they get around to it. They want to charge $1 or give it out for free.
Guess which product almost everyone chooses? Can't say I blame them all that much because it is nearly impossible to tell which product really is more secure when you buy it. Software companies will begin taking security really seriously when customers won't buy it because they didn't. Maybe we need something like Consumer Reports for software.
Most programmers think code can be made secure if they only have better compilers, debuggers, or follow better practices. They are fundamentally mistaken about the nature of the problem.
This article lays out the nature of the error far better than I can. Please read it and then THINK:
https://medium.com/message/eve...
And then consider: âoeIt is difficult to get a man to understand something when his salary depends on his not understanding it.ââSâ"âSUpton Sinclair
Management. Costs of security takes away from their pay, shareholder value. Thats less jets, holidays, gambling, yacht time.
The security services want an easy way in they can use the cover of average malware for.
The police want a way in so they have contractors hide as malware.
The security services and police need a way out of a system, network with the data they find.
The method used by police, contractors, security services finds its way into the hands of cult, faith groups, criminals, the media, ex, former police, political groups.
Lots of groups, people have reasons for wanting to get into another network, computer.
With the funds to buy methods, the data moved looks like the action of malware or a protected US police investigation https://en.wikipedia.org/wiki/... . Code litter is left to show its just malware thats been seen before or the work of another nation (Marble Framework).
Big brands have to be ready for existing or future lawful demands by nations, their security services. PRISM ready.
https://en.wikipedia.org/wiki/PRISM_(surveillance_program). That open door, trap door, back door lets a lot of other people, groups in once secret Police/mil/security services methods get passed around, sold, rented, given away, shared with people of the same faith.
So what is/was the ANT catalog keeps working https://en.wikipedia.org/wiki/...
The cost of creating a secure system is often in management, lawyers, compliance to US, UK, EU laws.
Some money then has to be found to code the network, service, system, OS. Low cost workers are found, the final gov/mil paperwork is the only part that has to be worked in the USA, UK, EU.
Quality slips, the police/mil/security services back door, trap door, junk encryption, extra keys then get handed around.
Too many people in too many other nations have seen the easy way in.
Another part is corruption enquiries. Police, mil, special forces who are doing a good job need to be able to collect on bad contractors, the judiciary, organised crime, politicians. If the networks are too good its hard work to secure global collection on a nations corrupt officials.
Everyone has a good reason for a trapdoor, backdoor, junk encryption, poor standards, rushed products, police support.
Malware and criminals, faith groups, cults, the media, skills people just follow the networks left wide open.
The mil also likes plain text networks as it made sending raw data globally much more easy. The network was secure from collection to sorting at a secure base.
Plain text stayed as the method to work with and then contractors got to sort data away from a base, secure site.
Gone was the physical site security of the 1960-1980's and contractors now have data in plain text on networks open to the internet.
Plain text is all they are allowed to work with but their own network security is junk or was never set up with any skills.
Plain text also allows the clandestine agencies to search many different US wide networks to find skills and staff with clearances they need.
No need to ask for a key, say why or have searches questioned. No new Iran–Contra https://en.wikipedia.org/wiki/...–Contra_affair questions later, no looking over crypto use logs.
The removal of union staff on site saw an expansion of networks to cover what staff on site had to look after. More new remote site networks got left wide open.
Nobody wants to pay for their own secure networks to cover a city, state, part of the USA so that new low cost "internet" was used as a very secure network.
Years later that consumer OS, junk network get found by skilled people, groups mapping every network their area.
Obscurity did not work years later with no upgrades.
Watching staff. If networks are too secure how can staff wi
Domestic spying is now "Benign Information Gathering"
I know quite a few CEOs and VP level execs. They are very focused on revenue. They are spending all their time trying to land new customers and grow the business. Security is a cost: generally: you have to pay money for it, either to security vendors or in headcount, and there is no corresponding revenue that you get. So it goes to the bottom of the priority list. Somewhere in their heads they know that deferring it is a bad idea, and the cost of a security breach is something they don't even want to think about, but there is always a new revenue target to hit, another customer to land, etc., and so the security stuff get put in the "maybe later" pile.
Let's be honest here, its no secret that security is not glamorous. As the guys with money start to realize their customers deserve better and to avoid lawsuits, they will invest. But that's just a start.
Let's be honest here, I cant work on the same coding project my whole life, and frankly, go for it, design and develop until your hearts content, develop away my little minion, you wont be able to stop everything anyway. This does not mean you should not try, and try you must, but realize if someone wants your car, they will get it.
Was it created by humans? Then chances are it will be broken by humans.
Its hardly just a software or hardware issue, its humans.
As a software engineer for 15 years and project manager for 3 I can explain it simply: we're fuckups and nobody pays check on us to make sure we're not fucking up.
See subject: Use of faulty 3rd party libs/dll or toolkits - a fault developers using others' libs & faulty libs devs!
E.G.-> A competitor to APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ in Hostsman (doesn't do as much as mine ala hardcoded favs you spend MOST time @ online speeding them up via FASTER local RAM access vs. remote DNS + protects you vs. DNS security issues or DNS down & dns requestlog trackers - they used SQLite (browsers do too) & IT TURNED UP A HUGE BUG!
I was asked by Malwarebytes' Steven Burn "Why don't you just use SQLite & be done w/ it?"
THIS IS WHY!
I wrote my code myself by hand (never a bug in that program above to date since 2012).
APK
P.S.=> Depending on OTHERS WORK weakens you not coding a job yourself (you have MORE CONTROL of it via source you wrote yourself totally)... apk
Speaking as a secure software expert, you can develop secure software. Doesn't mean it's easy though!
Why is it hard? Performance and security is hard. The only language that provides both is C++ and that's only if you use the advanced features.
Libraries are in general shitty due to lack of security management.
What we need are "security manager"s, "security auditor"s, and "security scientist"s in addition to programmers. A security manager would oversee software development from an architechtural viewpoint and manage the software developers/patches. Security auditors would review new code patches for vulnerabilities before submitting thier opinions to the security manager. Generally each patch would be independently reviewed by at least 3 security auditors, and the manager would be able to draw conclusions from the opinions of the three auditors. A security scientist models the threat model that the application is designed to protect against and develops the practices that the code base needs to follow in order to be secure.
IMO they are back-doors they don't want closed. Look at adobe flash how many holes have been patched over the years. Windows, them too and many more So ya back-doors they don't want to shut. Too much data they want to take that has nothing to do with making their products better. But will make them plenty of money
Jack of all trades,master of none
"Does it compile? Then it ships!" per-quarter profit margins demand it!
Laziness and Usability.
Usability really comes back to laziness most of the time.
The other obvious issue is that the chaining of independent "design compromises" is often what leads to full blown compromises.
Often companies make 'security teams' that go in and tackle the security problems so the other developers don't have to. This helps with things like, say, bundling third-party libraries with known CVEs, and answering security concerns *when the developers bother to think to ask*. However, so long as your rank and file developers don't think about security and how an attacker would go at their code pretty much all the time, there's no way a security team is going to be able to keep up with the 'organic' code, which contains many design decisions that no one even thinks to bring up for security review.
XML is like violence. If it doesn't solve the problem, use more.
Laws of physics or materials don't change (for mech engineers) - things change in computing like mad by comparison
E.G. - As new gTLD's were added, it made ME have to go & add them to my code for APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ to test endings of lines in hosts for VALID tld - otherwise remove it & MINUS me doing that, my program would have missed a TON of malicious sites on new gTLD's (many have $1 price for domains w/ 255 subdomains beneath 'em - gTLD WAS ATTRACTIVE TO MALWARE MAKERS more than ANYONE!) & gTLD busted a LOT of others' code!
APK
P.S.=> No bug's turned up in my program to date since 2012 but I wrote my code myself not using 3rd party libs/dlls (All per my point here https://ask.slashdot.org/comments.pl?sid=11386999&cid=55600479/ I noted as a 24++ yr. professional dev. )
... which includes sql injection, buffer overflows, and lots of other problems.
Companies do not care about security, because they see no value in it. They rush their own developers to release software, and never ask them to focus on security.
It's not that they don't care about security (although they often don't). It's because, in the competitive environment, the "invisible hand" separates the companies into "The Quick" (pun intended) and "The Dead".
For each new computer-based market opportunity there are typically far more companies trying to get to product than there are niches for them. The first one, two, or three will get through the "window of oppotunity" and take the market, and the rest will be left out when the window closes - perhaps to die, perhaps to move on to some other opportunity, rinse, and repeat.
To get through the window before it closes, development has to be fast. Something has to give, and practically EVERYTHING that gives makes security holes. So the Pointy Haired Bosses tell the workers to get the product to market and THEN worry about fixing the security holes.
Some of the developers make things secure anyhow. Most of them find the window closed when they're ready to ship, because the ones that did what management told them already got to market with the features working and the infrastructure made of swiss cheese. They took the whole market - before the bad guys discovered the holes, exploited them, and the media finally noticed.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
... but the one posed by the article's title comes close.
Given that most widely-used OS'es start from a base of languages that are not secure with manually-managed memory management, that most OS and application programmers are not (and I'm being charitable here) security experts by any means, and that software processes to mitigate these issues are still often pushed aside for "business" reasons when not deprecated in the name of agility, a better question is "How do we turn out software that stands up so well to constant battery?" The answer lies in oftentimes heroic actions on the part of a software team as well as endless iterations of testing and defect fixes. Neither set of actions is particularly transferable or scalable, but with constant influx of cash from customers for whom insecure software is better than no software at all and a constant flow of fresh programming minds, they are certainly and sadly sustainable, which is why such practices persist.
That is all.
If you look at the code stacks, you'll actually see that *most* code wasn't written this century. (OSes, libraries, toolchains, lots of production applications)
We as programmers build on the work of those that came before us, *most* programmers these days don't understand security and it's the best we've ever had:
'70's: "Wow look, it printed Hello, World"
'80's: Hey we got those two completely different systems to talk to each other over a serial link (or token-ring if you were really unfortunate)
'90's: Hey neat, vendor X is now supporting the IP stack, I can now contact one of the (small number of) servers on the internet
'00's: hey someone is port scanning my system, I'll block them, maybe think about a firewall
'10's: [management] "deploy, deploy deploy", WTF am I getting hacked every 5 minutes ?????
Because security is a cost center while new features are a revenue center. The executives who ultimately decide priorities, budgets and schedules are taught to minimize costs while maximizing revenue. The results are, obviously, highly predictable if supremely disappointing.
There I said it. It allows for lazy programmers who have no clue what they are doing. .net, python, rust, and the list goes on
Java,
This was Microsoft's stand for the longest time, it cost too much for the extra time it took to test.
"It all comes back to one programmer being careless," Paller said. "You wrote a program, asked someone for input, gave them space for a certain amount of characters, and didn't check to see if the program could take more. You are incompetent, and you are the problem. One guy making that mistake is creating all the work for the rest of us." https://www.cnet.com/news/stud...
The sad thing is "doing it right" doesn't take longer and can even go faster. An easy example is SQL injection attacks: use parameterized queries, and you have no problem with them. It takes no extra time to do that, and it eliminates the attack vector.
"First they came for the slanderers and i said nothing."
Another thing to think about to understand it is that for thousands of years, people tried to make secure locks; every time locksmiths figured out how to open them - pretty easily. Security is very hard. Offline, it's okay that Pop-A-Lock can open your lock for $20. That's the accepted level of security.
Online, people thousands of miles away can use computers to try to crack the security on tens of thousands of victims, while the attacker is sleeping. They don't need to be skilled attackers, they just get hacking tools (software) from the relatively few people who are skilled. Popular web sites can be attacked a thousand times per day or more. Not even Chuck Norris can fight off a thousand attackers every day and never lose. On the WEB security is very hard. You MUST have layers of security, because somebody will break through the first layer, and the must have well-disciplined operational security.
* Medeco has finally done a reasonably good job of making physical locks that are hard for a locksmith to open. Not impossible, but hard. Breaking a window is still as easy as ever, though.
and his fan boys think that security is something that just happens after you fix enough bugs. They ignore the fact that no software has ever been bug free and it only takes one obscure security bug to make a program insecure while one regular obscure bug is irrelevant to the overall quality of a system. So rather than give up a few percentage points of performance to neuter whole classes of security problems, they play whack-a-mole one bug at a time. They have already given up performance by writing in a semi-high level language like C, but that was mostly to make it easier for them to develop new features. Preventing potential security bugs from ever being a problem, doesn't get them either fame or fortune.
Admittedly, Linux and its benevolent leader organizational structure is fairly unique as far as software development is concerned, but the attitude that security is just the result of fixing enough bugs rather than careful design and use of appropriate tools/methods is fairly widespread. Plus the lack of any incentives to spend time on security or give up any potential performance is also pervasive.
Unless attitudes (incentives?) change, we will continue to see a long stream of problems.
Instead you rely upon languages to handle the safety and optimizations your lazy ass couldn't be bothered learning in the first place.
And you wonder why someone else guts your shit - they understand the basics which you failed to learn.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Most processors are designed around the memory-tape stack+heap architecture that is fine in principle (it works and is efficient) but memory security has always been an afterthought. In early computer designs, you weren't concerned with intentionally malicious code - you were dealing with mistakes made by your own users. If the stack smashed into heap, or you pointed to the wrong address, or loaded too much data into an object - you would find out the hard way and avoid doing it again. The external threat does the opposite, and intentionally sends signals to trigger errors and poorly documented features while keeping the system operating. The hijacking of these types of platforms is possible because access to shared memory space has been granted to everyone and everything - and it shouldn't. We foolishly rely on our operating systems to enforce things that should really be established at a lower level. Ideally, all external interfaces to a computer should have dedicated and isolated memory spaces with no direct interaction from the CPU... perhaps something like.. http://www.poxix.com/eal
And I'm fairly confident that this is typical across the tertiary sector.
Now, I'm not claiming for a moment that university is the only way to learn IT skills, or that learning ends the moment you get your degree (despite what many of our students seem to think sometimes). But a lot of our students come out of university and start writing production code with NFI about whether it's acceptably secure or not.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
then decides to try to play whack-a-mole. They don't design security in from the start like Linux and especially Red Hat.
Maybe because also every company is doing Agile Scrotum, and they're Not Doing Agile Right(tm).
That's true . In fact we can SAVE developers tons of time working with them to be more secure. Security isn't just confidentiality. It's making sure the software works correctly - even when someone is trying to make it break. Fixing bugs takes a lot of time. Following security best practices means the software won't mess up even when someone is trying to make it mess up. That implies it won't mess up when people are using it normally - far fewer bugs to investigate and fix.
It's also availability - avoiding DOS by making sure an application won't crash, even under heavy load. Ever had to re-architect something because it couldn't handle the load? Ever had to do that as an emergency because it can't handle the load *right now*? Had the whole network go down because one switch had a power supply failure? Consulting with your security person at the architecture design stage can help ensure the design is able to scale, and doesn't have single points of failure that can bring the whole thing down. Following good security practices means most emergencies are eliminated because it's designed to be robust enough to keep working correctly - even if someone is attacking it, and certainly when nobody is attacking it.
Wait until the Qbits get here. I think the concept of security is going to change by 10^1000. There can't be any such thing as a
"password" that is knowable by humans. Your winkie little deterministic, classical physical computers are in deep shit.
For most software, there is no consequence for shipping an insecure shitstain.
Therefore vendors cut corners and take risks as they are highly unlikely to be held to account for the consequences for their actions.
90-95% of cyber attacks/intrusions can be shut down by:
- patching OS quickly
- patching Apps quickly
- not running as root
- only installing Apps from trusted sources
- not using Flash/Java/Office Macros
- Using multi-factor authentication whenever possible
- having a daily backup
(Ie pretty much every iOS user)
You can bag Apple as much as you like, but their process appears to work: after 10 years, with > 1 B devices, thereâ(TM)s been virtually no malware on the iOS platform. Nothing else mass market gets close.
(1)
You should run all your critical software from non-writable (ROM) memory.
Nonwritable = noninfectable.
In that respect we should go "back to the eighties". In those days they built computers that could not get infected. The computer industry has to give up the concept of a patchable OS.
(2)
I agree with DogDude. (Same story; have been shouting this for years.)
If they can't give me a working OS (+browser+file editors+mailer etc) on a ROM I want my money back.
-- Zomboid
The primary reason is that software quality is down the drain. We actually know how to write software two orders of magnitude better than what we have now (the metric being bug count). There'sa single-digit number of companies in the world doing it. They are successful, and the business case is ok (less maintenance cost and issue-related costs down the road), but only if you look at it long-term and with a dominance of short-term thinking, well, we have the mess we have today. Startup culture especially is the enemy of software quality, because within 2 years you must be big or bust. That prevents investments in long-term quality and time-to-market is also critical, pressing on the timeframe.
The second reason is that we have abandoned academic (i.e. provable) software design. Again, there are a few exceptions, P3KI for example has a formal proof (disclaimer: I know the guys behind it) as do a small number of other projects. But most "security practices" are basically made-up. Maybe they are good, maybe not, you don't know because they're based on intuition, not proof or facts. A guy named Bell a couple years ago rightfully lamented this fact, and he has very high credentials (google "Bell-LaPadula model").
The third reason is that bad guys are lazy, incompetent and/or busy. It is incredibly easy to break into most systems, but most of the bad guys these days are in it for the money. That means they look for ROI as well, which means they attack only the weakest targets. That is why most of the stuff we see on the malware side, or on the hacker side, is not exactly rocket science. In 15 years of career in the field, I found a true zero day on a compromised machine once. And that in turn means that from a protection perspective, you can be quite secure with a more or less minimal level of security. Because as soon as you are not the weakest target anymore, 99% of attacks will bypass you and hit someone else. There is no incentive to really improve security baselines, because it doesn't pay out.
It's a shame, really. We made jokes about the quality of windows in the 90s. Now the joke is on us.
Assorted stuff I do sometimes: Lemuria.org
The fire code is written by the National Fire Protection Association, a group formed by insurance companies, in order to reduce their losses from fires. Underwriters Laboratories (UL Listed) who check products for fire and electrical safety - same thing. "Underwriters" means insurance companies. Insurance companies are professionals at analyzing and reducing risk and they do a VERY good job of it. They use very advanced methods to determine risk. I'd LOVE to see insurance companies get involved in IT security, the same way they are involved in fire safety. Ever noticed car commercials advertising their high IIHS safety rating? IIHS is Insurance Institute for Highway Safety, insurance companies testing cars to make them safer.
> Insurance can pay out on the promises, and the insurers themselves are borrowing against still future promises to pay, which when they come due can be rolled over or hedged and thus the cycle continues ...
That's not how insurance works. The insurance company uses mathematical models to determine that of they insure 10,000 customers with a given risk profile, about 1% of those customers will have a claim. The average claim will be about $3,000, suppose. That's $300,000 the insurance company will have to pay out this year. Divided by the 10,000 customers, that's $30 per customer in claims. Each customer also costs $3 for mailing invoices and such, so the average cost per customer this year is $33. Therefore the premium they charge is $43. $10 gross profit per customer.
Insurance companies aren't betting hoping they don't have claims. They have a million customers, of course they'll have claims. With a million customers, the law of averages kicks in and they can predict rather accurately how much the total claims will be this year. So then they set the premiums (their prices) for the year a bit higher than their costs.
The one big thing that can screw that up is a major flood. A major flood could have a million people making claims all at once. That's why insurance companies don't sell flood insurance. Only the government sells flood insurance. (In the US at least).
If you hire a music major as CIO, like Equifax, everything is possible.
What do we do when we need a new CPU? We go to one of the hardware sites and look at the performance tests. And then we compare the performance with the price, and choose the one that fits us.
Where is the security focus on this? Exactly where we asked for - nowhere.
But but but, we say, this should of course just be there. Well, no. It doesn't work that way. If you choose based on security, then much more effort will be spent on security. If you don't they won't. It will never be forgotten, of course. And obviously all manufacturers try to give us secure products. But when it's not the main selling point, then there is a limit to how much we will get.
And it's exactly the same for software.
It's the old saying: Cheap, fast or effective - choose two.
For many years, Java was basically the only way to write software that ran in the browser. It was with either Java or try to get web site visitors to install your custom plugin for your site. That's how Java got critical mass - developers who knew the language, books, libraries in Java, etc.
At that time, Java was only used in the browser because back then it was dog slow, inconsistent, and just generally not a good programming language - but it was the language browsers supported, so it was the language you had to use.
Java has gotten a lot better as a language since then.
I've been doing sec, both telecom and and comp for a long time. To be quite honest, I've left the business...for good. We can have all the technical discussions we want until we are blue in the face. The bottom line is, for me at any rate, I couldn't deal with being redundant and experiencing the same *blonde coma look* from management not taking these issues seriously and considering security breaches a 'cost of doing business'. There's no punishment, so companies don't and won't, change their business practices. I became fed up with the inter-department fiefdom wars and sysadmin/netadmin 'not in my job description' attitude. Those of us that have been doing sec long enough have experienced this. If you do security and you say you've not been a victim of it, then you're a liar and you don't do sec. Just like if you've been doing security long enough and you've not made enemies or mutual, personal, grudges...then you're a liar and don't do security.
Recently I was asked what it would take for me to put together a team and get back into the business and I said, "nothing would." When asked why not, I replied... ;-)
"People on the net, and in the security community in particular, are very territorial. These days most of the people that do security that are good and really good, do so behind the scenes. The one's with the faces that everyone sees, are either known and highly respected through their research or have made a name for themselves based on past exploits. As a whole, these days, security people are loyal to themselves...their fiefdom...gold...and lulz (which I had to explain). I further said, "It's going to take a Pearl Harbor level event to bring the entire security and dev community together with a singleness of purpose for a long, focused, duration...because at this moment...the war is already lost and trying to convince yourself otherwise is a waste of fscking time."
A little background on me:
1. In '80 I was already writing code in COBOL, Fortran, and Assembly, while my peers of the same age were learning goto loops in BASIC.
2. NORGCA11, was my personal play ground from '82-'88 and I was not a PacBell employee
3. Jello shots all night in the PBI NOC
4. SN is and always will be the GOD of IDS
5. VMS anyone?
Historically, data security has been mostly based on the concept of walls. Build a wall around the data center, build a network wall with routers and firewalls, build an access control "wall" requiring authentication... etc etc.
Today, though, data doesn't stay in a data center, on a particular platform... data goes everywhere. SaaS, PaaS, Cloud, Big Data/Data lakes, mobile devices, and whatever comes out next. We can no longer rely on the typical methods that made us "safe". An organization may have spent the past 20 years, developing "layers of security" to protect their systems... and now data has simply jumped the gap, and gone wandering about in the 21st century.
This is why the data-centric security model is beginning to really gain traction. With data-centric security, you apply the security to the data directly (encryption/tokenization), protecting key sensitive fields in a data set. A single centralized policy should be defined determining which business use cases need the real data, and which specific data they need. Then that policy is enforced everywhere, from the SQL server in the data center, to the mainframe to the cloud to your favorite SaaS provider or S3. Access to the key material is handled separately from the system, so that there is full seperation of duties between managing a server/database/Cloud service etc and managing access to the data centric policy. This means that "oops, my S3 wasn't properly secured", results only in leaking tokenized or encrypted data... with no access to the cryptographic key material. "Oops, someone hacked my DB Admin account", results in the attacker seeing only encrypted/tokenized data.
This allows an organization to begin to distort their security resources and layers to focus on the smaller group of business use cases where the real data must be available. Additional security controls, training, auditing can be focused on the users, systems and processes that are capable of accessing the data.
Human error, software and hardware bugs will always exist, protecting the data itself is the best way forward.
Hoping for some unaccountable process to help users is no substitute for software freedom. Hoping is apparently flatly incapable of addressing purposeful choices to not fix remotely-exploitable problems (whether bugs put there by accident or weakening something on purpose like Microsoft did with the Skype protocol to make it easier to spy on Skype users).
Proprietary software is often malware and there are plenty of instances where the proprietor goes unpunished despite years of anti-user aggression (Apple's iTunes being vulnerable for years allowed spying, Microsoft Windows ignored user privacy settings, Google admitted it tracked user location data even when the tracking setting was turned off). Each of these problems and many more could have been fixed for virtually everyone by sufficiently skilled and motivated users if the software involved were free software, but users were not allowed to inspect the software, improve the software, or distribute improved variants to others.
There are no guarantees of program security so a useful perspective focuses on how users can improve the chances they'll get software that does what they want. Hoping for something better is foolish, passive, and completely unnecessary.
Digital Citizen
Yes, the big issue here is that it's common knowledge consumers by and large refuse to be bothered to get educated
This is an enormously pernicious argument: The whole sales shtick hinges on "intuitive!" and "no training needed!"
Considering that consumers have been bombarded by that shtick for a goodly while, you really can't with any good conscience continue to blame consumers for doing exactly what they've been told to do: To shut up and consume. If you ever wondered why you should be careful what to ask for, here's an example: The industry asked for consumers, and got them. Turns out they're uneducatable, but that's how you wanted them!
So no, this is not the big issue. But it does show something else: A tendency to point fingers at things that aren't quite the real culprit. In other words, muddled thinking.
At this point it's instructive to look at an argument put forward by the late great computer scientist E.W. Dijkstra, who said that talking about "bugs" externalises the problem. Call them "defects" and it's no longer some external force of nature that crept into your code, allowing you to deny that the culprit is in fact you the programmer.
We actually also do that when we talk about "hacking" in the "modern" sense of "probable badness someone might possibly do with a computer somewhere in the vicinity". For if you go look at how the word is actually used, it really is used for just about any random thing that might be shown in poor-to-bad light. To the point of no longer carrying any useful meaning at all, except that vague sense of dread, that's actually more effective on consumers than on techies.
Yes, this also happens every time slashdot posts another story about the external cyber bogeyman, "hackers", who do unknown and unknowable things to your computer in the form of "hacks", thereby asserting the dangers of "hacking", whatever that may be. Slashdot with its current crop of editors certainly isn't the only culprit, the industry does it too, just about every journalist, even the government is guilty of this: The law against "computer hacking" outlaws it, but doesn't define what it is. That's bad law if there ever was one.
The point is, by externalising the threat, why, you can't own the failure and thus you can't be held responsible for the consequences. This is how the computer security industry marketeering is structured: The cyber bogeyman cometh, in fact is already lurking under your bed, so give us monies for a protective blanket.
Let this sink in: The computer security cottage industry does not exist to solve the problem.
They are consultants, in the demotivator poster sense. That is why they come up with the smallest tidbits of "security bug", give it a pre-announcement, an announcement, a press release, a fancy name, a website, and build a media circus around it. It's all about the show, not about the solution. They don't do big ticket things, they don't do real solutions. They do small stuff and selling subscriptions to keep the monies flowing. That has nothing to do with fixing things, but everything with making a good show of valiantly failing so there's always another day to try again.
They're selling security blankets out of new cloth for emperors. These are the security specialists. And you expect the non-specialist vendors to do better? They'll just give some monies to the specialists and claim they've done their "due dilligence" and that's the end of their culpability. (What other industry is big on this, and why is this so? Yes, the reasons are related. But I digress.)
Let me repeat: The computer security cottage industry does not exist to solve the problem.
and the bulk of the major software development companies out there aren't don't have leadership ethical enough to be able to resist taking maximum possible advantage of their naivety.
To the point that they promote the naivety in their marketing. Successfully, too.
Of course ther
And why are so many faulty pieces of software, websites even developed/used by people/companies with much more than enough resources? Incompetent, ignorant, careless, etc. attitudes systematically promoted at different levels by a system infected by arbitrariness since quite a few years ago when the big amounts of money came in and, with it, all the people only seeing software development as means (which they don't know/like) to an end (= money); a situation which, ironically, might have been tremendously beneficial if everyone had focused on what they are good at.
You can take as a reference my personal recent experiences. I am a senior programmer with a very heterogeneous background currently exclusively interested in working under high-quality/technically-demanding conditions. I am more than willing to prove my knowledge, skills, attitude at work, even by spending a relevant amount of time, but I am systematically not allowed to do so!! All what I find are random tests mostly focused on ridiculously small amounts of time (this is exactly how you can assess what a person knows! By setting up completely unrealistic conditions and forcing that person to get trained in that specific format, cheat it or prove irrelevant-for-the-job skills), abstract questions expecting very specific absolute-truth like answers (!!), looking at your public contributions in an extremely simplistic way (analysis performed mostly via counting stars, likes and emojis) or any other ridiculous resource meant to provide the fake impression that a person without knowledge can seriously assess what an expert knows. And all that without forgetting about random assumptions, prejudices and any other arbitrary output basically defining a system where the gatekeepers only let in those saying exactly what they want to hear: mantras of either very low applicability or requiring a proper analysis which never happens. Basically, unkowledgeable people deciding who are (not) knowledgeable?!
I have many other experiences on different fronts but all of them depict the same ridiculous reality: a so relevant field requiring a relevant amount of knowledge and a very specific attitude which is being managed at almost every level by people with virtually no knowledge and not even liking anything of that (thinking that the technical skills are secondary?!). Having so many problems you ask? I wonder why we are not seeing much more than that. In fact, I am pretty sure that there are lots of problems which either don't get any publicity or haven't been discovered yet. Lots of problems is the normal outcome of a highly specialised critical subfield cluelessly managed by unknowledgeable people. I am not saying that the software development industry has no place for non-technical skills, but all these people should synchronise their activity with the reality and never forget that the ultimate goal of their activity is to make sure that the technical aspects (about which they know pretty much nothing and might even not like) are being adequately managed.
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
My guess: Agile.
Especially when used as a silver bullet (ok, mostly due to cost saving, so "highly polished lead bullet" is probably a better term).
Ok, obviously not all problems stem from this. But one has to wonder how many flaws are introduced by having a couple of chat sessions with some customer and cobbling something together until he is happy (by how the screen looks), i.s.o. a proper design that keeps the need for security in mind.
...over, and over again.
Good software developers re-use mature code. Naive software developers don't.
It takes years and years of experience (for some reason) to understand how important "The Unix Philosophy" is. Startups like Uber don't want to pay for that expertise, they just want to produce a product as quickly and cheaply as possible so that they can start raking in cash. Startups are not focused on the long term at all. If they were, this kind of shit wouldn't happen.
Most of my software developer colleagues got their education between 2005 and 2010. Yet when they learned about databases and SQL they did not learn anything about SQL injection. Neither did I, but my education was in the late 1990'es. I did, however, already know about injection exploits because I read about them in a book around 1993. I don't know how old the book was, but other parts were outdated when I read it.
That SQL injection and preventing it (probably the easiest exploit to prevent) is not a part of learning about databases and SQL 20 years later, is a sign that nobody cares. Every new generation of developers need to learn by making the exact same mistakes as the older generations.
If you take a minute to look at the bulk of major incidents in the last year, it's mostly poorly configured Mongodb and S3 buckets.
Which, among other, is also due to the fact that :
- most of the major incident happen over the internet, and target huge online services where server hold gazillions of juicy information.
- Mongodb is an exemple of technology that is widely deployed online (so chances are it run on the targetted server, unlike say, an obscure piece of home grown PHP code on your own homepage), and that is relatively new, immature and thus still have plenty of exploitable bugs to get discovered (in addition to the fact that it is still in "let's add more feature" phase of development, instead of "maybe we should start paying a bit of attention toward security") and thus is a likely target
(As opposed to the linux kernel, which is very likely to be also running on the server, but has a little bit more maturity, and a lot more scrutinity to it).
- thus mongodb is likely to show up a lot in major incidents.
No SQL Server, MS Exchange or IIS in the list.
Sorry, waht are thes ?I have been hear about them yet ?~
Some new modules for Node.js ?~ Could you point me to their Github ?~
There's the occasional ransomware but given the market share of Microsoft products, it's not bad at all.
By "markter share" you mean "got completely obliterated out of the cloud/bigdata/server market" ?
Outside of the desktoip, and a few corporate on-site servers, Microsoft has become completely irrelevant.
Most specifically, it has nothing to *directly* do with the kind of big data caches that are attacked during "major incident", except maybe running one of the cloud service - Azure - that they might run on.
Thus of course, you'll rarely find them mentioned on the big data leaks.
Microsoft is still dominant on the (office) desk and office server.
- you'll find it targetted a lot by ransomware, etc. but that not a big major incident, just a huge constant flow of lots of small/mid incidents.
- it might play a role in stealing critical document from 1 specific user (e.g.: credentials or documents necessary to forge a successful social engineering attack), which then eventually could lead to a massive data breach.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The elephant in the room is that we are building on almost 50 years worth of insecure software that runs on insecure hardware on even less secure operating systems connected to an even less secure network... Honestly, it is amazing that all of it works, let alone be as secure as it is. Safe by design languages are going to help a lot, but it will take 20-30 years for enough of the stack to be rewritten.
-- $G
One of the first things I learned in Computer Science 101 was to test properly. If you do a proper internal and external testing you can actually prove that your code will do exactly what it should under any circumstances. There can no be any overflows or unexpected behavior because the tests will already have tested that and revealed the problem.
The problem is - even a very simple program requires hundreds of tests. A slightly more complex program quickly ends up with many thousands. I wrote a simple chess program (simulates just the board and validates moves, not any AI to make moves) and the number of tests required to test it was in the neighborhood of 300.000 tests. Doing such testing on an OS or major application requires billions of tests and that is simply not feasible. Then you cut corners and approximate, testing only a tiny subset and catch maybe 80-90% of the issues. But the devil is in the details and that's where the hackers find their gold.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
The MBAs have pushed software products to market without adequately testing and troubleshooting. The bean counters want to reduce the expense of research and development when it comes to software and hardware so the result is a crappier end product with security holes. The whole thing began when these business types discovered a vertical market based on support of the shitty software. They would just force a product still in beta onto the public, have the public buy the product and do the testing, and have the public pay for "support" when the inevitable problems arose. From a business standpoint, it's genius. From a moral, ethical, and quality standpoint it rings of a scoundrel.
Several reasons. One is that the imperative languages we use are inherently vulnerable to TOCTOU (race condition) errors. We should be using design level languages. However, while design level languages and architecture level languages have cropped up in academia from time to time, programmers - who are largely self taught - have not learned of these and don't want to know about them anyway, because it is more fun to just "code".
Another problem is that all of the incentive today is around producing more features fast. This is because software producers are not liable for damage caused by vulnerabilities. Until that changes, nothing will change. Most programmers know very little about application level security, because their employer is not telling them that is the priority. There is no incentive - if there were, programmers would respond.
It all starts with bad programming languages that give you enough rope to hang yourself with, or a gun to shoot yourself and others in the foot with. I'm not even a Rust fanboy, but consider Rust for future projects, as it is probably the safest language today (at least from a security point of view). And even better languages are coming.
At one time I worked for the NUSL in New London testing classified software for exactly this issue.
It easily triples the cost of development to offer an assurance of correctness without any feature checkmark to show for it.
When you are expected to offer more new features than the competitor each product cycle, without pressure from some regulator, testing is virtually entirely a time and money sink.
Simply, the *potential* we have at our fingertips, with respect to computers, etc, is VAST. Our knowledge of how to use those systems, however, barely scratches the surface of the surface.
When someone with greater knowledge of those systems comes along and makes the layperson look like a digital chump, bad things tend to happen: either the more knowledgeable seeks to "break" the system, using it for something the laypeople don't tend to think the system can do, or the laypeople get bent out of shape with their ignorance displayed for all to see. In the latter case, people get defensive, try to implement rules and regulations to return the use of those systems back to their own comfort level...
The computer architecture is by design insecure and we are only applying bandaids at best. Without a fundamental redesign of the computer hardware architecture, there is no way to totally secure a computer...unless you unplug it and put it back in its box.
I would propose that while there are certainly a number of bona fide bugs out there that are simply legitimate oversights that just don't get caught, greed and laziness make up for the vast majority.
Greed and laziness are what drives the business side to make schedule demands that cause corners to be cut. And since security isn't a visible feature until it breaks, guess what gets cut first?
And then there is maintenance of security - the patches, security bug fixes, and so forth. That is a zero sum gain task for any admin or developer. It adds no visible value. And eventually the powers that be start asking questions like, "Why do we pay all these guys who neither write shiny new code nor install my printer nor do anything else that I can see?" But when these guys fail, guess who gets the axe?
Check your premises.
The reality is that as devices do more so does the potential for it to have flaws. The eternal cat and mouse will always be a part of technology no matter how devoted people are to creating secure software and devices. The other fact is we are dealing with multiple devices with many different OS's and software/apps. So while it may seem we have more exploits we really just have more stuff affected.
I sometimes ask the same sort of question. A lot of classes of vulnerabilities seem completely unnecessary. For instance, buffer overflows. Why is it possible to overflow a buffer? I think the kernel should just refuse to do it. It is easier to fix something once than ten thousand times, and asking companies and coders to "care about security" is trying to fix it in ten thousand different places. We don't see buffer overflows much anymore since the behavior of the systems have changed after twenty or thirty years of exploits. Now I'm sure this is at least in part due to my own ignorance of how the kernel works. I also suspect that the countermeasures are expensive and thus were not included in the interest of performance. End rambling old man tirade.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
> The one big thing that can screw that up is a major flood. A major flood could have a million people making claims all at once. That's why insurance companies don't sell flood insurance.
Maybe true for floods (and for high-risk areas in e.g. Germany you won't be able to get insurance either), but for other cases this is solved by insurance companies that do nothing but insuring insurance companies against the most exceptional claims. They have a HUGE amount of capital.
The reason for not offering insurance isn't necessarily that the risk is not manageable, it is rather that the cost of doing so would result in a product nobody would buy anyway - especially as at this price level you would have a self-selection effect, driving the prices and risk up even more. Would you buy a flood insurance that costs e.g. 30% of your house's value per year?
When Windows NT4 came out, security and even reliability took a gigantic dive as compared to 3.51. Why? Because Microsoft merged the Kernel and GDI memory spaces in an effort to improve graphics performance. It worked, but it horribly compromised security, as now a hole in the graphics driver meant a hole in the kernel.
This attitude is pervasive throughout computing. We are willing to sacrifice 90% of our security for a 10% improvement in performance. I, for one, would prefer to see a credible microkernel-based OS built for security first. If that means I'm wasting 10% (or even more) of my cycles, so be it. At least I'll be able to trust my computer.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Driverless vehicles are such a bad idea.
Rick B.
I would assert that it is a 99/1 ratio. Security is a solvable problem, and we have had rigorous, solid, time-tested methods of security since the 1960s and 1970s, be it physical security, network security, or security of a computer.
I did an "Ask Slashdot" about a similar topic a few weeks ago, but it was more inclined to why companies have no interest in security, because (to them) security has no returns.
The problem is that we already know how to do segmented operating systems, windowing systems that have varying levels of security, application security, solid encryption with good key management, secure tunnels. All mainstream x86-64 and ARM CPUs come with AES in hardware and a hardware RNG (even if you have to run it through Yarrow like FreeBSD does, just in case.) The issue is that developers cut corners. Why use a 4096 bit key, where big-O for this is O(n^3) when you can use 64, 64 bit keys for a fraction of the CPU? Why use all 14 rounds for AES-256 when you can use just one? Why use a salting/hashing mechanism when you can just store the password as plaintext? Who will notice? Who will care?
Then we get to more fundamental things. Why should developers care about security at all? If they don't make their deliverables for sake of security, they get admonished for it in public at the daily stand-ups, if not eventually fired. If their code causes people to sue the company, then the lawyers are the ones handling that... not the devs. Even if there are consequences, they are less than not making the sprints.
Then, we get to the bottom line: There is profit to be had by insecurity. If a CEO finds out their company got hacked, they can short their stock, wait a few months, announce it, and profit tidily. Insider trading laws are easily skirted around, especially if there is a few months delay between the transaction and the announcement.
To;dr, security is not a matter of "can't". It is a matter of "won't".
The level of complexity in any non-trivial software system is so high it becomes impossible to test it all and guarantee its functionality. If hardware was able to reach the same level of complexity, nothing would work.
Sure, it is possible to make code very hard to hack, but:
a) it's much more expensive
b) you can't use the available open-source your competitors use so it means your product takes much longer to get to market, and
c) nobody really cares about it.
The lock on your house can be picked by a kid with two paperclips and training from Youtube. Are you going to go get a much more expensive lock that can only be picked by a professional? Wouldn't a burglar just kick the door in instead? You should keep your money in a regulated bank with government insurance rather than in gold bars protected by your front door lock.
The real question is "Why are so many companies storing gold bars in their hallways?" or really "Why are so many companies storing so much data that can be stolen and used to harm their customers?". If you securely delete data from your systems then you are 100% sure that hackers who break in next year can't get it. Companies are run by short-sighted idiots who know nothing of technology risks and buy into marketing that tells them customer data is "super useful" in spite of ample evidence to the contrary.
It is far cheaper to hire a contract place like Tata or Infosys to use their Java or C++ programmers in their offshore shop than it is to get a dev team which knows Ada well, and is able to program securely.
For one, there's a full stack of APIs that are insecure. Something as simple as sprintf() and/or sscanf() in the C programming library tend not to use bounds checking by default, the user has to explicitly remember to use them. Then there's things like SQL injections, etc. The various tutorials teaching people how to code guide them towards the insecure practices that cause these problems as well.
And, you can't fix these problems until you do a full-scale rewrite of the insecure APIs, breaking 30+ years of software compatability.
I'm a software development professional and I only know well a few corners of the software and operating systems universe.
I've met people much smarter than myself, who knew several times what I know about every technology under the sun, yet nobody has in their heads the entire technology stack - from silicon to circuits to logic to BIOS to CPU instructions to operating system to multiple levels of abstraction on top.
I've been thinking about this a lot lately when I get frustrated with my own devices and my own software: everything you build, no matter how carefully, is interfaced with several things that you know only the most tenuous bits about.
Not even the most well-informed security experts can keep up with all the services and modifications that are live on a typical laptop or regular desktop. It's too much - nobody has the time, let alone the intelligence, to see it all and fit it all together.
It's sheer quantity - there are so many ways software can go wrong. There are so many ways your computer can be accessed from the outside world. There are so many ways you can mistakenly click on something that compromises your machine.
And everything else people say is true - many devs are lazy or in a hurry, many are incompetent, and many software vendors have no idea what they're unleashing on the world - they're just desperate to release the features that matter to them.
I honestly believe until we go back to massively simpler architectures in both CPU design and OS design, this will be a simple, basic, ominpresent fact of life.
The problem is lazy coders not doing input checking and cheap management not understanding that input checking is important. If all coders did input checking all the time in their code, 90% of vulnerabilities would magically disappear.
Mark Minasi wrote a book called The Software Conspiracy. People just don't give a shit about secure software.
And most people just don't know how to write secure shit, and don't care about learning.
How many developers know about OWASP or have taken and finished all the training materials OWASP offers? Why haven't they?
I cannot speak to your "Data Diodes," which sounds like a marketing term for a firewall (several types of common network interfaces have, for performance reasons, separate send and receive lines) or your virtual machine idea which resembles a micro-kernel architechure with container based applications.
Concerning principal of least privilege itself, it can be applied to end-users or "system/application resources/providers," e.g., services (which I shall use a blanket term). From a programming point of view, this involves having a sufficient granularity of privileges which then can be assigned to roles, groups, users, etc. The one configuring and managing the security of the system only gives access to users and services that require it: an end-user might need to the privilege to change the current display settings or a service might need the privilege to access the filesystem while temporarily inheriting the privileges of the caller. Those would be given the privileges they require, and no other. As another consideration, from a programming view, let us say that the service needs the privilege to check the status and potentially start another service, but only while initializing. The original service would be given that privilege, but as soon as it is done initializing it, it would, in more colloquial terms, waive its right to further check on and start other services.
One of the first difficulties is cost versus benefit. If the business needs the application in one month (to use the extreme, yet common excuse of "otherwise we miss the market and goes closes doors"; although "we'll fix it later when we're caught up" is pretty common as well), if there are exactly two users of an application in the specifications with reasonably well defined roles. The might decide to forgo the cost of a granular system for a fixed role system. As long as there are only two types of users, this is not a problem. If users' responsibilities become more specialized or overlapped, then the business will need to make the decision on how much it is willing to spend in money, time, and development resources to change the system, assuming that it even has any to spend. This is even before considering the impact of changing the security model has on any user, application, service, or business process downstream. This also does not consider the human element of "I'm the boss/VP/CEO, I should be able to change the database or log into any system any time I want" or similar scenario.
Even with such things, principal of least privilege is not a silver bullet. A common task for a user is to open a file. Let's say, for example, that the file is clip art file and a "non-privileged user" cannot import it into their document and the program crashes. The user submits their ticket. We'll say that a IT helpdesk (arguably with sed -e 's/p/l/gi' been applied) member just has finished a dozen requests that requires escalated privileged roles carelessly remains logged into their separate superuser/admin account to work on that ticket. The ticket worker opens the word processor and tries to import the file. But then the clincher, the clipart file type is from an earlier era that where it was necessary to speed up the drawing by having it directly include kernel calls and the word processor just used the original library to display the file in the appropriate part of the document. The file displays normally, the worker emails the user stating they cannot reproduce the problem, and a newly spawned minimized shell task just downloaded and ran an installer for malware. Yes, the worker was careless and maybe the wordprocessor developer could have put some type of protection, but then why spend the cost of doing so if the library does the job and the problem was not detected since the developing company's developers and QA are not familiar with the fine details of the format or bugs in the library's implementation.
All software can contain bugs, but most bugs would be harmless, if most software were NOT written using C/C++.
Thanks to C/C++, tiniest bug anywhere in any software, allows a hacker to take control of a computer system.
The same problem does NOT exist in the newer languages, but almost all software is still written using C/C++.
... because I know the answer.
I got my first computer in 1978 (TRS-80) and I've been doing digital shit ever since.
Appreciate that computers were standalone devices and like every other innovation (think cars and seat belts), people, including me, were very poor at predicting the future where every goddam computer in the world touch every other goddam computer in the world.
Going back to 1978, the OS had no need to self-protect because the only method of input was the keyboard and the only output was the monitor.
That "air gap" beginning set us up for failure in the future.
Once floppies hit and computers first got "social," the tech-savvy lulz peeps feasted on the vulnerable core of the OS.
Hobbyists launched the PC, and that culture exists today where the user is expected to be knowledgeable regarding consumer electronics.
From the business side, it's damned near impossible to retrofit OS for security and even harder to roll out a completely new, secure OS.
Security is expensive, even when it comes to keeping up with patches, and consumers want inexpensive stuff.
The next step is litigation against the vendors and gatekeepers of the data.
It little behooves the best of us to comment on the rest of us.
There are a number of reason that all contribute to this sad state of affairs, and unfortunately it won't get any better until something drastic happens, on the calibre of software developers becoming regulated like other kinds of engineers.
Ageism - There is a major preference to hiring young people over old. Young people are cheaper and are willing to work more ridiculous hours. The problem there is you push out the people who have already made the mistakes and learned their lessons, causing the same mistakes to be made over and over again.
Education is frowned upon - There's a major shift towards people who are "Self-taught", etc. While having a degree isn't a guarantee that a person is any good, it's a hell of a lot more likely that they are. It's a Dunning-Kruger issue. I've run into a number of self-taught people who had absolutely no knowledge of all sorts of critical concepts that a competent developer should know. How to write de-coupled code. How floats work at the silicon level. The importance of Big O notation. How to write certain algorithms efficiently. And the resulting code quality is understandably shit. Just look at Facebook's mobile apps... last I checked they came to approx 750MB for a f__king messenger app and a newsfeed viewer.
Lowering the bar - Companies et al are constantly trying to lower the bar for new people to get into development. This feeds into the above, because it means it's easier for people who know little to slap something together. The problem is that this leads people to think that they actually know what they're doing when they don't, and the resulting mess is there for all to see. Wordpress is a great example. Not just the main package, but their "community" of breathtakingly shit-tastic plugins that is a ginormous graveyard of poorly written abandonware that do a great job of contributing to Wordpress's reputation for being a security nightmare.
Old is busted, new is hotness - For some inexplicable reason, everyone seems to be convinced that new is always better than old. Software is the only industry where people not only reinvent the wheel over and over again, they *revel* in it, and other developers eat it all up, even when that technology isn't time tested and has an excellent chance of getting trashed after barely a year or two. Javascript is a fantastic example of this.
Silver bullet paradigms - People flock to agile and continuous delivery as if they will somehow magically solve their development pipeline problems. But it does not and cannot replace spending a little bit of time planning out a vision of your product, etc.
Finally, companies are not held accountable for their products unless someone dies, and even then only maybe. Too many companies treat software developers like factory workers instead of professional engineers, which helps facilitate all of the above, and as long as they can get away with no accountability to their customers, they have no incentive to do things properly.
Software:
o) Easy to use
o) Low development costs
o) High security
Pick any two...
It is possible to produce incredibly high quality software. The design, implementation, testing can all be made extremely rigorous. You can test over every possible environmental condition, fault condition, do 100% unit testing and even testing that aims to evaluate 100% of every possible code path. And, for some applications such as aircraft avionics systems, that is exactly what manufacturers do. For a "simple" system that might mean a few million $ NRE; for a more complex one such as avionics you could be looking at $140M NRE just for the design, implementation and testing, plus big bucks for the high reliability hardware to run it on.
That's a huge investment. In the case of the avionics set, the NRE for a new military avionics system (before you've even bought the actual system for a single plane) costs more than an entire offshore patrol vessel for the Navy. The spend is done to prevent bad software killing people. Even in these systems, problems can happen.
And even that avionics set is a ridiculously simple piece of code compared with the amount of code there is in something like Windows, or Office, or Flash, or Android. It's simply mind boggling to imagine the amount of testing that would be required to get a fair percentage of code path execution coverage.
Your average software house simply can't afford to spend this. They aren't making products that could kill people, the customers want their software as cheap as possible (especially the stuff that goes in essentially disposable devices like an IoT lightbulb) and there just isn't the demand.
You mean of those REPORTED?
If you think that this is even possible, please learn about the halting problem.
The insurance industry is nothing more than a legalized mafia protection racket. Our healthcare system wouldn't be such a disaster if insurance wasn't involved. "Hey, you need our protection. [Little Billy holding baseball bat.] You wouldn't want little Billy here to have an 'accident' with your kneecaps. Pay up or something bad MIGHT happen to you."
Good software developers evaluate the source code to the software they use BEFORE using it. Unfortunately, good software developers are hard to come by.
Certification programs are much more effective at producing better results. For example, FIPS 140-2, while a tad obtuse and certification is expensive, only lets the best crypto software reach a certified status and policy dictates that the U.S. government can only use such software.
As you know, CGI programs run on the server. To do something in the *browser*, you had to use Java, or maybe Flash.
> And the Applet never caught on for too long.
Only for five years or so, but long enough to achieve critical mass since it was the only real option. ActiveX (formerly known as COM, formerly known as OLE) was very much not designed for the browser in the first place, and only worked (kinda) in IE, so it wasn't a real option for internet sites. It was used a bit for intranet.
I am generally in the camp that says, this phenomenon is a result of programmers being educated, learning their craft before the internet was a big thing. Or they were educated/trained in a fashion that did not stress security focus on application development.
It's not like it's difficult to oops. It's super easy to think to yourself 'this will work fine,' and as soon as it's done, yer QA finds a million problems. Programmers while awesome, aren't very good at seeing their own mistakes. Just as a novelist needs another pair of eyes to proofread their work, programmers need QA and code audits to check their work.
This is where the REAL problem lies. QA is not really a thing anymore. Why pay a QA department when you have droves of sheeple on the internet that will happily test your product for you. Hell, often they'll PAY YOU to play with your garbage. So QA is pretty much nonexistent. I'd have to assume if you got no QA, you probably don't do regular auditing of your code either, since that costs money and time.
As a side effect of sheeple QA, some of your more serious 'flaws' might go unreported. Some sheeple are wolves and will hold their findings to themselves to exploit later when you least expect it. Or sell the exploits to others to make a buck.
So bottom line, if you want quality applications, you have to pay not just the programmers, but a QA and code auditing process too. And until companies bring back *REAL* QA, this will continue to be a serious problem that won't get better, instead it will just get worse.
As a side note I also want to point out, there's a lot of one-man development going on in the app-space, especially around smartphones. This is another major problem. As pointed out above, programmers aren't good at seeing their own mistakes. One-man development suffers even more from lack of proper QA and auditing.
Insurance is something that pays to cover risks, things that probably won't happen to you this year, and the expense would be more than the customer afford to cover out of their own pocket.
For example, home insurance will replace your house if it burns to the ground. You buy insurance because you couldn't afford to buy a new house out of your own pocket. You don't insure against needing to replace a toilet paper holder, or paint the walls, or weed the garden. These are ordinary, expected expenses that you just pay.
Car insurance will replace your car if it gets totaled. The average driver doesn't expect for their car to get totaled, and can't afford to pay for a new one with their own cash. Car insurance does NOT cover gas, oil, tires, spark plugs - ordinary, expected expenses.
Modern US health care plans get involved in every little $30-$60 doctor visit, and all the bureaucracy and red tape doubles the total cost of simple things like a checkup or vaccine. That's NOT insurance. Insurance is for unexpected events that you can't cover from your own bank account. An annual check-up, or flu vaccine, is both expected and affordable; it's not an insurable risk.
We used to be able to buy medical INSURANCE, coverage for *unexpected* events too costly to pay from your own checking account (ie major surgery or catastrophic illness). That was fairly affordable. For the ordinary, expected health care expenses you kept a few dollars in the bank, and later in a specific bank account called a Health Savings Account. Over the years various things have forced more and more crap to be covered by "health care plans" - you can't just buy medical INSURANCE anymore. That's added a lot of paperwork expense to what used to be a $25 visit for a sinus infection. Now you have $25 worth of doctor time and $30 spent on paperwork with the healthcare plan and government, so it costs $55.
Intellectually inferior people pushed into positions by "equality"
Anything we do is prone to mistakes. End of.
indians
Too many programmers are brought up on bad code, and copy and paste examples that are going on the internet. It's not ideal, and until we demand good code examples all around it's going to continue to happen.
you're an idiot.
they cheat.
don't be a fool, for all of your life.
Intel and everyone else is compromised by cloak and dagger types who want Total Information Awareness and complete supremacy in the digital space. As long as they value access and control over robust secure infrastructure, everything will stay exploitable. Good luck building your own chip foundry to fix the problem.
Ever work for a software company? Any company for that matter. There is something called a deadline. Pack as much as you can and get it all working before some date. As you get closer sometimes things are removed. Not just software, happens in the auto and other industries. Then it's released.
No magic yet. Things still have to go through old fashioned testing and code reviews.
aka https://en.wikipedia.org/wiki/...
Casteism
Car maintenance such as replacing warn tires helps prevent crashes. You don't have the Walmart deal with your car insurance company every time you get tires or an oil change.
Maintenance of your home's appliances and electrical helps prevent fires. You don't call out your home insurance company to replace a worn $5 outlet - you go to Home Depot, spend $5, and get a new outlet. If you did ask Home Depot to fill out forms and bill your home insurance company, then wait to hopefully get paid, that$5 receptacle would cost $15. All that extra processing and time waiting to get paid costs money.
Have you ever noticed that your doctor's office probably has one doctor, one nurse, and two or three people handling paperwork for the healthcare plan billing? Want to make a guess why a visit to the doctor costs twice as much here as it costs in cash countries?
They aren't motivated enough to spend a ton of money on security.
Money can not buy security. Reducing the resources available will definitely detract from security. There is no simple answer relating to security that fits within our "modern" corporate environment.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen