Ask Slashdot: Is the World Better Or Worse Because of Security Tech?

Slashdot reader krisdickie is a developer for embedded devices (and many other systems), and spends a lot of time being proactive about security. This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my team) would have been X times more productive or have come up with some amazing new concept or feature, if we didn't have to deal with implementing security measures.

In a utopian world, where there are no bad actors, we would have likely forfeited many of the systems and ideas that have been put into place to prevent bad things from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?

Or are we just losing precious resources and time dealing with the necessity of protecting ourselves from the perilous few?
Share your own thoughts in the comments. Is the world better or worse off because of our ongoing development of security tech?

Seriously?

[RobbieCrash]

What an asinine question.

Of course we're worse off because there are bad people in the world. If everyone was a magical completely altruistic person who did nothing but make the world a better place, the world would be a better place.

Necessity is the mother of invention

[Kobun]

Human 'bad actors' are only one source of adverse conditions for computing. Many security features double as stability and error-checking features. I think that the author's question is ultimately a silly one because of Hanlon's Razor - "Never attribute to malice that which is adequately explained by stupidity". I think most people have seen terrifically destructive users who had no malicious intent behind their actions. Even in a utopia, humans are still human.

We had our decision point in the 80s and 90s

[ctilsie242]

In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.

However, what happened is that companies took the easy route. Windows had no innate security so the whole firewall/castle model of company security was formed, where security was done by the network fabric, and not the endpoints. This worked for a while, until malvertising and Trojans allowed malware to attack anywhere.

These days, security is pathetic in general. I have heard "security has no ROI", "the hackers will always win, so why waste money?" and other claptrap for over a decade. In fact, because there is no real criminal penalty, an egregious security breach makes the top levels of a company a lot of money because they can short their stock before making the announcement public, especially if they can keep the breach under wraps for six months.

IoT devices come to mind as a specific example. Why even bother with meaningful security when customers are forced to buy your version 1.1 of a doodad because version 1.0 will get their stuff hacked, and cannot be upgraded? Especially because the money with IoT is the analytics coming in, not the actual purchase of the device.

Simple answer: Yes.

Aka "both". But by and large, worse, and this will worsen until we fix two things:

The atrocious state of our technology, IOW the "hyoooooooge" technical debt. That mountain is so big we don't know where to start looking at it. But it's still there. It's become so big it has its own abyss, staring at you. That makes it even harder to look at.

Our willingness to be oppressed by technology. It doesn't matter if it's because of some "security" threat or other ("for the childrun", "terrists", you name it), government convenience (e.g. face recognition, not just China but the US and Europe already as well, but also SSNs and many other tricks, many seemingly innocuous), "user friendlyness" (yes, think about that one for a bit), faux-"security" ("secure boot" isn't about security), or any other reason. It always comes down to "who is in control?" and if it's not you, it's someone else. And if it's someone else, then the tech doesn't exist to empower you, but to empower them and by extension it becomes a temptation to use it against you, IOW a tool of oppression waiting to happen. Not because of any ideology, but because it's there, it's easy to use, it's powerful, and power corrupts.

So yeah, by and large the net effect is negative, will remain negative for the time being, and the people to do something about it, well, that's squarely us. So get to it, you slackers.

Re:I'd - sadly - say better.

[dgatwood]

It's not even that. The answer to the question of whether security makes things better or not in general is straightforward: It depends on whether the cost of the security is enough of a nuisance to exceed the projected lifetime benefit. And that largely depends on context. I'll explain by analogy.

I grew up in a small town in West Tennessee. Lots of folks around town routinely left their houses unlocked. It was that kind of town. There were a few thousand people, and everybody knew everybody, or if they didn't know somebody, they knew someone who did. In that context, it didn't take much security to keep things safe, because most people are good people, and if somebody from outside the community was wandering around, everybody knew that the person was an outsider if nobody out of a group of three or more people recognized the person. Thus, a bad person from elsewhere would arouse enough suspicion to be noticed, and would probably be thwarted in whatever nefarious deeds he or she was planning, unless it was just minor mischief like TPing the house of somebody that nobody really liked much anyway.

Now, I live in the Silicon Valley. I know two of my neighbors. Thanks to work and church, I know people from various parts of the area, but they don't live nearby I'm reasonably confident in leaving things lying around at work for precisely the same reason that I was reasonably confident back home—because everybody knows each other. But if you were to ask me if I could leave valuables lying around anywhere else, the answer would be "heck no," because nobody knows anybody, statistically speaking, and so everybody is indistinguishable from a potential insider or outsider. Even though most people are still good people, the odds of a bad person getting noticed are much lower. And with so many more people, the number of bad people is much higher even if the percentage is the same, which only compounds the problem.

The same problem exists with technology. Prior to the Internet, when computers were basically devices that you interacted with locally, security didn't matter that much, because most people are good people. When computers became more connected, that became a problem, because even if most people are good people, the bad people can get to your systems from anywhere in the world, so it only takes a few bad people to ruin everything. And because the pool of people potentially accessing your system is so much larger, the ability to distinguish good people from bad people is diminished.

So to make a long story short, computer security is a necessary response to the realities of a more interconnected world. Would things be worse without all that added security? Yes. Does the security actually make the world better? No. It just keeps things from unraveling in the presence of interconnectedness that does make the world better. The real question is whether that distinction matters.