Slashdot Mirror


Ask Slashdot: Is the World Better Or Worse Because of Security Tech?

Slashdot reader krisdickie is a developer for embedded devices (and many other systems), and spends a lot of time being proactive about security. This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my team) would have been X times more productive or have come up with some amazing new concept or feature, if we didn't have to deal with implementing security measures.

In a utopian world, where there are no bad actors, we would have likely forfeited many of the systems and ideas that have been put into place to prevent bad things from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?

Or are we just losing precious resources and time dealing with the necessity of protecting ourselves from the perilous few?

Share your own thoughts in the comments. Is the world better or worse off because of our ongoing development of security tech?


  1. Seriously? by RobbieCrash · · Score: 2, Insightful

    What an asinine question.

    Of course we're worse off because there are bad people in the world. If everyone was a magical completely altruistic person who did nothing but make the world a better place, the world would be a better place.

    --
    Keep on knockin'
    https://robbiecrash.me
    1. Re:Seriously? by Jeremiah Cornelius · · Score: 1

      This article touches on many of the overall issues, implicit in the "question", as it is.

      "It’s time to kill the web"
      https://blog.plan99.net/its-ti...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Seriously? by jellomizer · · Score: 1

      Security and Convenience have always been at odds.
      Now new security tech does help make some things a bit more convenient while keeping a reasonable (not superior) degree of security.
      Such as biometrics like fingerprint reading and face recognition allow you to keep devices secure enough against the casual bad actor ( the majority of them ). As well with the advancements in encryption allows a lot of extra security to go on without much user interaction. But still it isn't faster and easier to use these systems with all the security turned off.
      Now one of the big issues that I see today are two groups of thought.
      One group who doesn't pay attention to security at all: Either they don't understand or don't care of the impact to everyone else about the security of their devices and products. Normally their reasoning is why would anyone want to hack me, or hack such a device. Not realizing any hack gets you a bit further into a network which could open the door for further intrusions.
      The second group who thinks their stuff is more valuable for what it actually is: Here too much resources are put into fixing the issue. Too much productivity is lost and time spent protecting data that isn't worth the expense. This makes the data so difficult to get that it isn't worth keeping. And often with this group they will look at the millions of dollars they put into security and often forget a tiny hole which still doesn't make them fully safe.

      The problem with the internet isn't that they are more bad people than before, but the bad people can hit more targets at once for less effort. A burglar in the 1980's may be able to break in to a couple of houses a night, at great risk, perhaps getting enough goods to support him for a week or month. Today on the internet you can try to break into millions of computers a day (And normally make the same amount of money) with less chance of getting caught, or getting attacked by a dog, or an armed neighbor.

      Security tech makes it worse, but only because the bad guys are being more insidious.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:Seriously? by Sique · · Score: 2

      This mostly misses the point. Security is much more than protection against bad people. This might be a very visible and easily explained effect of having security, but security also protects against mishappenings, mistakes, accidents, errors, all the little nuisances which disrupt the intended way of running things. Even if all people were saints, we still would need security.

      --
      .sig: Sique *sigh*
    4. Re: Seriously? by Immerman · · Score: 1

      Oh, sure, I can imagine such a place - but that wasn't the proposition: a world full of truly selfish people would care for ONLY themselves. Meanwhile pretty much every social animal on the planet demonstrates compassion and altruism - without them we would probably never even manage to develop modern civilization in the first place.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. Better or worse? by Anonymous Coward · · Score: 4, Funny

    Is the World Better Or Worse Because of Security Tech?

    Yes.

  3. Sure, just ignore security, YOU IDIOT by Anonymous Coward · · Score: 1

    admin/admin passwords, not rolling out patches, leaving anonymous FTP open... what can go wrong? this article was written by a dumbass

  4. It depends by walshy007 · · Score: 2

    This is not a one-case-fits-all item.

    What kinds of measures specifically are being spoken of? Does it help or hinder end users doing what they wish? Are end users even a consideration or is this solely to keep a stranglehold on the device from a manufacturer's perspective?

    As with many things there will never be a single answer, what is presented is a set of varying trade-offs whose value will change depending on the desired goals and whose perspective it is desired from.

  5. Necessity is the mother of invention by Kobun · · Score: 5, Insightful

    Human 'bad actors' are only one source of adverse conditions for computing. Many security features double as stability and error-checking features. I think that the author's question is ultimately a silly one because of Hanlon's Razor - "Never attribute to malice that which is adequately explained by stupidity". I think most people have seen terrifically destructive users who had no malicious intent behind their actions. Even in a utopia, humans are still human.

    1. Re:Necessity is the mother of invention by Calydor · · Score: 1

      A good example would be the Melissa virus which, IIRC, started out as a proof-of-concept that accidentally got loose.

      --
      -=This sig has nothing to do with my comment. Move along now=-
  6. Missing Option by dohzer · · Score: 2

    Not better or worse, but as it should be.

  7. I'd - sadly - say better. by GerryGilmore · · Score: 1

    Sadly, because we, somehow, have allowed this great infrastructure we call "the internet" to be as filled with (security) holes as a colander.

    At this point, we're just imitating the Dutch boy quickly plugging holes in the dike while at the same time realizing that we'll run out of fingers long before all of the holes are plugged.

    1. Re:I'd - sadly - say better. by dgatwood · · Score: 4, Insightful

      It's not even that. The answer to the question of whether security makes things better or not in general is straightforward: It depends on whether the cost of the security is enough of a nuisance to exceed the projected lifetime benefit. And that largely depends on context. I'll explain by analogy.

      I grew up in a small town in West Tennessee. Lots of folks around town routinely left their houses unlocked. It was that kind of town. There were a few thousand people, and everybody knew everybody, or if they didn't know somebody, they knew someone who did. In that context, it didn't take much security to keep things safe, because most people are good people, and if somebody from outside the community was wandering around, everybody knew that the person was an outsider if nobody out of a group of three or more people recognized the person. Thus, a bad person from elsewhere would arouse enough suspicion to be noticed, and would probably be thwarted in whatever nefarious deeds he or she was planning, unless it was just minor mischief like TPing the house of somebody that nobody really liked much anyway.

      Now, I live in the Silicon Valley. I know two of my neighbors. Thanks to work and church, I know people from various parts of the area, but they don't live nearby. I'm reasonably confident in leaving things lying around at work for precisely the same reason that I was reasonably confident back home—because everybody knows each other. But if you were to ask me if I could leave valuables lying around anywhere else, the answer would be "heck no," because nobody knows anybody, statistically speaking, and so everybody is indistinguishable from a potential insider or outsider. Even though most people are still good people, the odds of a bad person getting noticed are much lower. And with so many more people, the number of bad people is much higher even if the percentage is the same, which only compounds the problem.

      The same problem exists with technology. Prior to the Internet, when computers were basically devices that you interacted with locally, security didn't matter that much, because most people are good people. When computers became more connected, that became a problem, because even if most people are good people, the bad people can get to your systems from anywhere in the world, so it only takes a few bad people to ruin everything. And because the pool of people potentially accessing your system is so much larger, the ability to distinguish good people from bad people is diminished.

      So to make a long story short, computer security is a necessary response to the realities of a more interconnected world. Would things be worse without all that added security? Yes. Does the security actually make the world better? No. It just keeps things from unraveling in the presence of interconnectedness that does make the world better. The real question is whether that distinction matters.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Technology is a gift by MrKaos · · Score: 3, Interesting

    The choice people have to make is if it frees us or enslaves us.

    --
    My ism, it's full of beliefs.
  9. We had our decision point in the 80s and 90s by ctilsie242 · · Score: 4, Insightful

    In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.

    However, what happened is that companies took the easy route. Windows had no innate security so the whole firewall/castle model of company security was formed, where security was done by the network fabric, and not the endpoints. This worked for a while, until malvertising and Trojans allowed malware to attack anywhere.

    These days, security is pathetic in general. I have heard "security has no ROI", "the hackers will always win, so why waste money?" and other claptrap for over a decade. In fact, because there is no real criminal penalty, an egregious security breach makes the top levels of a company a lot of money because they can short their stock before making the announcement public, especially if they can keep the breach under wraps for six months.

    IoT devices come to mind as a specific example. Why even bother with meaningful security when customers are forced to buy your version 1.1 of a doodad because version 1.0 will get their stuff hacked, and cannot be upgraded? Especially because the money with IoT is the analytics coming in, not the actual purchase of the device.

    1. Re:We had our decision point in the 80s and 90s by Alypius · · Score: 1

      It's stuff like this that makes me cry, but only because it's true. It actually makes me second-guess my second career; do I take my risk analysis and other skills to a company that will ignore it because "the hackers will always win," or do I go for a NSA gig where I can actually be on the offensive for once?

    2. Re:We had our decision point in the 80s and 90s by ka9dgx · · Score: 1

      In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.

      However, what happened is that companies took the easy route.

      Amen! However, also along the way is that the entire tech community decided that real security wasn't possible, it somehow became unobtainable. The problems were SOLVED in the 1970s in response to the data processing problems encountered with multi-level data security for Viet Nam, but we failed to heed the lessons, and eventually they fell into obscurity.

      Capability based security offers a way to have general purpose computing that humans can manage and secure. The core concept is to never, ever, trust any piece of code outside of the kernel of the OS. When a user needs to access a file, the application requests the OS to prompt the User for it, and is handed back a capability (like a file handle in Linux) to that specific file only. (As opposed to the current model of trusting the program to do only what it is supposed to do, and to never have a bug, or make a mistake.) As far as users are concerned, it doesn't seem much different from any other system, the dialog boxes might look slightly different, but as far as the application, it can only access the specific stuff the user has decided to trust it with, and nothing else.

      It's possible to have secure computing, but it's been a long time coming. GNU Hurd stalled out, Microsoft Midori stalled out, the only glimmer of hope I've seen lately is the Genode project, which might be something we can get to run in the next year or two. I estimate 10 more years before Capability Based Systems go mainstream.
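
The file handoff described in the comment above, as an added example (not part of the thread, and not code from any project named in it): a trusted "powerbox" opens the file the user picked and passes only the open descriptor to the application over a Unix socket. The function and file names are hypothetical, and the sandbox that would deny the application its own `open()` calls is assumed rather than implemented; both roles run in one process here.

```python
import errno
import os
import socket
import tempfile


def powerbox_grant(channel, chosen_path):
    """Trusted side: open the user's chosen file read-only and send only the fd."""
    fd = os.open(chosen_path, os.O_RDONLY)
    try:
        # SCM_RIGHTS transfer: the receiver gets its own descriptor for the
        # same open file, with the same access mode and no path attached.
        socket.send_fds(channel, [b"cap"], [fd])
    finally:
        os.close(fd)  # the broker's copy is no longer needed


def app_receive(channel):
    """Application side: all it ever learns is a descriptor number."""
    _data, fds, _flags, _addr = socket.recv_fds(channel, 16, 1)
    return fds[0]


def errno_name(action):
    """Run action(); return the errno name if the OS refuses, else 'allowed'."""
    try:
        action()
    except OSError as exc:
        return errno.errorcode[exc.errno]
    return "allowed"


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample files: one the user picks, one they do not.
        chosen = os.path.join(workdir, "report.txt")
        other = os.path.join(workdir, "private.key")
        with open(chosen, "w") as handle:
            handle.write("quarterly numbers\n")
        with open(other, "w") as handle:
            handle.write("not granted\n")

        broker_end, app_end = socket.socketpair()
        with broker_end, app_end:
            powerbox_grant(broker_end, chosen)
            cap = app_receive(app_end)

        try:
            result = {"read": os.read(cap, 64).decode()}
            # The grant was read-only, so the descriptor cannot be written.
            result["write"] = errno_name(lambda: os.write(cap, b"tamper"))
            # A file descriptor is not a directory handle, so it cannot be
            # used as a starting point to reach the neighbouring file.
            result["sibling"] = errno_name(
                lambda: os.open("private.key", os.O_RDONLY, dir_fd=cap)
            )
        finally:
            os.close(cap)
        return result


if __name__ == "__main__":
    print(demo())
```
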

    3. Re:We had our decision point in the 80s and 90s by dnaumov · · Score: 1

      People can't deal with trivial UAC prompts because they don't understand what's being asked of them and you are suggesting THIS?

    4. Re:We had our decision point in the 80s and 90s by ka9dgx · · Score: 1

      UAC sucks, quite frankly. It's a "this might be bad, do you want to do it anyway" type of question, conveying no useful information other than horrid boolean choice (Yes - your machine might get PWND along with everything on it, No - Your machine won't do what you want because of "Security")

      Replacing dialog boxes with "power boxes" makes almost no difference in terms of ease of use, but it shifts permissions away from the application code and puts it back where it belongs.

      Insisting that users can't manage their own computers because of stupid OS design choices is like insisting that people can't handle wallets and cash money because of the fact that Armored cars might occasionally have faulty doors which leave money flying across Indianapolis.

      When you have cash money, you only hand the clerk the amount necessary to pay the bill.... the current OS design would have you hand your wallet (and a non-revocable power of attorney) to the clerk, and just hope that they take the right amount out of your account before handing it back.

      Better, more transparent, easier to use, security is possible.

    5. Re:We had our decision point in the 80s and 90s by Anonymous Coward · · Score: 1

      The OS file dialogue is exactly how OS X handles sandbox applications for opening a file.
      It goes further, that it gives a file handle back that is signed by the OS, so it can store the user-given-permission in a preference file, so that the next time the application is opened it will still have access to that file.

    6. Re:We had our decision point in the 80s and 90s by 110010001000 · · Score: 1

      Ridiculous. A computer program can "touch" many files and also may need to run without user intervention. No one is going to answer "yes this problem needs to access djfhgkl.dll" prompts. General computers can never be secure because malware are just programs too.

    7. Re: We had our decision point in the 80s and 90s by Arnold Reinhold · · Score: 1

      A big factor was U.S. export controls. An operating system with strong security would require individual licenses to be sold in other countries. Remember 40-bit encryption keys?

    8. Re:We had our decision point in the 80s and 90s by ka9dgx · · Score: 1

      Why should a program even know about the existence of "djfhgkl.dll"? It shouldn't see any of the file system, except when handed a capability for a file or folder.

      Every gas station clerk I hand $20 to as a form of payment doesn't have the ability to take out a mortgage in my name... they only have the $20. There are zero clerks asking to touch each note in my wallet by serial number, etc.

      Malware are just programs that are written to do evil, everything else does evil by mistake. Capabilities just prevent most of the evil as a class.

    9. Re: We had our decision point in the 80s and 90s by Bert64 · · Score: 1

      No it doesn't.
      There are thousands of compromised boxes in China, and malware infections are a routine problem in Chinese companies.
      A lot of the spam and hack attempts that come from Chinese addresses aren't launched by the Chinese, they are boxes that have been hacked.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:We had our decision point in the 80s and 90s by Bert64 · · Score: 1

      the current OS design would have you hand your wallet (and a non-revocable power of attorney) to the clerk, and just hope that they take the right amount out of your account before handing it back.

      Which is exactly how credit/debit cards work...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re:We had our decision point in the 80s and 90s by avandesande · · Score: 1

      Yeah, when an OS was the size of what is now a simple device driver.

      --
      love is just extroverted narcissism
  10. probably yes by superwiz · · Score: 1

    It probably increases usability in the same way that car safety measures increase usability of cars. As someone already mentioned, it forces systems to be designed in such a way that they are also proofed against users "shooting themselves in the foot" at a moment of even a tiniest incompetence.

    --
    Any guest worker system is indistinguishable from indentured servitude.
  11. Locked Doors Are Barriers to Experimenting/Learnin by Bing Tsher E · · Score: 1

    I know that when I first started hacking around with Linux in the mid 1990s that I had an easy time experimenting with networking compared to somebody just trying things out today.

    Samba was out and all the security in it, and in Microsoft products that used SMB, were loose and easy to use. NFS was a breeze to use, so you could boot up a machine with an NFS install floppy diskette and put a whole freenix (I like NetBSD) on a system quickly.

    A lot of that has changed now. It's even a hassle now just to get two 'doze computers to talk to each other's shares these days. This is bad when it's a closed network and finding the server drive or accessing the printer is no longer just a matter of clicking the 'Network Neighborhood' icon on the desktop.
    Security is, obviously, necessary. But my way of thinking is that the security should be incorporated at gateways. Home networks should be protected by hardened gateways and firewall appliances. People should have traffic monitoring equipment built into their local networks. Gateways to the 'whole internet' are usually done through NAT these days, so security should be lax within local networks and tight at points where they connect to the world.

    Security only matters when there is an intruder about. I live in an area where if I forget my tablet out on the back porch it will always be there the next morning. The most risky intruders are coyotes out in the field.

  12. Simple answer: Yes. by Anonymous Coward · · Score: 2, Insightful

    Aka "both". But by and large, worse, and this will worsen until we fix two things:

    The atrocious state of our technology, IOW the "hyoooooooge" technical debt. That mountain is so big we don't know where to start looking at it. But it's still there. It's become so big it has its own abyss, staring at you. That makes it even harder to look at.

    Our willingness to be oppressed by technology. It doesn't matter if it's because of some "security" threat or other ("for the childrun", "terrists", you name it), government convenience (e.g. face recognition, not just China but the US and Europe already as well, but also SSNs and many other tricks, many seemingly innocuous), "user friendlyness" (yes, think about that one for a bit), faux-"security" ("secure boot" isn't about security), or any other reason. It always comes down to "who is in control?" and if it's not you, it's someone else. And if it's someone else, then the tech doesn't exist to empower you, but to empower them and by extension it becomes a temptation to use it against you, IOW a tool of oppression waiting to happen. Not because of any ideology, but because it's there, it's easy to use, it's powerful, and power corrupts.

    So yeah, by and large the net effect is negative, will remain negative for the time being, and the people to do something about it, well, that's squarely us. So get to it, you slackers.

  13. Yes. by Anonymous Coward · · Score: 1

    The logical value of (A or (not A)) is always True.

    I am simplifying somewhat here because "better" is not the opposite of "worse" (we must also consider "equal"), however the probability of the situation being exactly equal is zero, so you get the same result.

    You could also ask if it is better AND worse, and the answer would still be yes. Just as you could say Slashdot is both bad and good. There are plenty annoyances, but hey - after 20+ years I am still here reading, so it can't be all bad.

    Some of these polarizing yes-or-no questions are just dumb.

  14. Security Tech and the Orwellian society by MindPrison · · Score: 2

    First we have to ask ourselves, what is security?

    Security, as in locked doors, encrypted drives, encrypted mail and digital wallets?

    Or...

    Security as in personal security (the rights to roam free and pursue our own dreams), free from oppressors, freedom of speech, information freedom.
    In a time of fake news where it's possible to manipulate another country just by doctoring the news and opinions of the masses, this is certainly not good.
    Another bad is that if we take away our freedom of speech, we get less say - and the power handed to a privileged few, aka "your" chosen government.

    Internet gave us a lot of freedom. We could exchange information faster than ever before, play games with our friends overseas, book travels and earn money no matter where you were in the world.

    But it also blinded us, with information this fast, there was no time for peer reviews of the news, what source can you truly trust? "Likes" almost became the new "law". Getting likes was almost like the new religion, and nevermind the reliability of the actual sources, just as long as a bunch of likes came along, and the rest thought "meh...might as well join the crowd", and what crowd? These are just numbers. A very real but dangerous development.

    Time to take a step back - and understand that we should keep this technology free, putting too many locks on it also censors our freedom of speech, but security starts with us, we need to educate ourselves and not trust everything blindly. Turn off the net, breathe - go out there, say hi to your neighbor once in a while, talk amongst yourselves.

    --
    What this world is coming to - is for you and me to decide.
    1. Re:Security Tech and the Orwellian society by UnknownSoldier · · Score: 1

      > "Likes" almost became the new "law".

      The Orville even did an episode on that: Majority Rule (aired in 2017) which was a repeat of a Black Mirror episode Nosedive (aired in 2016), which is similar to a Community, App Development and Condiments (aired in 2014)

      It's actually worse than that. Security (or the lack of it) -- whether it be public security (prevention of intrusion) or personal security (protecting your rights) -- can be summarized with two phrases and how they are linked:

      1. Follow the money, and
      2. Rise of Good Enough aka Worse is better

      This gives the TL:DR; conclusions;

      Security can be measured short-term or long-term,
      Security is only a means to an end.

      That is, for most companies there is (almost) no long-term financial gain but there is a real short-term expense if you take security serious

      For example:

      * Banks have a lot more to lose if they don't take security serious -- both short term and long term.
      * Some fly-by-night company may lose short-term (expense), but long term no real benefit if they ignore security.

      Let's take a hypothetical case of 2 companies, working on products that have identical features:

      Company A = Does the bare MVP (Minimal Viable Product), security issues are largely ignored, or just barely acknowledged. Security is "good enough".
      Company B = Takes security serious. Their code is battle hardened against Fuzz testing.

      Company A takes 12 months of development before they ship.
      Company B takes 24 months of development before they ship.

      Q. Which product is going to be more (financially) successful?
      A. Company A's.

      Q. Why?
      A. The public does not value security -- they don't know how to. Let's pretend there is a buffer overflow problem that company A ignored but company B fixed. What is the probability of it actually happening? Company A said the ratio of risk:expense wasn't worth it while company B valued it.

      We saw this _exact_ same thing happen in early Operating Systems when they moved from being single-tasking to multi-tasking would allow programs to stomp over another application's memory. This was inconvenient so eventually hardware was developed to stop this following the Separation of Concerns philosophy. Even today there are good reasons why a program would want to read another process's memory (debugger, automation), and there are bad reasons (malware).

      Security is only a means to an end.

      This raises the question:

      * How do you prioritize security issues?
      * How do you make sure everyone values security issues?
      * How do we make sure bad security practices are made a priority and fixed?
      * How are companies that use bad security practices punished?
      * When security gets in the way of functionality / performance what needs to change?

      If security issues were prioritized over functionality almost NOTHING would ever ship.

      Where is the line drawn between idealism and pragmatism?

      Security not being taken serious has created all sorts of opportunities to be hacked. We can certainly do better in this area. Education is the key.

  15. Mis-allocated energies by ka9dgx · · Score: 1

    Time spent protecting operating systems from possible bad behaviour of applications is time wasted.

    The current state of Operating Systems is akin to having only single phase AC power, but no fuses or circuit breakers anywhere in the system. Because applications are trusted with everything, any bug can result in the wholesale mis-direction of everything down the wrong path. Most (but not all) of our problems with security result from this misplaced trust.

    It's probably going to be another decade before capability based security becomes mainstream, but I hope discussions of it in places like ../ can help bring it forward sooner.

    1. Re: Mis-allocated energies by Bing Tsher E · · Score: 1

      The current state of things is like having fuses designed into equipment, but then finding that somebody has shoved a 30 amp fuse into the holder. I find that from time to time now on equipment I am repairing. Sometimes it causes dramatic equipment failure.

  16. Re:Locked Doors Are Barriers to Experimenting/Lear by zynthaxx · · Score: 1

    The problem is that the intruder doesn't have to come from outside, but most likely will be a naive user on your own network who clicks something they shouldn't have on a poorly secured computer. So: The basic protocols are still around, so you can still learn the basics of how to set up network services within a lab environment; nothing has really changed there. But don't stop learning once you know the basics; that's the main lesson here. When you can reliably create a file share, learn how to manage user accounts and groups, and how to apply the principle of least necessary privilege.

  17. Security is a side effect of good code.. by zynthaxx · · Score: 1

    Security mainly boils down to "think about the consequences before implementing something", and "clean up your own mess to avoid introducing accidental consequences". If a developer lacks these habits, they will write broken software from more perspectives than just security.

    1. Re: Security is a side effect of good code.. by krisdickie · · Score: 1

      This is the type of concept I was thinking about in asking the question and the point I was trying to touch on. More thoughtfulness, better code, better technology, happier people. But the answer 'yes', is also my favourite.

  18. Better, but narrowly by cfalcon · · Score: 1

    Much of the internet is built on a model of reasonably open trust. This proved to not be a mistake, but a particularly galling one, which has required patch after patch.

    The problem, as I see it, occurred starting in about the mid 90s. At this point, what the internet actually was, was clear to all. Making assumptions of trustworthiness in 1985 was still quite reasonable: it was possible that all meaningful internet connections were to continue to be monitored for bad behavior manually and actioned when appropriate. It wasn't what was happening, but it wasn't lunacy.

    In the mid to late 90s, once the majority of the really gullible things were beaten out of everything, things appeared to be kinda looking up- we were at least on the correct trajectory. Cue another massive overdose of functionality. The early versions of IE would just run any link as appropriate. You could provide a link to C:\windows\notepad.exe, and clicking it would run notepad. Or a deltree on your C drive. Unix land, while not as degenerate, was still busy taking URLs as commands, browsing all over the root filesystem, and generally behaving like amateur hour. Every new tech that got added was riddled with security problems that were reasonably obvious, and they were still adopted at absolute lightning speed.

    Technologies were obsoleted almost as fast as it took them to hammer out their bugs. The idea of passing code from server to client caught on, but unlike the prior iterations of this, there was no reason to actually TRUST the server- sure, you might trust microsoft.com, but do you trust $RANDOM_ADDRESS.net?

    Something like SPECTRE wouldn't even be that interesting if the underlying assumption wasn't that you were downloading and running code everywhere you pointed a browser to.

    The security overlay on all of this can be heavy at times. It is also frequently misguided, which makes much of the ire. See pretty much anything related to passwords for a great example of something that doesn't buy much security at the cost of a massive amount of usability (and goes backwards if it starts asking what school you went to, and then gives access to anyone who can guess that, a fact you cannot change). Even automated systems like SSL can ultimately be mangled by someone dedicated to the task.

    Overall, much of the security burden is based around some bad choices early on, but almost everything that weighs us down now is a result of continuing to make bad choices.

  19. Prevent bad things from happening by blackhedd · · Score: 2

    As a cybersec professional of many years tenure (and now an exec at one of the major firms), I have to admit I've asked this same question many many times. If we didn't need to put so much effort into security, and instead put it into features with direct customer benefits, wouldn't we all be better off?

    I think the OP approaches the answer to his question when he refers to preventing bad things from happening. A basic part of engineering is system robustness, resiliency and safety. We don't question the effort we put into assuring those things. We manage, in a variety of ways, the potential impacts arising from possible system failures.

    With cybersecurity, we manage in a variety of ways the potential impacts arising from system vulnerabilities exploitable by bad actors. It's work we'd be doing anyway.

  20. anonymity by bigtreeman · · Score: 2

    anonymity and security,
    can't have both
    if criminals know they will be identified and caught they will be less likely to offend.

    --
    Go well
    1. Re: anonymity by Bing+Tsher+E · · Score: 1

      There is something to be said for working at a really small company, or on a small team secured away somewhere. There is far, far less anonymity, but things are then looser and more free.

      The place I am working has a 'news' bulletin that consists of a 'txt' file in a shared network folder. Everybody is expected to open and read and update it every day or so with notepad. The less computer adept have a shortcut to the file on their taskbar. It works because there are only 8 of us in the company. It's secure because only people on the network have access and the trust bond is in place because everybody knows each other.

      There is anonymity (so to speak, the last person to write the file is probably in the filesystem properties that a few of us know how to look at) but nobody cares, anonymity is not needed. Race conditions could and do probably occur, so I personally always save changes I make immediately and would never add to anything but a freshly opened copy. Probably other people sometimes 'clobber' updates by changing and saving a stale copy. It's just a newsletter so there isn't really anything critical in it. It would certainly NOT scale to a larger group.

  21. Java Anecdote by Tablizer · · Score: 2

    It's a rather open ended question, but here's an anecdote to consider. A lot of free and open-source software is written in Java. However, our security administrator set an aggressive policy on Java because of past Java security holes. Java-based applications run about 20x slower than they would without the aggressive scanning done on it by our security software. It makes such software virtually useless. We either pay more for alternatives or go without. (I personally believe the security scanning software that starts with an "M" is poorly designed, but that's another topic.)

    I cannot reliably say if our org's policy is too aggressive, because not getting things done may be just as bad as being hacked in the longer run.

    Another oddity is that Microsoft is also leaky, but because we need some software to avoid going back to paper and pencils, Microsoft gets a pass that Java doesn't. It's crazy. Sometimes it feels the 90's were more productive because we didn't have to consider security stuff. (That and stupid Web "UI" (non) standards.)

    1. Re:Java Anecdote by DCFusor · · Score: 1

      Doing without MS doesn't mean only paper and pencil as options....rilly? [sic]. I ditched windows around 2001 when I stopped running a company that fixed windows issues and wrote drivers for oddball hardware. There are around 20 machines here, mostly linux, a couple apple, all work great. Kinda diminishes any authority in the rest of your comment...

      --
      Why guess when you can know? Measure!
    2. Re:Java Anecdote by Tablizer · · Score: 1

      I'm talking a big org. I don't control OS decisions.

    3. Re:Java Anecdote by DCFusor · · Score: 1

      Gotcha. It's part of why I'd gone private-consultant.

      --
      Why guess when you can know? Measure!
  22. Worse, IMHO by Khyber · · Score: 1

    Everyone has failed so hard at the first three levels of OSI through shitty programming that they rely upon several more layers of OSI to cover up for even shittier programming now.

    Security comes through good programming practices, thorough testing, and sticking to KISS ideas.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  23. Security as a pretext for surveillance by SigmundFloyd · · Score: 1

    The problem with security is that it's used as a pretext for surveillance and spying. We get backdoored CPUs so our data and devices are no longer under our control. All in the name of security.

    I'll choose freedom over security any day.

    --
    Knowledge is power; knowledge shared is power lost.
  24. What About Food? by NicknameUnavailable · · Score: 1

    This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my species) would have been X times more productive or have come up with some amazing new culture or technology, if we didn't have to deal with obtaining agricultural products.

    In a utopian world, where there are no metabolic processes, we would have likely forfeited many of the farms and fisheries that have been put into place to prevent starvation from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?

    Or are we just losing precious resources and time dealing with the necessity of fending off starvation?

    Point being: OP is a euphoric tard. Security is a natural consequence of game theory, you might as well stop coding if you don't want to deal with it. It's no different than food or water for base survival - it's a result of existence.

  25. Better off than with guns ... by Qbertino · · Score: 1

    ... that's for sure.

    https://youtu.be/0rR9IaXH1M0

    --
    We suffer more in our imagination than in reality. - Seneca
  26. In other news by Hognoxious · · Score: 1

    Cars would totally be much cheaper if we could make them from cardboard or something and like do away with brakes and all that shit.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  27. Betteridge's law of headlines: by thegarbz · · Score: 1

    No. And in this case "no" means you really shouldn't be asking this kind of question. The world is not better or worse, a specific application is, a specific scenario is.

    1. Re: Betteridge's law of headlines: by krisdickie · · Score: 1

      Hey c'mon, we're only here to discuss the big picture

  28. Re:Locked Doors Are Barriers to Experimenting/Lear by tlhIngan · · Score: 1

    Exactly.

    It's also making stuff harder to repair, because new vulnerabilities mean you lose the ability to fix it yourself.

    Think about a fingerprint reader. In days gone by, they were simply cameras and you got an image from them, then run your algorithms on them. But nowadays it's such a big deal that fingerprint data must be encrypted and if your hardware supports it, sent over a secure bus to a secure processor, using PKI encryption to ensure both endpoints haven't been compromised.

    All this because a bad actor can replace a fingerprint reader with a compromised version that perhaps either stores an image of a fingerprint for later replay attacks, or transmits it to a third party (via RF or other means - fingerprint readers are large chips). So now the device itself needs to tell the other end that it hasn't been changed out with a malicious version. But as we see, it breaks repairs - you cannot replace anything the fingerprint assembly is bound to anymore.

    You're bound to see this with other things like recognition cameras, touch screens and other things eventually too. Touch screens and displays are next - soon you'd want authentication functionality done in a "secure mode" where the user OS no longer authenticates or locks the system - it simply calls out to a "secure OS" that verifies everything is in order (no security-critical hardware has been replaced or otherwise tampered with) then pops up the lock screen. And until the secure software releases the display and touchscreen, the user OS cannot display or get input. But again, it means break your screen, you need to get an authorized repair (can't have screens transmit everything you see to a third party, or selectively take screenshots when they recognize something being displayed).

    And why would you do this? Well, it would make those grey box things no longer functional - if the secure OS has the screen and touch locked out, it makes it hard to break into the user OS - you're at the mercy of whatever the user OS may give you over that one port - without the code, the user OS can display a "do you trust this device" dialog that never can be shown or interacted with because the secure software has taken control of the display and touch hardware, and thus the user OS prevents access to user data.

    All this means though, the inability to change screens.

  29. Security measures and amazing new concepts or feat by najajomo · · Score: 1

    "I can't help but wonder though if I (and my team) would have been X times more productive or have come up with some amazing new concept or feature, if we didn't have to deal with implementing security measures."

    No, security has to be baked in at the design stage and would have no deleterious effect on the implementation of amazing new concepts or features. It's patently obvious that in the rush to get out new features the innovators failed to come up with a design that can't tell the difference between executables and data and don't run executables downloaded over the Internet through opening an email attachment or clicking on a malicious URL.

  30. Who are the perilous few? by VikingNation · · Score: 1

    There are plenty of non software products where designers must incorporate elements of design that protect users. For example: durable goods, small appliances, bridges, stairs, vehicles, etc. Software should be no different.

  31. Utopia means NOWHERE by drinkypoo · · Score: 1

    And NOWHERE is there a lack of bad actors.

    What a spectacularly stupid question.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re: Utopia means NOWHERE by krisdickie · · Score: 1

      Rule #1 - you haven't failed to medicate

    2. Re: Utopia means NOWHERE by Bing+Tsher+E · · Score: 1

      Utopia means never bothering to ask about those really old skeletons over there. Obviously reality self-corrected itself.

  32. Re: Importance of human intel by Bing+Tsher+E · · Score: 1

    The places where shrill and paranoid 'high tech security' are mandatory tend to burn themselves up.

    Over time, secure and well adjusted people will come along and build anew on the scorched patches of land.

    Some would say that containment and provision of weapons and combustibles to the 'problem spots' is a sufficient means of correction.

  33. Re: Gaming has more investment, more of a WASTE of by Bert64 · · Score: 1

    Warner Bros and Disney will keep pumping out movies while the people who work on it are slowly drained of their time and wealth by the companies they work for, and the people who buy the worst of their products will keep producing "a market" for that slop.

    Worse than that, Disney keep selling the same movies again every few years, each time targeting new kids with the same old crap rather than making any effort to create any new content.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  34. Re: Replacement for TCP/IP by Bing+Tsher+E · · Score: 1

    'More complex' can be the answer, but simplification also sometimes works.

    Tearing out unneeded layers can improve security.

    A piece of 'scorekeeping' equipment I work on for a sporting activity transmits to large displays for spectators and a judge's stand receiver. Originally I wondered why there wasn't more security in place, it just uses vanilla zigbee radio channels. Then I noticed that the communication protocol is simplex... and only the instrument that makes the actual measurement has transmit capability once the handshake has established a channel.

  35. Re:Security measures and amazing new concepts or f by ka9dgx · · Score: 1

    NOTHING can tell the difference between
    1> a program deliberately written to do something bad,
    2> a program that does something bad by mistake

    To make this determination requires solving the halting problem. You can not pre-determine the intent of a non-trivial program. This is the root cause of most computer security issues.

    What you can do, is to pre-determine which side effects of running the program you are willing to allow. Most systems place NO limits on side effects of a program, however capability based systems do exactly this thing.

  36. Re: Gaming has more investment, more of a WASTE o by Immerman · · Score: 4, Interesting

    Bull. Music, art, dance, board games - these things exist in practically every culture in the world, and have for at least several thousand years. Poverty is no great impediment to entertainment. Even in our hunter-gatherer days it's estimated that the average person only spent a few hours a day in survival-oriented activities. Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  37. Re: Gaming has more investment, more of a WASTE of by Immerman · · Score: 1

    Sure it's a timesink - but there's no need for constant labor, it'd be a complete waste. We could give every person on the planet adequate food, shelter, and medical care using only a small fraction of the current global productivity. After that, pretty much everything else is about either increasing future potential or entertainment.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  38. Re: Gaming has more investment, more of a WASTE o by pete6677 · · Score: 1

    The fact that you had time to post that waste-of-space comment of yours proves that you are one of the "pampered first worlders".

  39. Scarcity thinking and ironies of abundance by Paul+Fernhout · · Score: 1

    I agree with your point "computer security is a necessary response to the realities of a more interconnected world." That said, in many cases, I feel the deeper issue is, as in my sig, the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.

    I write about those ironies in regards to militarism here: http://pdfernhout.net/recogniz...
    "Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much about the implications of all that computer power and organized information to transform the world into a place of abundance for all. Cheap computing makes possible just about cheap everything else, as does the ability to make better designs through shared computing."

    But if we think about computer network security and bad actors, many (not all) bad actors are in it for the money. The ironic aspect is that the power of computing tools makes it easy for a few people to make a lot of trouble for many people. So, a few people send spam email to make money for themselves which then makes it hard for others to use email to create abundance for all. Or a few people spam wikis to make money for themselves in turn making wikis harder to use by others to create abundance for all. Or a few people crack into other types of knowledge sharing sites again to make money for themselves making it harder for scientists and engineers to do collaborative work. Or a few people inject malware into ads to make money for themselves which makes it harder for other people to learn new information from the web they might use to build a better world.

    These sorts of socially costly bad actions reflect a narrow view of self (selfishness) and/or also short-term thinking.

    I just started reading Vernor Vinge's "Rainbow's End" novel that touches on some of these ideas of technology as an amplifier: https://en.wikipedia.org/wiki/...

    I forget where I first read this, but an economist wrote that the cost of doing business goes up greatly when there is less trust. If we had to harden all the power lines and phone lines and then armor all our cars and bar all our windows and so on, daily life would get a lot more expensive. One can see those sorts of costs rising in places where social order breaks down.

    In physical day-to-day dealings in, say, much of the USA or Western Europe, we don't worry too much about copper thieves stealing power lines or stealing phone lines or doing other similar sorts of behavior because there is a certain level of trust making relatively insecure installations possible. That level of trust has arisen from a level of shared abundance. Trust also comes indirectly because there are also laws (backed by police and courts), norms (backed by neighbors), and effort costs that discourage most people from being anti-social in such ways. Lessig in Code 2.0 writes on ways human behavior is shaped by a mix of such rules, norms, and prices.

    Or, as in the example you provide, trust may be more feasible in smaller groups where everyone knows each other and can see fairly easily what is going on.

    So, I can wonder if computer networks will not settle down until we have better laws, norms, and prices governing their use. That is harder given, as with "interconnected", the fact that human actions across networks typically cross multiple legal jurisdictions and cultures and identity of actors is often hard to assess. Broad trust on the internet encouraged by laws, norms, and prices may be harder to foster these days -- even though in the early days of the internet, where most internet nodes were academic or military or government and reflected institutional norms, and where network connectio

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
  40. Re: Gaming has more investment, more of a WASTE o by Anonymous Coward · · Score: 1

    If only that were true.

    A very small portion of global spending goes to entertainment.

    Simple objectives don't meet simple methods to obtain them. You know how much time is wasted handling paper records? Well electronic ones solve that, but require industry to support them. It's actually a net positive but it diversifies the workforce.

    We no longer spend most of our time farming, but to say the extra work is unnecessary is too simple minded.

  41. Re: Gaming has more investment, more of a WASTE o by Immerman · · Score: 1

    Everything beyond food, shelter and (arguably) medical care is by its nature unnecessary. *Desirable* maybe, but not necessary - and thus I would group it into some form of entertainment - science (satisfying intellectual curiosity = entertainment), dining out (spending less time cooking, more time focused on company = entertainment), etc. And of course, lots and lots of busywork that produces very little of value other than jobs to keep people fed, and could be eliminated without any loss so long as the Puritan/capitalist idea of jobs determining self- and social-worth (and wealth distribution) went with them.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  42. Technological Darwinism by Humbubba · · Score: 1

    Security tech and its mirror image, hacking, have been highly prized since 1943, when the codebreakers at Bletchley Park used a set of computers known as "Colossus" to gain unauthorized access to information in an encrypted system. They hacked Germany's best security technology, the Lorenz Sz 40/42 cipher machines, aka "Tunny".

    Since then, technology and its security systems have evolved dramatically. But so has hacking. Tools stolen from the NSA are now in the hands of those they were fighting. One has to be pretty adroit to keep up with what's coming down the pike and find the right strategies and techniques to protect their stuff.

    I see all this as technological Darwinism, an evolutionary fight for the survival of the fittest information systems, networks and telecommunications, ensuring all those proficient in IT security, which not so ironically includes hackers, a very comfortable living.

  43. Until the system goes down because it wasn't secur by raymorris · · Score: 1

    There is some truth in that. Sometimes there is a trade-off between certain types of security and convenience.

    Also, it's VERY inconvenient when the system goes down entirely because it wasn't secured. The easiest attacks are generally denial of service attacks, so if you pay no mind to security you can expect the service to be unavailable frequently. A bit of security would make things a lot more convenient.

    It's also pretty darn inconvenient when the system gives wrong results, such as when your bank balance is $10,000 less than it should be, because of a security problem.

    Also, as others have pointed out, the definition of security is:
          A secure system continues to operate properly, even when under attack.*

    That implies that a secure system operates properly when NOT under attack. A system designed based on security principles doesn't crash, doesn't give wrong results, etc - even when it's under attack, and especially when it's not. A secure system is one that won't screw up *even if you try to make it screw up*, which means it's reliable when you're not trying to make it screw up.

    Security has three parts, abbreviated CIA. A secure system provides confidentiality, which is the first thing most laymen think of. The I and A are also important. Integrity means the system provides correct results. Databases designed by application programmers rather than database architects often fail at this, especially under load, when concurrency causes issues. Availability means the system doesn't go down. Earlier today we saw yet again how poorly Slashdot does in this regard, as the site was down AGAIN for several hours.

    * That's the Morris definition of security - a secure system is one which continues to operate properly, giving correct results, even when under attack.

  44. Re: Gaming has more investment, more of a WASTE o by cascadingstylesheet · · Score: 2

    Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.

    I was with you until that sentence. Abject poverty and spending more than half your waking life at "work" tasks long, LONG predates modernity.

  45. Re: Gaming has more investment, more of a WASTE o by Immerman · · Score: 1

    I'll admit I use "modern" in a somewhat long-viewed sense. But estimates are that our hunter-gatherer ancestors averaged about 3-4 hours per day on survival-oriented tasks - we were truly the kings of the animal world. Agriculture changed that considerably - but even agriculture involves long months of relatively idle time to counterbalance the crunch of planting and harvest.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.