Ask Slashdot: Is the World Better Or Worse Because of Security Tech?

Slashdot reader krisdickie is a developer for embedded devices (and many other systems), and spends a lot of time being proactive about security. This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my team) would have been X times more productive or have come up with some amazing new concept or feature, if we didn't have to deal with implementing security measures.

In a utopian world, where there are no bad actors, we would have likely forfeited many of the systems and ideas that have been put into place to prevent bad things from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?

Or are we just losing precious resources and time dealing with the necessity of protecting ourselves from the perilous few?
Share your own thoughts in the comments. Is the world better or worse off because of our ongoing development of security tech?

Seriously?

[RobbieCrash]

What an asinine question.

Of course we're worse off because there are bad people in the world. If everyone was a magical completely altruistic person who did nothing but make the world a better place, the world would be a better place.

Re:Seriously?

[Sique]

This mostly misses the point. Security is much more than protection against bad people. This might be a very visible and easily explained effect of having security, but security also protects against misshappenings, mistakes, accidents, errors, all the little nuisances which disrupt the intended way of running things. Even if all people were saints, we still would need security.

Better or worse?

Is the World Better Or Worse Because of Security Tech?

Yes.

It depends

[walshy007]

This is not a one-case-fits-all item.

What kinds of measures specifically are being spoken of? Does it help or hinder end users doing what they wish? Are end users even a consideration or is this solely to keep a stranglehold on the device from a manufacturers perspective?

As with many things there will never be a single answer, what is presented is a set of varying trade-offs whose value will change depending on the desired goals and whose perspective it is desired from.

Necessity is the mother of invention

[Kobun]

Human 'bad actors' are only one source of adverse conditions for computing. Many security features double as stability and error-checking features. I think that the author's question is ultimately a silly one because of Hanlon's Razor - "Never attribute to malice that which is adequately explained by stupidity". I think most people have seen terrifically destructive users who had no malicious intent behind their actions. Even in a utopia, humans are still human.

Missing Option

[dohzer]

Not better or worse, but as it should be.

Technology is a gift

[MrKaos]

The choice people have to make is if it frees us or enslaves us.

We had our decision point in the 80s and 90s

[ctilsie242]

In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.

However, what happened is that companies took the easy route. Windows had no innate security so the whole firewall/castle model of company security was formed, where security was done by the network fabric, and not the endpoints. This worked for a while, until malvertising and Trojans allowed malware to attack anywhere.

These days, security is pathetic in general. I have heard "security has no ROI", "the hackers will always win, so why waste money?" and other claptrap for over a decade. In fact, because there is no real criminal penalty, an egregious security breach makes the top levels of a company a lot of money because they can short their stock before making the announcement public, especially if they can keep the breach under wraps for six months.

IoT devices come to mind as a specific example. Why even bother with meaningful security when customers are forced to buy your version 1.1 of a doodad because version 1.0 will get their stuff hacked, and cannot be upgraded? Especially because the money with IoT is the analytics coming in, not the actual purchase of the device.

Simple answer: Yes.

Aka "both". But by and large, worse, and this will worsen until we fix two things:

The atrocious state of our technology, IOW the "hyoooooooge" technical debt. That mountain is so big we don't know where to start looking at it. But it's still there. It's become so big it has its own abyss, staring at you. That makes it even harder to look at.

Our willingness to be oppressed by technology. It doesn't matter if it's because of some "security" threat or other ("for the childrun", "terrists", you name it), government convenience (e.g. face recognition, not just China but the US and Europe already as well, but also SSNs and many other tricks, many seemingly innocuous), "user friendlyness" (yes, think about that one for a bit), faux-"security" ("secure boot" isn't about security), or any other reason. It always comes down to "who is in control?" and if it's not you, it's someone else. And if it's someone else, then the tech doesn't exist to empower you, but to empower them and by extension it becomes a temptation to use it against you, IOW a tool of oppression waiting to happen. Not because of any ideology, but because it's there, it's easy to use, it's powerful, and power corrupts.

So yeah, by and large the net effect is negative, will remain negative for the time being, and the people to do something about it, well, that's squarely us. So get to it, you slackers.

Re:I'd - sadly - say better.

[dgatwood]

It's not even that. The answer to the question of whether security makes things better or not in general is straightforward: It depends on whether the cost of the security is enough of a nuisance to exceed the projected lifetime benefit. And that largely depends on context. I'll explain by analogy.

I grew up in a small town in West Tennessee. Lots of folks around town routinely left their houses unlocked. It was that kind of town. There were a few thousand people, and everybody knew everybody, or if they didn't know somebody, they knew someone who did. In that context, it didn't take much security to keep things safe, because most people are good people, and if somebody from outside the community was wandering around, everybody knew that the person was an outsider if nobody out of a group of three or more people recognized the person. Thus, a bad person from elsewhere would arouse enough suspicion to be noticed, and would probably be thwarted in whatever nefarious deeds he or she was planning, unless it was just minor mischief like TPing the house of somebody that nobody really liked much anyway.

Now, I live in the Silicon Valley. I know two of my neighbors. Thanks to work and church, I know people from various parts of the area, but they don't live nearby I'm reasonably confident in leaving things lying around at work for precisely the same reason that I was reasonably confident back home—because everybody knows each other. But if you were to ask me if I could leave valuables lying around anywhere else, the answer would be "heck no," because nobody knows anybody, statistically speaking, and so everybody is indistinguishable from a potential insider or outsider. Even though most people are still good people, the odds of a bad person getting noticed are much lower. And with so many more people, the number of bad people is much higher even if the percentage is the same, which only compounds the problem.

The same problem exists with technology. Prior to the Internet, when computers were basically devices that you interacted with locally, security didn't matter that much, because most people are good people. When computers became more connected, that became a problem, because even if most people are good people, the bad people can get to your systems from anywhere in the world, so it only takes a few bad people to ruin everything. And because the pool of people potentially accessing your system is so much larger, the ability to distinguish good people from bad people is diminished.

So to make a long story short, computer security is a necessary response to the realities of a more interconnected world. Would things be worse without all that added security? Yes. Does the security actually make the world better? No. It just keeps things from unraveling in the presence of interconnectedness that does make the world better. The real question is whether that distinction matters.

Security Tech and the Orwellian society

[MindPrison]

First we have to ask ourselves, what is security?

Security, as in locked doors, encrypted drives, encrypted mail and digital wallets?

Or...

Security as in personal security (the rights to roam free and pursue our own dreams), free from oppressors, freedom of speech, information freedom.
In a time of fake news where it's possible to manipulate another country just by doctoring the news and opinions of the masses, this is certainly not good.
Another bad is that if we take away our freedom of speech, we get less say - and the power handed to a privileged few, aka "your" chosen government.

Internet gave us a lot of freedom. We could exchange information faster than ever before, play games with our friends overseas, book travels and earn money no matter were you where in the world.

But it also blinded us, with information this fast, there was no time for peer reviews of the news, what source can you truly trust? "Likes" almost became the new "law". Getting likes was almost like the new religion, and nevermind the reliability of the actual sources, just as long as a bunch of likes came along, and the rest thought "meh...might as well join the crowd", and what crowd? These are just numbers. A very real but dangerous development.

Time to take a step back - and understand that we should keep this technology free, putting too many locks on it also censors our freedom of speech, but security starts with us, we need to educate ourselves and not trust everything blindly. Turn off the net, breathe - go out there, say hi to your neighbor once in a while, talk amongst yourselves.

Prevent bad things from happening

[blackhedd]

As a cybersec professional of many years tenure (and now an exec at one of the major firms), I have to admit I've asked this same question many many times. If we didn't need to put so much effort into security, and instead put it into features with direct customer benefits, wouldn't we all be better off?

I think the OP approaches the answer to his question when he refers to preventing bad things from happening. A basic part of engineering is system robustness, resiliency and safety. We don't question the effort we put into assuring those things. We manage, in a variety of ways, the potential impacts arising from possible system failures.

With cybersecurity, we manage in a variety of ways the potential impacts arising from system vulnerabilities exploitable by bad actors. It's work we'd be doing anyway.

anonymity

[bigtreeman]

anonymity and security,
can't have both
if criminals know they will be identified and caught they will be less likely to offend.

Java Anecdote

[Tablizer]

It's a rather open ended question, but here's an anecdote to consider. A lot of free and open-source software is written in Java. However, our security administrator set an aggressive policy on Java because of past Java security holes. Java-based applications run about 20x slower than they would without the aggressive scanning done on it by our security software. It makes such software virtually useless. We either pay more for alternatives or go without. (I personally believe the security scanning software that starts with an "M" is poorly designed, but that's another topic.)

I cannot reliably say if our org's policy is too aggressive, because not getting things done may be just as bad as being hacked in the longer run.

Another oddity is that Microsoft is also leaky, but because we need some software to avoid going back to paper and pencils, Microsoft gets a pass that Java doesn't. It's crazy. Sometimes it feels the 90's were more productive because we didn't have consider security stuff. (That and stupid Web "UI" (non) standards.)

Re: Gaming has more investment, more of a WASTE o

[Immerman]

Bull. Music, art, dance, board games - these things exist in practically every culture in the the world, and have for at least several thousand years. Poverty is no great impediment to entertainment. Even in our hunter-gather days it's estimated that the average person only spent a few hours a day in survival-oriented activities. Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.

Re: Gaming has more investment, more of a WASTE o

[cascadingstylesheet]

Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.

I was with you until that sentence. Abject poverty and spending more than half your waking life at "work" tasks long, LONG predates modernity.