Slashdot Mirror


User: Anonymous+Brave+Guy

Anonymous+Brave+Guy's activity in the archive.

Stories: 0 · Comments: 12,209

Comments · 12,209

  1. I'm sorry, but you appear to be confused about how this all works.

    Authentication means proving the identity of the party you're communicating with. It has nothing to do with encryption, other than the fact that certain tools can be useful for both purposes.

    There are multiple strategies for authentication that do not require that any third party be involved in or aware of the communication. No-one need be any more able to log your communications just because you authenticated the source.

    There are also various strategies for authentication that do not rely on the continued existence of specific third parties in order to function. Indeed, if you are able to exchange information out of band initially, there is no requirement for any third party to exist at all.

    And finally, on typical modern systems and assuming we're talking about communicating over the Internet, the overhead of authentication is likely to be negligible on both sides.

  2. Why not? Any communication over an untrusted network is potentially a source of malware if nothing else.

  3. Until self-signed certificates are also deemed a security threat by the mighty Google and sites using them are auto-blocked in Chrome.

  4. If you don't have an authenticated source for whatever you're receiving, you don't even know that the site you're seeing at a well-known URL is really the one you think it is. Your ISP, whoever is providing the WiFi you're borrowing at the coffee shop or on the train, your employer, or just some guy with the right gear to spoof the relevant infrastructure on whatever otherwise legitimate network you're connected to could be playing silly games.

    As swillden says, in order to prevent this you need to be able to verify that what you're seeing came from who you think it came from and that it hasn't been modified along the way. Those are actually quite independent of encryption, although in practice on the web we usually use the same infrastructure to provide both functions.
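The point made in comments 1 and 4 above, that the origin and integrity of a message can be verified without encrypting it and without any third party once a key has been shared out of band, shown as an added example (Python, HMAC-SHA256) that is not part of the original comments; the pre-shared key and the message are constructed here for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key exchanged out of band (handed over in person,
# via an existing trusted channel, etc.). No certificate authority or other
# third party is involved at any point.
SHARED_KEY = secrets.token_bytes(32)


def sign_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag over `message` under `key`.

    The message itself travels in the clear: the tag proves who sent it and
    that it was not altered, but hides nothing. Authentication and
    confidentiality are separate properties.
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare it in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    bytes of a forged tag happened to be correct.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the genuine, tampered and wrong-key cases on a constructed message."""
    original = b"GET /update.bin version=2.3.1"   # constructed sample message
    tag = sign_message(SHARED_KEY, original)

    tampered = b"GET /update.bin version=2.3.0"    # one byte changed in transit
    other_key = secrets.token_bytes(32)            # an impostor without the shared key

    return {
        "genuine_verifies": verify_message(SHARED_KEY, original, tag),
        "tampered_rejected": not verify_message(SHARED_KEY, tampered, tag),
        "wrong_key_rejected": not verify_message(other_key, original, tag),
        # the payload is still readable by anyone on the path: no encryption here
        "message_readable": original.decode() == "GET /update.bin version=2.3.1",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The tag costs one hash computation on each side, which is the negligible overhead comment 1 refers to. What a bare MAC does not give you is replay protection: an old, correctly tagged message can be re-sent verbatim, so in practice a counter or timestamp is included inside the signed data and checked by the receiver.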

  5. Re:Why is this the government's responsibility on Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? · Score: 1

    Your market forces argument is predicated on the members of that market being able to make informed decisions. Since the average punter knows little if anything about IT security and will have little if any concept of the risks to themselves or those they care about in the event of security failures, that isn't possible. Fundamentally, governments make laws and statutory regulations to protect those who aren't necessarily in a position to protect themselves, and that is exactly the situation here.

  6. Traceability on Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? · Score: 2

    The problem, from a public awareness point of view, is that there is little traceability even when something bad happens.

    The effect may be that you spend several months trying to regain control of your identity and you never fully recover all of the money that "you" spent.

    The cause may be that one big organisation leaked enough of your personal information to let the identity thief succeed in convincing several other big organisations that they were you.

    All of those organisations are demonstrably at fault, but unless the victims can actually join the dots, neither they nor anyone else (governments, media, future potential victims) are going to hold the responsible organisations accountable.

  7. I run my own businesses and work in tech fields, so I have no axe to grind there. I do know plenty of people who have been unable to do their jobs properly because perfectly reasonable requests were denied or extensively delayed by IT people for silly reasons, though. And I write that as someone who is well aware that IT get the blame when things go wrong and a lot of "unreasonable" policies to staff are actually sensible and necessary from an IT point of view.

    IT is a support function, like HR or legal. It is valuable to the extent -- and only to the extent -- that it helps the organisation do whatever it is the organisation actually exists to do. You run tech decisions by IT for the same reason you run contracts by legal or compensation packages by HR, and sometimes you also need to overrule IT in the interests of the business as a whole for the same reason you overrule those other departments.

  8. Re:But we just passed a law to fix this.... on Smartphones Are Killing Americans, But Nobody's Counting (bloomberg.com) · Score: 1

    Well, if you wanted to know why road deaths are going up in the US, there's your answer. The first step to fixing a problem is acknowledging that it exists.

  9. Also, IT is not Management, and is not there to be in charge and tell the people doing whatever your organisation actually does how to do their jobs.

  10. Re:Guess I'm not going to buy a one plus phone on OxygenOS Telemetry Lets OnePlus Tie Phones To Individual Users (bleepingcomputer.com) · Score: 1

    But the current generation doesn't seem to mind.

    Doesn't mind, doesn't know, or just doesn't think they can do anything about it so tolerate it despite minding because they need a phone to live a normal life these days?

    Those are three quite different scenarios, and in two of the three it appears there is a market failure where purchasers of these (or other) smartphones don't get a choice they could reasonably be offered and so can't express their preference with their wallets.

    That sort of market failure is what regulation is for. Europe is going to have a party with this one, particularly if it isn't fixed before the new EU privacy regulations come in next year.

  11. Re:truth in advertising on Ask Slashdot: Is Deliberately Misleading People On the Internet Free Speech? · Score: 1

    This is why there are various laws in some places that for example make a credit card company jointly liable if its card is used to make a purchase and the original seller doesn't make good any damage.

    Also, deliberately using a limited liability company structure to take the customer's money and run is a good way to get your corporate veil pierced and the people behind that company fined or in jail. Typically the limited liability protects a company's owners/investors if the company is properly run but its business doesn't work out. It's not there to shield anyone from otherwise illegal behaviour.

  12. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    And yet you have not answered any of my questions, nor given any other substantial arguments to support your position that I can see, so unfortunately I don't think we're going to get anywhere useful here.

  13. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    So what exactly did you mean by "(admittedly just a small one)", then?

    How much security-related material that is relevant to the original topic did you learn in your degree and then use in the software you wrote? Feel free to be specific about what was involved, and then the rest of us won't have to make any assumptions.

    So far, you've claimed that someone needs to have a CS degree to know what they're doing in this field, yet now you seem to be saying that what your degree actually did was teach you how to study further topics and more detail by yourself, which is kinda exactly the AC's original point that you called bullshit in the first place.

  14. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    Sure, writing a program that serves text files using a simplified form of HTTP is easy. It's also about a million miles away from writing a modern, full-featured web server. Again, the knowledge included in even the best undergraduate CS course wouldn't get you close to what you need to understand to do that. And this still isn't what industrial IT security is really about anyway.

  15. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    You do realise that most exploits are actually discovered and capitalised on by people using exactly the in-depth low level knowledge I'm talking about, right?

    I've worked in and around this field for a long time. I'm sorry to make this a little personal, but what you're writing sounds like you read a textbook once, probably in university, and you're very proud of some of the long words and acronyms you can still half-remember. Nevertheless, what you've described has little to no connection with security management in the real world, as staff at an organisation like Equifax would (should) be doing it.

    An organisation like that would have a team of system administrators, network administrators, pen-testers, and other such professionals. They're not going to write their own web server and networking stack in case the industry standard ones have a flaw in their implementation of some elliptic curve math. But even if they were, the knowledge from an undergraduate-level CS degree would barely get them past writing the main function.

  16. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    Nothing you mentioned from your degree syllabus has much to do with developing modern, production-grade security infrastructure of the kind that would safeguard personal data properly in this sort of situation, other than possibly the vague "system security models" at the end. The rest might be useful as background information, but it won't tell you much if anything about potential attack vectors and standard techniques to defend against them, the state of the art in encryption methods and how to disable any that are now known to be vulnerable in your server software, which AAA and staff education policies actually work, how to write and maintain a systematic list of firewall rules, how to structure large systems for defence in depth and compartmentalisation, or numerous other real world issues you need to address when building secure infrastructure.

  17. I think we're probably in agreement on most of this. In particular, I agree that levels 2-3 are the trouble spot. I suppose my immediate concern is that exactly the safety issue you mention, if a driver suddenly has to take charge, will be the cause of some high profile accidents, and that will then cause the kind of paranoia you mention later on and result in delaying the move to properly autonomous transportation. Right now I don't see much evidence that anyone has anything as high as level 4 ready to go, and if they try to run before they can walk and get stuck in that awkward middle ground, I don't think the results will be good.

  18. Every piece of self driving car software I've ever seen demoed already has many, many systems in place to monitor and attempt to avoid pedestrians and are much, much more sophisticated than human adaptability is.

    Really? What have you seen demoed? I haven't seen a lot of detailed technical information (I'm a geek who follows this area out of interest, but it's not my field professionally) but what I have seen suggests that recent generations of these systems still rely on signals and markings far more than they will be able to in an entirely realistic and open world, and have frequently been forced to transfer control back to their human drivers when coming up against situations they didn't know how to handle, which obviously isn't an option in a fully autonomous vehicle.

    A human driver can't usually track the position of dozens of pedestrians up and down and on both sides of a street to see if one of them suddenly veers off the sidewalk and into the street from between two parked cars.

    True, but an autonomous vehicle can't usually anticipate that if there's a bar and it's just after closing time with a small crowd outside, there's a significant chance that someone previously hidden will run out the front door straight into the road while drunk. An experienced human driver would probably have slowed down, allowed more space, and kept an eye on that exit. Generally, human drivers rely a great deal on local knowledge and in particular on recognising information that isn't directly related to road markings and traffic laws in order to stay safe, and it's going to be a long time before autonomous vehicle control software can fill in that sort of missing contextual information. Of course self-driving cars have advantages in constant vision and near-instant reactions that help to compensate for that omission, but whether (or, more realistically, how long until) it's enough to bridge the gap statistically is a different question.

  19. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    (Please notice that I wasn't defending anyone here, just challenging a variation on the old cliche that you need to have a formal CS degree to be any good at anything to do with technology.)

  20. Re:maybe on Equifax CEO: All Companies Get Breached (fortune.com) · Score: 1

    Wow, that's quite a chip you've got on your shoulder there, mate.

    For the record, an undergraduate CS degree has almost nothing to do with the kind of technical expertise you'd want working in IT security professionally and absolutely nothing to do with the kind of management expertise you'd want to hire and direct such professionals.

    Also, I see little evidence of any correlation between interest in and aptitude for doing good technical work and having taken CS at undergraduate/college level. Some people took CS because they thought it would open the door to a high-paying career, yet couldn't program their way out of a wet paper bag. Some people were very interested in computers but took something like math or engineering, perhaps because they didn't want to spend the next year doing Java 101 when they'd been writing games since their early teens.

  21. Re:All of which misses the MAIN POINT on Squabble With Contractor Delayed Equifax's Response To Data Breach (bloomberg.com) · Score: 1

    It isn't viable to function as a normal member of any Western society I know about without access to basic financial facilities like a bank account. In fact, it's caused so many problems for those unlucky enough to fall through the gaps here in the UK that the government had to step in and promote the provision of basic bank accounts that might not have any sort of credit facilities but at least provided enough basic services for someone to do things like receiving pay from an employer or settling household bills.

  22. It would be nice to think you're right, though I fear your suggested timescales are optimistic.

    What worries me is that a lot of the talk from the auto and tech industry execs does seem to be pitching this as a technology that's ready to go on real roads for real world testing in the very near future. Maybe that's partly for the investors, the media and the politicians, but still, I've detected more than a hint of arrogance in some of those public statements in recent years.

    In reality, what I see today is that we have widespread implementation of level 1 features on the Society of Automotive Engineers' scale (i.e., partial driver aids like cruise control), and a lot of talk about the potential for level 4-5 (where vehicles are fully automated to the extent of driving an entire journey without human assistance), but disturbingly little talk about how we're going to safely get through levels 2-3 (where the vehicle does the majority of the work, but still requires a human driver to be ready to intervene in other circumstances, which seems like the riskiest of all possible worlds based on past experience).

    Some of the more established auto companies, Ford for example, seem to be aiming to make the jump straight to level 4-5 because of that difficult automation-to-human transition, but if the likes of Google and Tesla are following the same strategy then I don't see much sign of it so far. That's a concern, because while the auto industry has certainly had its share of safety controversies over the years, I find the idea of Silicon Valley tech giants running the show with their typically fast-paced and cavalier attitude to quality to be moderately terrifying!

  23. Why should the law with regard to automation differ from established law?

    For the same reason that drivers are explicitly licensed in most places and what would normally otherwise be anyone's freedom to get into a vehicle and move around in it is curtailed until they have demonstrated their competence: we are literally talking about controlling dangerous machinery in life or death situations here, and just putting up with financial compensation for any damage after the fact isn't good enough.

    I'd rather see this left to the courts to determine than having some arbitrary and irrational law based upon nothing but emotion and fear.

    False dichotomy is false, but in any case, what useful compensation could a court possibly award retrospectively if some bug (or security flaw) in an automated system caused many thousands of vehicles of a certain model to exhibit the same dangerous behaviour resulting in the death or serious injury of hundreds of nearby people within a short period of time? There are risks of scale involved here that simply don't exist when we're talking about human drivers as we have at the moment, and there is ample evidence that those risks are significant.

  24. Every car that is currently sold is a threat to those same groups - humans as drivers are absolutely the worst. Some worse than others, but none are perfect. I suspect that any technology that will be deployed would be, statistically, safer than human drivers.

    You might suspect that, but is there any real evidence to show that we've reached anywhere near that stage of maturity yet? The only statistics I've seen so far suggest that autonomous vehicles even under relatively favourable and semi-controlled conditions still don't outperform good human drivers statistically, even with all their advantages in terms of never losing "concentration", having full 360 degree "vision" the whole time, having near-instant physical response to sensor inputs, and so on.

    So deploying the technology when it has matured a little more has the immediate prospect of reducing the overall death rate; however, that doesn't help the individual.

    There are interesting ethical questions about the greater good in this sort of situation, but I don't think they become relevant until you have an automated technology to consider that is significantly superior to the status quo.

  25. Like those same drivers, cyclists, and pedestrians I see every day who don't obey traffic laws or have much common sense?

    This is one of the biggest challenges with completely autonomous vehicles. In the real world, even if you play by the rules and act totally logically, you can't safely assume that everyone else will. A human driver will naturally learn to deal with this variability and adapt. Software doesn't do that unless its programmers make it.

    It's also worth keeping in mind that there are many legitimate reasons that normal traffic rules might not be followed. Emergency vehicles might be travelling faster than a normal speed limit or ignore other restrictions that would slow down their response. Damage or repair to the roads or surrounding area might force unusual courses, and the signage explaining this isn't always as clear as it could be. Natural events such as localised flooding or a landslide next to a mountain road might force drivers to go places they normally wouldn't. The list is almost endless, and goes far beyond bad drivers who routinely break the law just because they assume they'll get away with it.