Online security is a horrifying nightmare.
Heartbleed. Target. Apple. Linux. Microsoft. Yahoo.eBay. X.509. Whatever security cataclysm erupts next,
probably in weeks or even days. We seem to be trapped in a vicious cycle of cascading
security disasters that just keep getting worse.
Why? Well — “Computers have gotten
incredibly complex, while people have remained the same gray mud with
pretensions of godhood … Because of all this, security is terrible … People, as
well, are broken … Everyone fails to use software correctly,” writes the great
Quinn Norton in a bleak piece in Medium. “We are building the most important technologies for the global
economy on shockingly underfunded infrastructure. We are truly living through
Code in the Age of Cholera,” concurs security legend Dan Kaminsky.
Most of which is objectively true. And it’s
probably also true, as Norton states and Kaminsky implies, that a certain
amount of insecurity is the natural state of affairs in any system so complex.
But I contend that things are much worse than
they actually need to be, and, further, that the entire industry has developed
learned helplessness towards software
security. We have been conditioned to just accept that security is a
complete debacle and always will be, so the risk of being hacked and/or a 0-day
popping up in your critical code is just a random, uncontrollable cost of doing
business, like the risk of setting up shop in the Bay Area knowing that the Big
One could hit any day.
What’s more, while this is not actually true,
most of the time it is no bad thing.
I’m pleased that I was a Heartbleed hipster,
dissing OpenSSL before it was cool (i.e. ten days before Heartbleed emerged
into the light) but I don’t pretend to be a security expert. I do write
software for a living, though … and recent events remind me vividly of the time
I attended DefCon just after Cisco tried to censor/gag-order Michael Lynn. Continue
reading…
No comments:
Post a Comment