• #security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Can I interest you in more security, sir?

Last week's IETF meeting discussed the security of the Internet and the recent revelations that the NSA has turned the Internet into a giant surveillance machine. While the sentiment was clear that the Internet should not allow itself to be subjected to such abuse, there is little evidence that anything at all can be done about it.

The problem is not that it is technically impossible to introduce more encryption and build better protocols. The problem is that it is not in the current interest of the companies to do so. The Internet was conceived for use in academia, so it was not a commercial thing from the start, and the principles on which it is built are idealistic. But now it is commercial through and through, from the hardware to the applications. And it is not in any company's commercial interest to introduce better security. Quite the opposite, in fact: most companies are interested in less security, even if they claim otherwise.

You and I, as people, as independent human beings, can introduce better security because it is in our interest. I would not rely on companies to do so.

Comments List

Sven Türpe2013-11-12 18:58 /

You get what you pay for. Which, considering my rather uneventful life, leads to the question why I would want to pay for more security and what my return might be.

tigr[ino]2013-11-12 19:35 /

The culture of trying to sell the cheapest junk at the highest price to the neighbour leads to these questions. The security in itself has value for you and for all of us. The security of the Internet increases the quality of the Internet and decreases the worry. That's a lot.

Sven Türpe2013-11-14 09:23 /

So what are the differences between security, world peace, nirvana, and communism?

tigr[ino]2013-11-14 09:41 /

They are completely different states that share a lot of common traits. I understand the interest in using those concepts, however their effect is quite different:
- security makes for a higher quality of life
- world peace indicates a quality of life
- nirvana makes quality of life irrelevant
- communism makes quality of life homogeneous
So, I guess you should either go for security and communism and watch for the world peace or aim for nirvana :)

Sven Türpe2013-11-14 23:48 /

The reputation of security in conjunction with attempts at communism has suffered a bit in the course of history, hasn't it? But let's focus on your proposition that security makes for higher quality of life, and accept it for the sake of argument. Security shares this value proposition with a variety of other offers. Since we have limited resources to spend, we must make choices. In an ideal world, I'd spend nothing on security since there would be no threats at all. Since I don't live in such a perfect world, I spend some amount of my resources -- money, time, energy, mental workload, however you like to measure it -- on security. I gain no quality of life from my forced spending on security, I only prevent losses that would otherwise occur. Now you come along and tell me I should spend even less on quality of life and even more on security. What are you trying to threaten me with? ;-)

tigr[ino]2013-11-15 08:33 /

Has it? Has the reputation of security really suffered? Ask people that used to live in those countries, ask those living now - how secure do (did) they feel? They will tell you, they were pretty damn secure. So I could not agree that communism made a dent in the reputation of security. Not at all. One thing I would not be ready to admit is that we live in an ideal world. An ideal world would already have perfect security indeed, so we would not need to channel resources towards security and would simply live happily ever after. Fortunately, that's not the case. Therefore, in our imperfect world we have to spend resources on security. They get, in fact, spent one way or another, in a factory or cleaning up after incidents at home. The problem is not that we, as a society in common, have a choice, because we don't. The problem is that many entities treat such costs as externalities, passing them onto the society at large. In my opinion, those costs must be internalized, otherwise the society is suffering more losses or costs than it could if such costs were optimized and paid at source.

Sven Türpe2013-11-16 11:38 /

I think it has, because people were made more secure than they ever wanted to be. Some even put their lives at stake to get away from that much security; many more are happy now that they can make their own decisions and bear the risk. As regards externalities, isn't it the adversary in the first place who externalizes the costs of his personal (or organizational, or national) gain? How -- or to what extent -- does the presence of such an adversary oblige me, as opposed to society as a whole, to spend on countermeasures? And isn't, from a defense point of view, herd protection a viable strategy? It is not the only strategy, but one of those that evolved (have a look at http://en.wikipedia.org/wiki/R/K_selection_theory) and thus might make sense. Some creatures, such as turtles, rely on strong protection of each individual over a long period of time; others, such as ants, mass-reproduce short-lived individuals. Neither strategy is right or wrong per se. Both pursue the same macroscopic, collective end -- survival of the species. Survival of an individual is instrumental, a means toward this end. In other words, computers have to be only secure enough, statistically, for the Internet to survive.

tigr[ino]2013-11-18 13:11 /

We call that "arguing about the taste of bananas with those who actually tried them" :) Most people are not interested in taking risks, not at all. Most people were happy there and would gladly go back if they could. Most people also realize they cannot and make do with what they have. Yes, there were adventurers like everywhere. Yes, they were exploited by the system on the other side of the Wall. That does not mean the society at large was worse off. Adversaries are not externalizing anything. They just are. They behave the way they are because that is their nature. This would be the same as claiming that a tiger is externalizing his costs by eating prey. That is simply the way he is, he is out there and if you do not take care he will get you. The companies produce things for us and claim to provide us with all the benefits while lying to us about the costs - that is, in rough language, the nature of externalization of costs. We assume that we already paid the full price but we did not, in fact. We will be paying more, time and again, for the manufacturer's profit. And this principle is destructive to the society in the long run.

Sven Türpe2013-11-20 09:23 /

So most people would prefer a safe and predictable life in a prison cell over the risks of life outside. Is that what you are trying to tell me? If so, aren't you in effect promoting that we spend more resources to attain this low-risk condition? Adversaries aren't just. They break the social contract that requires, with some exceptions rarely applicable in modern everyday life, to interact with others on the basis of voluntary and fair exchange. One doesn't rob, steal, rape, or burgle. A subset of the population ignores this rule; society strives to lock up this subset in prison. (A) We've just established that as a consequence of your assumptions, we must consider the acts of robbery, theft, rape, and burglary not crimes but security investments. After all, the person committing them decreases his or her chances of not being locked away in a safe place. (B) I don't see what's wrong with society as a whole, rather than randomly chosen individuals, defending the social contract. Why leave defense to the individual victim or possible victim and not defend against adversaries collectively? If you want to pose (B) as a problem of economics, you'll probably find examples for and against either approach. I suspect that it simply depends on a couple of side conditions whether one or the other approach is more efficient. Maybe everyone is better off with a police force as a public good in urban Darmstadt, but everyone is better off with a rifle in the closet for self-defense and hunting in Siberia?

tigr[ino]2013-11-20 11:10 /

Yes, I see where you are coming from and I think we should clearly split the various discussions we are having here. We are mashing together several different concepts loosely connected by security taken broadly, but in order to achieve clear understanding we had better split the subjects out logically. First of all, the question of what society is best for its people is still open. Every society basically cares about its own advance and does not care for the particular people. Now, the societies you refer to, presumably the Soviet bloc of countries, could hardly be called "prison". I can imagine that there is no objective information on the nature of life there, but one thing a person should avoid is making assumptions based on propaganda. People in countries like the Soviet Union could never be seen as more enslaved than the people of current Western Europe, for example, quite the contrary. On the other hand, this adds nothing to our discussion of security, does it? Let me write another post on the subject of "societies as jails" and we discuss there, shall we not? As for the adversaries and their social contract, the adversaries actually do not have any social contract at all. Or, they have a social contract in some other place and time. Or, let's put it differently, you cannot count on the adversaries agreeing that they have a social contract like you count on everyone else. They are not open to this kind of manipulation. So how would you invoke something that they did not agree to? Nonsense. The whole concept of social contract is a mind trick to speak about something else in different terms. So I prefer not to talk about it at all. People do not steal, rape and murder not because of some ephemeral social contract but because they are not inclined to. Yes, there are different discussions about all of this, this also deserves a separate topic. I actually wrote about it a while ago in Russian, I should write about it again in English.
People are not inherently inclined to hurt each other en masse. There are aberrations and their place is in jail (or, some say, in hospitals, and others, on a rope, but let's not split hairs) while most people would cheerfully go about their business helping each other in the absence of any deterring mechanisms whatsoever. Now, after all these side tracks, let's come back to the question at hand that we actually are discussing. I realize that my original article should have been several pages long. Let me try to clarify my point then. The problem, as I see it, is in the short-sightedness of the commercial companies. The concentration on the immediate profit makes them do things to the detriment of themselves and of the society as a whole in the long term. The security of software is one such thing. They will cheerfully externalize their costs while putting the burden on the shoulders of the society to bear many times over. I think that there are several things to be done here. One would be to put pressure on the government to do its job of long-term oversight and regulate this part. The other part, and the purpose of this article, is to raise the awareness in the society, make people understand this problem of companies not caring. Yes, this is a case of me promoting the view that people should fend for themselves (too) but as a part of a larger picture that includes much more than that.

Sven Türpe2013-11-20 23:55 /

There's nothing wrong with short-sightedness in business. A business as a supplier of some good or service has to adapt itself to the demand and competition in the market. The whole point of running a company is to profit from voluntary exchanges with customers. Give people what they want, and produce it at costs lower than what they are willing to pay. That's it. Sure, in some cases there may be undesirable side effects to society requiring treatment. Externalities, however, are a refinement of economic models in the first place, nothing more or less. As the text you're linking to correctly points out, they can be positive or negative. Externalities can even be simultaneously positive and negative. Just consider Internet service/infrastructure providers, giving everyone the benefit of having an Internet, as well as the troubles of having an Internet. I think we also have to be careful to distinguish true externalities, and in particular undesirable ones, from wishful thinking about a supposedly ideal world. Something isn't an externality just because you wish somebody would pay for this something. And even a negative externality isn't necessarily a big problem for you and me: If everyone incurs some cost from a commodity like Internet access, does it matter which way we pay that cost? P.S.: One does indeed not agree to a social contract, neither as a bad nor as a good guy. The social contract is hypothetical, a thought experiment to figure out what is just and what isn't: http://youtu.be/9PTXwN-MJ8Q?t=22m30s. However, we afford institutions like law, justice, and law enforcement to defend this hypothetical contract -- or what the founders of our states thought of as an appropriate social contract -- against actual violations.

tigr[ino]2013-11-26 12:32 /

You are right, most of the time there is nothing wrong with leaving things up to the business and its short-sightedness does not prevent it from doing a good job. However, the long-term view both for the business and for the society governance is essential. There must be a balance between the two. Again, here I take the point of view of the society as a whole when talking about externalities of developing secure software. I can see that imposing the costs on the companies (or individuals, or both) now would slow them down at first but would generate a better overall picture later. So, in my opinion, we have to give up some of the immediate benefit in recognition of the long-term improvement. This is the case when short-sightedness is actually harmful to business itself and the society as a whole. P.S. http://tigr.net/2013/11/26/got-social-contract/

Sven Türpe2013-11-27 23:59 /

So how do you know that society would be better off spending more work on less software to attain what I'd expect to be a rather petty security margin? Technically secure systems and software will still be vulnerable to attacks due to dependencies: on users (security is a secondary goal), on configuration (if you can define its security policy, you own the system), or on environmental security controls (software can hardly defend itself against tampering with its runtime environment or the code itself). We also don't need to counter all threats with technical prevention. Think about this, your food or your tea would be amazingly easy to poison -- but I suppose you don't lock your tea cup in the presence of potential adversaries. And that's how it should be. As a society, we deem murder extremely undesirable, but we don't prevent it with technical countermeasures. We rather threaten to apprehend and punish murderers and make this threat credible by running law enforcement agencies. That's a macroscopic solution, as opposed to the microscopic approach of trying to close every loophole some bad guy might exploit to bad ends. I explored the microscopic and macroscopic perspectives in a paper last year along with a discussion of security engineering tools: http://erichsieht.wordpress.com/2012/11/29/an-exercise-in-lateral-thinking/ What do you think of bulletproof suits (cf. http://www.youtube.com/watch?v=g25CL93f0f8)? Would you personally buy them, now that you know they exist and might save your life? Should everybody buy them? Or should the suit industry maybe offer only bulletproof products? Undoubtedly a bulletproof suit is more secure than a regular one, and murder is bad for society, isn't it?

tigr[ino]2013-11-28 10:26 /

Ah, that is an excellent question! How do we know that the return on our investment is going to be bigger than the investment? How do we know that there will be a return? How do we know that the security margin is going to be petty? We are the specialists, we have the knowledge, we have the experience, we can judge and argue about such things. That's what it is all about: we are trying to argue our way to the future, we are trying to predict the effects of our actions and non-actions and we hope to become wiser in the process. That aside, I read your article last year and I thought it was great. Did I not tell you? Well, I tell you now. It was great and I enjoyed reading it a lot. I will not go into the whole discussion of micro and macro right now though. We have complicated matters sufficiently as it is :) Let's better talk about the food analogy, I like that one. We know that food can be poisonous. We also seem to be fairly careless about it. But is it true? First, we are conditioned by oh-so-many years of evolution to check the food unconsciously. Do you close your eyes and nose when you eat? Likely not. You check the look of the food when you buy it, you check the expiration date, you re-check it when you get it out of the fridge, you smell it and taste it when you eat. That is a lot of defense your body puts up against poisoning. And still, do you think we never get poisoned? I get food poisoning roughly once a year. Just for the entertainment, a few links to the lists of massive food poisoning cases:
- http://listverse.com/2013/03/18/10-odd-cases-of-food-poisoning/
- http://www.healthline.com/health-slideshow/worst-foodborne-illness-outbreaks
- http://en.wikipedia.org/wiki/List_of_foodborne_illness_outbreaks_in_the_United_States
So, moving the analogy to software, I think it is necessary to develop the two lines of defense that we have in the "food chain" already.
First, there must be control over the safety and quality of the software imposed at the source, just like in the food industry. Second, we must all learn to put up our own defense, "smell" the bad software and learn to make the good cookies for our guests that will not make them vomit. I really like the analogy. The "software and information food chain" is as important in our digital age as the food chain always was.
