Can I interest you in more security, sir?

Last week's meeting of the IETF discussed the security of the Internet and the recent revelations that the NSA has turned the Internet into a giant surveillance machine. While the sentiment was clear that the Internet should not allow itself to be used for such abuse, there is little evidence that anything at all can be done about it.

The problem is not that it is technically impossible to introduce more encryption and build better protocols. The problem is that doing so is not in the current interest of the companies involved. The Internet was conceived for use in academia, so it was not a commercial thing from the start, and the principles on which it is built are idealistic. But now it is commercial through and through, from the hardware to the applications. And it is not in any company's commercial interest to introduce better security. It is quite the opposite, in fact: most companies are interested in less security, even if they claim otherwise.

You and I, as people, as independent human beings, can introduce better security because it is in our interest. I would not rely on companies to do so.

Guard your secrets

I have meant to write about spying and corporate information security for a while now, but only got around to it today. The article Confessions of a Corporate Spy provides an excellent background for the discussion and is absolutely worth a read.

Twenty years ago corporate spying was already abundant, and I, as a fresh employee, was excited to find out that we were actually being spied upon. We had to keep quiet about our work when we went out for drinks or lunch. Once a Good Samaritan lady reported overhearing our colleagues talk about their work in a restaurant near the company. This led to disciplinary measures, and the whole company knew what had happened. And we all knew it was wrong to discuss things outside.

Fast forward twenty years. Company managers discuss upcoming mergers and acquisitions in a social network account run by a third-party company. Details of products, designs, problems and customers are exchanged freely at lunch tables and on trains. How often do you see privacy screens on the laptops of people doing their work on trains and at airports?

People have become careless. It is as if, in the drive to deliver more and faster, we completely forgot that the competition does not really have to do a lot to catch up with us if they have all our information available to them. We forgot that, despite the information flowing in heaps over the Internet, we still have to protect it in all the mundane places. Web security, application security and network security do not matter at all if the same information is available to anyone who can listen carefully and record.

Security is said to be about finding the weakest link and mending it. Nowadays, the physical security of information is rising in the ranks and will become the weakest link; sometimes it already is, especially when a specialist in competitive intelligence comes around. With the business intelligence market estimated at $80 billion, do you think we should be sloppy?

Making sure your people know that it is a really bad idea to talk business outside a business setting, to disclose confidential information to strangers, to work on company numbers where the screen can be seen, and so on, is not that hard. Companies did it 20 years ago. We can do it now. Let's do it.

Brainwashing in security

At first, when I read the article titled Software Security Programs May Not Be Worth the Investment for Many Companies, I thought it was a joke or a prank. But then I had a feeling it was not. It was not the 1st of April, and it seems to be a record of events at the RSA Conference. Bloody hell, that guy, John Viega from SilverSky, “an authority on software security”, is speaking in earnest.

He is one of those people who are continuously making the state of security as miserable as it is today. His propaganda is simple: do not invest in security, it is a total waste of money.

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

And following suit was the head of security at Adobe, Brad Arkin, can you believe it? I am not surprised that we now have to use things like NoScript to make sure their products do not execute in our browsers. I have a pretty good guess at what Adobe and SilverSky are doing: they are covering their asses. They do the minimum required to make sure they cannot easily be sued for negligence and for deliberately exposing their customers. But they do not care about you and me; they do not give a damn if their software is full of holes. And they do not deserve to be called anything that has the word ‘security’ in it.

The stuff Brad Arkin is pushing at you flies in the face of the very security best practices we swear by:

“If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. “Manual code review is a waste of time. If you think you’re going to make your product better by having a lot of eyeballs look at a lot of code, that’s the worst use of human labor.”

No, sir, you are bullshitting us. Your company does not want to spend the money on security. Your company is greedy. Your company wants to take money from customers for software full of bugs and holes. You know this, and you are deliberately telling lies to deceive not only the customers but even people who know a thing or two about security. But we have seen this before, and no mistake.


The problem is that many small companies will believe anything pronounced at an event like the RSA Conference and take it for granted as the ultimate last word in security. That will make the state of security even worse. We will have more of those soft-underbelly products and companies that practice “security by ignorance”. And we do not want that.

The effect of security bugs can be devastating. The normal human brain is not capable of properly estimating risks of large magnitude but rare occurrence, and tends to downplay them. That is why the risk of a large security problem that can bring a company to its knees is usually discarded. But security problems can be so severe that they will put even a large company out of business, not to mention that a small company would not survive a security problem of even slightly more than average impact at all.

So, thanks, but no, thanks. Security is a dangerous field; it is commonly compared to a battlefield, and there is some truth in that. Stop being greedy and make sure your software does not blow up.