> We are struggling with a broken model of "security" and the emergence of a global insecurity industry.
I have a take that isn't too close to the focus of this article, but there is a big underlying point.
There are known vulnerabilities in consumer and enterprise tech that are purposefully not closed in order to maintain a tactical advantage. Consider the tech used to break into phones, Pegasus. This is a highly visible peak of an iceberg in an otherwise massive industry of finding and weaponizing vulnerabilities that can have real-world consequences, see WannaCry.
This is both hugely political, and not political at all. It's almost a guarantee that a nation-state with cyber resources will use said resources to find a tactical advantage and constantly lob attacks back and forth. Each side will loudly exclaim "Look they're hacking us!" while staying quiet on their own attacks. You can set your watch to it.
Basically any government is spending vast resources to find vulnerabilities and keep them open, which makes everyone less safe. Coupled with the constant war on encryption, gov sponsored "Cyber" is a money pit for hawks that wish to start trouble.
JumpCrisscross 20 days ago [-]
> almost a guarantee that a nation-state with cyber resources will use said resources to find a tactical advantage and constantly lob attacks back and forth
Guns versus butter. There is probably a rational amount of cyber insecurity, given writing secure software comes with tradeoffs. (Nothing that comes with tradeoffs optimises to zero or infinity.) Perhaps being able to run insecure software is a form of peace dividend.
Doesn’t cover intentional security holes. But we don’t have evidence that is a prevalent problem.
arminiusreturns 20 days ago [-]
Actually we do have evidence it is a prevalent problem. A few data points ok, but we have repeated data points (at foundational pivot points) supporting it. (example: NIST infiltration and manipulation of encryption standards. Vault 7. etc).
JumpCrisscross 20 days ago [-]
> few data points ok, but we have repeated data points
This is no evidence it’s a prevalent problem. It’s absolutely a problem. But I’m unconvinced we’re e.g. at a material military disadvantage or at economic risk as a result of it.
Buttons840 20 days ago [-]
We need strong legal protections for security researchers. "Red teams" should be protected so long as they responsibly report their findings and they should be given the benefit of the doubt. Security researchers should even be allowed to test the security of systems without permission.
This is a matter of national security, and personal security. Why can't I personally test the security of my bank? Why can't I ask an organization I trust to test the security of my bank?
Currently we threaten to jail security researchers if they go so far as to press F12 and inspect the HTML source of a webpage. The personal data of half the nation is leaked twice a month. Companies have no financial incentive to build secure systems. Despite all this, we will be surprised when our critical infrastructure goes down and wonder "what more could we have done?"
We sacrifice national security for the convenience of companies. Companies don't want researchers reporting the poor security of their systems. We allow companies to tightly control how their systems are tested, while also holding that companies are not liable for the security of their systems. When it comes to corporate security, they can have their cake and eat it too--they have authority over their systems but are not responsible / liable for their systems.
hypeatei 20 days ago [-]
German courts/laws seem to be very hostile to anyone exposing security flaws.
I remember a story posted here where someone found a hard coded SQL connection string in decompiled code, connected to the server with it, and notified the company. Then, the company took the person to court (claiming something nonsensical about circumventing security) and the courts agreed.
There were even people on HN siding with the courts that decompiling code and finding the key is circumventing their security, which is madness.
robertlagrant 20 days ago [-]
> Why can't I personally test the security of my bank?
I don't understand this perspective. What's the difference between this and being allowed to try and walk into all the back rooms of your bank and read everything you can? Or do you think you should be able to do that?
Buttons840 20 days ago [-]
IT systems on the internet are not like physical locations in a peaceful society. The analogy falls apart very quickly.
IT systems on the internet are constantly approached by millions of actors, good and bad, and if they are designed correctly then this is no problem and is not a burden on anybody. This is very unlike a comfortable office setting in a peaceful society.
You are making an analogy between modern banks and IT systems. Modern banks are almost never breached, while IT systems have major breaches every week. That's not a fair analogy.
ElevenLathe 20 days ago [-]
Should I be prosecuted for walking up to my credit union after closing and trying to open the front door to see if it's really locked?
taeric 20 days ago [-]
If you proceed into the building? Almost certainly.
If you put the doors or windows through a stress test? Again, almost certainly.
Buttons840 20 days ago [-]
What if you have money in the bank and the bank has been robbed thousands(!) of times because they forget to lock the windows. Assume nobody is going to do anything to make the bank change their window locking habits, or lack thereof.
At this point in the analogy, do you personally believe it is worrisome if an upstanding citizen thinks "I wonder if they forgot to lock the windows again?", and they check just to see. Is the solution in this scenario to harshly punish the citizen while doing nothing to the bank or their windows?
(!): I say thousands because https://haveibeenpwned.com/ reports that my email address has appeared in almost 3,000 (three thousand!) data breaches.
taeric 20 days ago [-]
This doesn't really help the scenarios, though? In fact, if you know that a place has been the source of a ton of crime, physically going there is a terrible idea. Not sure why similar wouldn't apply for this?
I'm... also very curious what expected numbers are there for data breaches? I'm seeing 12. How in the world are you at 3,000?!
Buttons840 20 days ago [-]
I haven't given my email address to any websites that are involved with pornography or other disreputable things, nor have I given my email to any website with connections to illegal activities.
The number of leaks with my specific email address doesn't really matter. The point here is that there are thousands and thousands of data breaches happening all the time. These all affect real people. These all have wronged people, and these people have no redress.
Your gut reaction of "there's a problem, let's criminalize" seems to match the general consensus here in the USA. We'll criminalize and jail endlessly, but it's not working, the problem is getting worse, more data breaches happen all the time, airlines cancel all flights, hospitals cancel medical procedures, all because we can't build secure IT systems. The problem keeps getting worse despite our criminalization.
One thing we won't try is expecting competence and accountability (financial liability) from our wealthy and powerful organizations. Nor will we try empowering upstanding security researchers, and meanwhile criminal hackers continue to act with no regard for the law.
taeric 20 days ago [-]
Where did I give my gut reaction? It would almost certainly be more in line with finding processes to improve things. I'm all for pen tests and similar. Bounty programs are also good ideas.
The topic here, though, was whether or not casing out a location would get you in trouble. And, yeah, if you are casing out a place you can get in trouble. Regardless of how much crime has or has not happened there. Indeed, I would stipulate you are less likely to get in trouble if you are checking out a place that has not had crime.
And apologies if you thought I was blaming you on the leaks. Not my intent, at all. Genuinely surprised to hear you get 3,000+ hits. More so with how few hits I get, relatively.
Buttons840 20 days ago [-]
I apologize as well. It's easy to argue against comments as though they're all from one person, even though they come from different people.
You say the topic here is whether or not casing out a location would get you in trouble. This illustrates a problem with analogies; we are now several comments deep in a discussion about an analogy. I originally spoke about the security of virtual IT systems, and an analogy was made to the security of physical buildings. A computer program and a physical building are quite different, but here we are talking about physical buildings. I don't want to talk about the security of physical buildings anymore.
taeric 20 days ago [-]
Totally fair! In discussions this big, I often do not try and speak to multiple threads at the same time. If only to dodge this sort of confusion.
My specific entry to the thread was to say that you are likely to get in trouble if you try the door of a bank and walk on in if it is open.
robertlagrant 20 days ago [-]
No, just as you should be able to type your bank's URL in your browser even if they've taken the website down.
Joker_vD 20 days ago [-]
> Why can't I personally test the security of my bank?
For the same reason your bank can't test how well you store your PIN and secret phrase, I imagine. It's not in the contract between you and the bank, and the general law doesn't allow for it ("I was not trying to burgle that house, Your Honour, I was testing its security" — "That's a nice joke, mister, so I won't hold you in contempt of the court. Still, guilty, five years").
> Why can't I ask an organization I trust to test the security of my bank?
For the same reason the bank can't ask an organization it trusts to test how well you store your PIN and secret phrase, I imagine: it's not in the contract.
And good luck trying to find a bank that would agree to let you inspect their security.
Buttons840 20 days ago [-]
We need to include in this analogy that the bank is robbed every other week because they forgot to close the vault or they left a pile of cash sitting outside while they went to lunch. In such a situation if an upstanding citizen checks that the vault is actually locked--"did they remember to lock it today?"--the actions of that citizen don't concern me.
But let's set the analogy aside.
If companies want full control over their systems and who may test the security of those systems, that's fine with me, so long as their full control also comes with full liability. The problem is we currently give companies full control without any responsibility or liability.
warkdarrior 20 days ago [-]
Responsibility and liability are usually established in court, so go ahead and sue all the companies that have your data. Also you need to demonstrate that you incurred some tangible loss from a data breach.
Buttons840 20 days ago [-]
Yes. To get redress I must pay hundreds of thousands of dollars in legal fees (try suing a company like Equifax or AT&T for less) and also provide detailed evidence of exactly what criminal organizations from all over the world have done with my data. Does this seem reasonable? If I fail to meet this standard does that really mean I wasn't harmed?
And does this standard apply the other direction? If I personally test the security of a company without permission, do they have to prove that I caused actual damage before I am punished? If the moral standard applies evenly, then I should be able to try opening the vault, and if I fail, no harm done. The bank must show actual harm before I am punished. But no, there is no even application of moral standards here; when it comes to individuals testing security the act itself is criminalized regardless of whether or not harm was done. It is even a felony to experiment with physical devices you own in many cases.
hypeatei 20 days ago [-]
Trying locks on a house vs. sending payloads to an internet exposed server are not analogous.
I've seen this time and time again on HN. Making analogies that aren't clear doesn't result in useful discourse (people argue over the dumb analogies rather than the thing itself), kinda like I'm doing right now...
Joker_vD 20 days ago [-]
> Trying locks on a house vs. sending payloads to an internet exposed server are not analogous.
Well, go write your congressman about it (or however it's done wherever you are), because it sure does look like the lawmakers and the courts do consider those two things to be kinda analogous; but I doubt that arguing in the HN comment section about laws has ever improved (or will ever improve) those laws.
robertlagrant 20 days ago [-]
No, analogies are good. Calling them dumb instead of pointing out the difference is what's not useful.
hypeatei 20 days ago [-]
Pointing out the difference? These two things (sending data over TCP/IP and testing physical locks on a house) are in two completely different realms.
robertlagrant 20 days ago [-]
I don't know what "different realms" means. It's an analogy, so it won't be two identical things. The question is: why doesn't the comparison make sense?
krab 20 days ago [-]
Analogies time!
I saw this big shiny vault had a side door unlocked, Your Honour. This vault stores my money as well, so I wanted to see - surely they wouldn't let burglars in just like that. I didn't break any lock, I didn't pass any sign. When I saw the door indeed led to the money, I left and wrote the bank a letter.
ThinkBeat 20 days ago [-]
Is there a trustworthy source for this claim¹ the post makes?
It does not conform to what I see today, nor the plans I see for the future when it comes to governments' use of software.
¹ "Thankfully the political systems of Europe have started to wise up and stand up to US BigTech hostility and have mandated that all software used for public services, government and state apparatus must be Libre open source code that is auditable, verifiable and under control of the people."
jeffbee 20 days ago [-]
I've been hearing this claim half my life. Slashdot used to have a daily story of how "Germany switches to Linux" and it always turned out to be that Linux got installed on one server in the bureau of steam-cleaning municipal dumpsters in a village nobody had heard of before.
PaulHoule 20 days ago [-]
When the German open source enthusiasts and penny pinchers legislate government employees using open source office software, the employees' union fights back.
j-pb 20 days ago [-]
Could you cite your sources?
The only thing that I could find was that VerDi has a very good stance being PRO open-source software, and ANTI encryption and chat backdoors:
ver.di advocates the use and promotion of open-source software by the German state, by using open-source software as extensively as possible in administration, public authorities and state organisations. In addition, the development of open-source software should be supported financially and institutionally over the long term. This also applies to the hardware infrastructure required. When the state programs software or commissions it, it must be open source. In this way the state makes itself independent of individual vendors, and in the long term costs are saved because fewer licence fees are incurred.
It is not true, source: I work for an institution that would be impacted by such a ruling. There are requirements for sovereignty, but as usual people play fast and loose with the concept. Governments are not more competent than anyone else.
harry_ord 20 days ago [-]
The statement is so vague it can't be true anyway. What's Europe? The continent, the EU or one of the organisations that EU membership often comes with?
krageon 12 days ago [-]
I actually know what I'm talking about. You're free to disagree and "just ask questions", but I don't want to engage with tedium.
harry_ord 12 days ago [-]
I was agreeing with you. I found the statement that 'the political systems of Europe' so vague it couldn't be true. It's why I listed several different definitions of Europe.
krageon 10 days ago [-]
I misunderstood, I apologise
TZubiri 20 days ago [-]
Don't get me wrong this is some schizo shit, but I agree with the sentiment, and it in itself is a source for the claim. What would you expect a double blind trial measuring political bits in cybersecurity atoms?
ThePowerOfFuet 20 days ago [-]
>some schizo shit
Please don't smear those with mental illness like this.
mikewarot 20 days ago [-]
>We can't look to history for guidance.
Sure we can. When's the last time a defective toaster took down a major power grid?
Never. Because we don't place all of our trust in every appliance plugged in everywhere. We haven't done anything like that in more than a century.
Equivalent mechanisms exist for computing. They can be made equally easy to use.
We simply lack the will to upgrade everything and are willing to band-aid everything forever instead.
jmull 20 days ago [-]
This kind of apocalyptic manifesto concerns me on two fronts...
One, it makes me worry about the mental health of the author. They are clearly really not having a good time living in our reality, and I hope they can find a way to relieve the suffering.
Two, I hope no one else gets caught up in it. There are a lot of strong words and claims but nothing remotely actionable. It's pushing pure panic/fear/angst.
CrowdStrike is just a company that is strong on sales/marketing but weak on tech, who found a market that requires you to be strong on both. I don't think there's anything wrong with such companies existing, but it seems clear they should never be in a position to break everything. The fix could be the market, regulatory, and/or technical. There are tradeoffs, so we probably need to work through the arguments of different approaches and different combinations of approaches.
nonrandomstring 19 days ago [-]
> a lot of strong words
The words are mild and sometimes even a little playful. The ideas are strong. Please offer some strong ideas in response, instead of calling other people crazy, which makes you look weak.
> nothing remotely actionable... The fix could be the market, regulatory, and/or technical.
The premise of the piece is that markets have wholly failed to provide computer security for people, that technical complexity has escaped us as engineers, and that regulation is undesirable, difficult and often makes things worse. The time is now for this stuff to get very _political_.
As I wake up this morning to UK news that we'd like to ban Twitter I'm already seeing some good evidence this is happening. If you don't believe that politics is relevant action in our society you wouldn't be alone. But you'd still be in a disaffected minority. Please understand that the rest of the billions of people are going to move to increasingly effective political means to unseat derelict and corrosive US big-tech in order to build a better technological society.
quohort 20 days ago [-]
> One, it makes me worry about the mental health of the author. They are clearly really not having a good time living in our reality, and I hope they can find a way to relieve the suffering.
> Two, I hope no one else gets caught up in it. There are a lot of strong words and claims but nothing remotely actionable. It's pushing pure panic/fear/angst.
This made me laugh, it comes off as so condescending. Don't worry about my "mental health". The purpose of life is not to just be content all the time, it's to overcome suffering and achieve some level of self-actualization.
If we are on the verge of the apocalypse, It should feel apocalyptic. The question is of how urgent the apocalypse really is (taken with a grain of salt to make room for the unknown) and what can be usefully done.
> CrowdStrike is just a company that is strong on sales/marketing but weak on tech, who found a market that requires you to be strong on both. I don't think there's anything wrong with such companies existing, but it seems clear they should never be in a position to break everything.
I do think there is something wrong with "fixing" security by just outsourcing your problems to some other company to monitor. Real security is about one's own operating practices and standards. Companies like CrowdStrike don't necessarily increase security; they increase fragility because they act as a central point of failure.
> The fix could be the market, regulatory, and/or technical. There are tradeoffs, so we probably need to work through the arguments of different approaches and different combinations of approaches.
The author suggests that the problems are more systematic. I would say the fix is cultural: we have a flawed culture of outsourcing security to the market, regulators, or technology.
oneplane 20 days ago [-]
This article is fundamentally missing the point of why computer security is incomplete: even if we wanted to, we are currently not able to make useful systems that are also secure to the degree that the current user base is still able to use it.
We don't need to "work on keeping it insecure"; the entire industry produces bad software just fine, no active planning required. Hanlon's razor applies, even if there is a double-digit set of examples where a backdoor (or similar) was added. Especially when you consider that next to the backdoor the front door is wide open anyway.
rstuart4133 20 days ago [-]
> even if we wanted to, we are currently not able to make useful systems that are also secure to the degree that the current user base is still able to use it.
I disagree. We have computer systems now that are secure which the vast majority of people have no trouble using: phones and tablets. They are so secure band-aids like CrowdStrike and similar anti virus measures aren't needed on them.
We've known for decades that desktops, such as Windows, MacOS and the majority of Linux, use a broken security model. We know why it is broken: you can't trust the owner of the device, be that Joe Citizen or a corporate. Joe Citizen will be socially engineered into installing something that modifies the OS, turning it into malware that can't be repaired. The corporate will buy something like CrowdStrike, which is essentially the same trick in a different guise: con the owner into installing something that makes the attacker money. An absolute precondition for an OS guaranteeing it is secure is that it can't be modified by a third party, and that includes the user. Yet we persist in providing OSes that do allow the user to modify them, and then pretend papering over that with things like anti-virus programs fixes the problem.
We've also known for decades that secret proprietary code that is so secret it comes with a licence that bans you from attempting to pull it apart and looking for vulnerabilities (via a licence banning you from reverse engineering) is pure poison for security. I need to have 100% faith that Juniper does not have a backdoor, or that Microsoft is not still allowing MD5-signed certs in critical parts of its infrastructure.
Despite all that it's true that here we are in 2024, still using things that are insecure by design, and still buying hidden proprietary code from vendors that have included backdoor passwords in their products in the past. I'm not sure it is a political problem, but it sure isn't a "we don't know how to do better" problem. We do.
fpoling 20 days ago [-]
We are perfectly capable of producing reasonably secure systems, but the present situation has made that not cost-effective. It is strictly cheaper to apply security as an afterthought or even ignore the issue completely and just pay off the penalties later.
Veserv 20 days ago [-]
What do you mean by reasonably secure system? Secure against commercially motivated attackers issuing profitable attacks that, these days, routinely pay out 10-50 M$? Such security would need to be adequate to protect against 10 M$ budgets, or teams with a resource budget of 10-30 skilled people for a year (10-30 person-years). If that is not the minimum standard, then I do not see how it can be claimed to be a reasonably secure system if commonplace, expected threats with incentive to execute indefinitely are not stopped.
If that is the standard, what do you mean by capable of producing such systems? Do you mean that large commercial software developers (i.e. Google, Microsoft, Amazon, etc.) have the existing knowledge and capability to develop and deploy such systems without fundamentally throwing out and redesigning their systems from scratch? If so, then that is untrue.
If you merely mean that there exists or has existed such capability somewhere and that it could be reinvented or relearned with appropriate incentives, then that is true. However, that would require fundamentally redesigning basically every commercial software system and has a time horizon of years to decades, even with the incentives properly aligned and having an iron will to reject insecure software systems despite the complaints by their producers, which has not worked so far.
fpoling 20 days ago [-]
Access cards for satellite TV or SIM cards are great examples of reasonably secure systems. Surely probably for 1M$ one can hack a single card, but it will be wildly unprofitable. Which demonstrates that with the right incentive industry can develop secure stuff. And the card development took like 10 years. And it was a highly non-trivial job as it required developing entirely new hardware.
With software it must be easier. The big IT companies most likely are incapable of doing that as security was never a hard requirement for them from the very start, so it is not in their DNA, and at this point they are themselves a security liability. Smaller companies on the other hand should be capable of producing software within the right legal framework that only state actors can hack.
EDIT: case in point is Google trying to prevent double-free bugs in Chromium using smart pointers. What was originally planned to be a one-year effort took like 3 years and counting, just because Google cannot afford a few percentage points of performance regression and various teams working on Chromium do not prioritize the relevant non-performance bugs.
petermcneeley 20 days ago [-]
>"The sooner we stop pretending these are technical problems and start speaking the truth about the fundamental political problems..."
The problem is that cyberspace was designed to be apolitical [0]. Power abhors a vacuum and as such the traditional powers (gov/corp) once again reign supreme even in cyberspace.
The struggle of hacker against hacker is a what struggle?
proMETHeus69 20 days ago [-]
Fire is technology. It can be used well to serve us or can be used to destroy us. Consider the current phase of tech as early humans with fire sometimes accidentally (or on purpose) burning down their environment yet at the same time making food more accessible. We must create the fireplace, boiler, forge of technology and rules to produce and consume it safely or else we will continue to be burned as a human race. I am optimistic we will wrangle this problem how we did thousands of years ago for fire. Baby steps.
dash2 20 days ago [-]
After reading half of this long, dramatic screed, I realised I had not been told a single new fact. I’ll skip the second half.
nonrandomstring 20 days ago [-]
Couldn't help but delve into your genuinely interesting take on revising social science theories to explain the rise of populism and decline of trust, including ideas from Robert Putnam who I've recently been reading for a study on the subject of "social capital".
It felt odd that as a social scientist you fell short of the patience to read what a fellow scientist has to tell you about the lens through which you see the world - namely computers, solely on the basis that it disappointed your thirst for "new facts".
Spoiler: FWIW, in the second half he elopes with the scullery maid and challenges his arch rival to a duel...
Chiba-City 20 days ago [-]
Great article. Read all of it twice. Don't fixate on one or two sentences.
I once worked in Fed Govt IT system. Remember the 2015 OPM (Office of Personnel Management) data breach? If not, read up on that (use a search engine). Over 22 million government personnel records were released into the wild. The Wikipedia article "blames China," but some folks told me that multiple agency personnel and multiple agency contractors had simply put everyday Fed Govt OPM spreadsheets on everyday Web sites to make them easy to share.
"Experts" rarely grasp the everyday 1. incompetence, 2. indifference, 3. recklessness and 4. even corruption pervasive across and thriving in all our "elite institutions."
We need to take Robert Solow's Productivity Paradox (look it up) very seriously. All the incentives line up for "experts" to sell more things and sell newer things. But we are often (always?) selling band-aids for the previous band-aids, while users (customers) are swallowing birds to catch the spiders to catch the flies. Solved problems cease being problems. That's sadly bad for the IT business.
djyaz1200 20 days ago [-]
[flagged]
wswope 20 days ago [-]
Note to self: impersonate djyaz1200 when launching cyberattacks under the new world order.
djyaz1200 20 days ago [-]
Yes, correctly identifying the perpetrators would be very challenging.
arrosenberg 20 days ago [-]
It's a bit more challenging when the attacks are coming from hostile nation-states that covertly or overtly support the crimes.
djyaz1200 20 days ago [-]
I get that it's easy to suggest solutions but hard to implement them. I just don't see how the security situation gets better without escalating the response. Does anyone else? How does this get better?
arrosenberg 20 days ago [-]
I don't see any group dominating the internet in the way Britain/the US have dominated the seas (eliminating most piracy). The only solution is to reach a détente with peer adversaries that everyone can live with, then jointly enforce it on smaller adversary states.
ToucanLoucan 20 days ago [-]
> Some group shut down over 50% of car dealers in America in June/July. That's warfare.
You're not entirely wrong but also "Someone broke half the car dealers IT backends, this is WAR" is possibly the most American statement I have ever heard, holy cow.
I CAN'T CONSUME PRODUCTS! TO WARRRR
djyaz1200 20 days ago [-]
I hear that, and yes, it's funny, but as you point out not entirely wrong. These attacks harm businesses and the families that depend on them. The tens of millions of dollars paid in ransom go somewhere, that money would be less valuable if it came with the real chance the military would hunt you down and kill you.
ToucanLoucan 20 days ago [-]
Hey, not judging at all. I've said to friend groups multiple times, no matter how anti-war I am, I am completely fine with America using its geopolitical position of near unchallengeability to get away with drone striking the server farms spammers operate from.
If we're going to spend the atrocious amounts we do on defense, the least we could do is use them for good sometimes.
djyaz1200 20 days ago [-]
I totally agree. It's like we're having all these little Pearl Harbors over and over again and doing nothing. If we're going to spend all this money on muscle, let's use it to do some useful things and hurt some people who deserve it.
There is no evidence it's a prevalent problem. It's absolutely a problem. But I'm unconvinced we're e.g. at a material military disadvantage or at economic risk as a result of it.
This is a matter of national security, and personal security. Why can't I personally test the security of my bank? Why can't I ask an organization I trust to test the security of my bank?
Currently we threaten to jail security researchers if they go so far as to press F12 and inspect the HTML source of a webpage. The personal data of half the nation is leaked twice a month. Companies have no financial incentive to build secure systems. Despite all this, we will be surprised when our critical infrastructure goes down and wonder "what more could we have done?"
We sacrifice national security for the convenience of companies. Companies don't want researchers reporting the poor security of their systems. We allow companies to tightly control how their systems are tested, while also holding that companies are not liable for the security of their systems. When it comes to corporate security, they can have their cake and eat it too--they have authority over their systems but are not responsible / liable for their systems.
I remember a story posted here where someone found a hard coded SQL connection string in decompiled code, connected to the server with it, and notified the company. Then, the company took the person to court (claiming something nonsensical about circumventing security) and the courts agreed.
There were even people on HN siding with the courts that decompiling code and finding the key is circumventing their security, which is madness.
I don't understand this perspective. What's the difference between this and being allowed to try and walk into all the back rooms of your bank and read everything you can? Or do you think you should be able to do that?
IT systems on the internet are constantly approached by millions of actors, good and bad, and if they are designed correctly then this is no problem and is not a burden on anybody. This is very unlike a comfortable office setting in a peaceful society.
You are making an analogy between modern banks and IT systems. Modern banks are almost never breached, while IT systems have major breaches every week. That's not a fair analogy.
If you put the doors or windows through a stress test? Again, almost certainly.
At this point in the analogy, do you personally believe it is worrisome if an upstanding citizen thinks "I wonder if they forgot to lock the windows again?", and they check just to see? Is the solution in this scenario to harshly punish the citizen while doing nothing to the bank or their windows?
(!): I say thousands because https://haveibeenpwned.com/ reports that my email address has appeared in almost 3,000 (three thousand!) data breaches.
I'm... also very curious what expected numbers are there for data breaches? I'm seeing 12. How in the world are you at 3,000?!
The number of leaks with my specific email address doesn't really matter. The point here is that there are thousands and thousands of data breaches happening all the time. These all affect real people. These all have wronged people, and these people have no redress.
Your gut reaction of "there's a problem, let's criminalize" seems to match the general consensus here in the USA. We'll criminalize and jail endlessly, but it's not working, the problem is getting worse, more data breaches happen all the time, airlines cancel all flights, hospitals cancel medical procedures, all because we can't build secure IT systems. The problem keeps getting worse despite our criminalization.
One thing we won't try is expecting competence and accountability (financial liability) from our wealthy and powerful organizations. Nor will we try empowering upstanding security researchers, and meanwhile criminal hackers continue to act with no regard for the law.
The topic here, though, was whether or not casing out a location would get you in trouble. And, yeah, if you are casing out a place you can get in trouble. Regardless of how much crime has or has not happened there. Indeed, I would stipulate you are less likely to get in trouble if you are checking out a place that has not had crime.
And apologies if you thought I was blaming you for the leaks. Not my intent, at all. Genuinely surprised to hear you get 3,000+ hits. More so with how few hits I get, relatively.
You say the topic here is whether or not casing out a location would get you in trouble. This illustrates a problem with analogies: we are now several comments deep in a discussion about an analogy. I originally spoke about the security of virtual IT systems, and an analogy was made to the security of physical buildings. A computer program and a physical building are quite different, but here we are talking about physical buildings. I don't want to talk about the security of physical buildings anymore.
My specific entry to the thread was to say that you are likely to get in trouble if you try the door of a bank and walk on in if it is open.
For the same reason your bank can't test how well you store your PIN and secret phrase, I imagine. It's not in the contract between you and the bank, and the general law doesn't allow for it ("I was not trying to burgle that house, Your Honour, I was testing its security" — "That's a nice joke, mister, so I won't hold you in contempt of the court. Still, guilty, five years").
> Why can't I ask an organization I trust to test the security of my bank?
For the same reason the bank can't ask an organization it trusts to test how well you store your PIN and secret phrase, I imagine: it's not in the contract.
And good luck trying to find a bank that would agree to let you inspect their security.
But let's set the analogy aside.
If companies want full control over their systems and who may test the security of those systems, that's fine with me, so long as their full control also comes with full liability. The problem is we currently give companies full control without any responsibility or liability.
And does this standard apply the other direction? If I personally test the security of a company without permission, do they have to prove that I caused actual damage before I am punished? If the moral standard applies evenly, then I should be able to try opening the vault, and if I fail, no harm done. The bank must show actual harm before I am punished. But no, there is no even application of moral standards here; when it comes to individuals testing security the act itself is criminalized regardless of whether or not harm was done. It is even a felony to experiment with physical devices you own in many cases.
I've seen this time and time again on HN. Making analogies that aren't clear doesn't result in useful discourse (people argue over the dumb analogies rather than the thing itself), kinda like I'm doing right now...
Well, go write your congressman about it (or however it's done wherever you are), because it sure does look like the lawmakers and the courts do consider those two things to be kinda analogous; but I doubt that arguing in the HN comment section about laws has ever improved (or will ever improve) those laws.
I saw this big shiny vault had a side door unlocked, Your Honour. This vault stores my money as well, so I wanted to see - surely they wouldn't let burglars in just like that. I didn't break any lock, I didn't pass any sign. When I saw the door indeed led to the money, I left and wrote the bank a letter.
It does not conform to what I see today, nor the plans I see for the future when it comes to governments' use of software.
¹ "Thankfully the political systems of Europe have started to wise-up and stand-up to US BigTech hostility and have mandated that all software used for public services, government and state apparatus must be Libre open source code that is auditable, verifiable and under control of the people."
The only thing that I could find was that VerDi has a very good stance being PRO open-source software, and ANTI encryption and chat backdoors:
https://www.verdi.de/ueber-uns/bundeskongress-2023/berichte/...
Please don't smear those with mental illness like this.
Sure we can. When's the last time a defective toaster took down a major power grid?
Never. Because we don't place all of our trust in every appliance plugged in everywhere. We haven't done anything like that in more than a century.
Equivalent mechanisms exist for computing. They can be made equally easy to use.
We simply lack the will to upgrade everything and are willing to band-aid everything forever instead.
One, it makes me worry about the mental health of the author. They are clearly really not having a good time living in our reality, and I hope they can find a way to relieve the suffering.
Two, I hope no one else gets caught up in it. There are a lot of strong words and claims but nothing remotely actionable. It's pushing pure panic/fear/angst.
CrowdStrike is just a company that is strong on sales/marketing but weak on tech, who found a market that requires you to be strong on both. I don't think there's anything wrong with such companies existing, but it seems clear they should never be in a position to break everything. The fix could be the market, regulatory, and/or technical. There are tradeoffs, so we probably need to work through the arguments of different approaches and different combinations of approaches.
The words are mild and sometimes even a little playful. The ideas are strong. Please offer some strong ideas in response, instead of calling other people crazy, which makes you look weak.
> nothing remotely actionable... The fix could be the market, regulatory, and/or technical.
The premise of the piece is that markets have wholly failed to provide computer security for people, that technical complexity has escaped us as engineers, and that regulation is undesirable, difficult and often makes things worse. The time is now for this stuff to get very _political_.
As I wake up this morning to UK news that we'd like to ban Twitter I'm already seeing some good evidence this is happening. If you don't believe that politics is relevant action in our society you wouldn't be alone. But you'd still be in a disaffected minority. Please understand that the rest of the billions of people are going to move to increasingly effective political means to unseat derelict and corrosive US big-tech in order to build a better technological society.
> Two, I hope no one else gets caught up in it. There are a lot of strong words and claims but nothing remotely actionable. It's pushing pure panic/fear/angst.
This made me laugh, it comes off as so condescending. Don't worry about my "mental health". The purpose of life is not to just be content all the time, it's to overcome suffering and achieve some level of self-actualization.
If we are on the verge of the apocalypse, it should feel apocalyptic. The question is how urgent the apocalypse really is (taken with a grain of salt to make room for the unknown) and what can be usefully done.
> CrowdStrike is just a company that is strong on sales/marketing but weak on tech, who found a market that requires you to be strong on both. I don't think there's anything wrong with such companies existing, but it seems clear they should never be in a position to break everything.
I do think there is something wrong with "fixing" security by just outsourcing your problems to some other company to monitor. Real security is about one's own operating practices and standards. Companies like CrowdStrike don't necessarily increase security; they increase fragility because they act as a central point of failure.
> The fix could be the market, regulatory, and/or technical. There are tradeoffs, so we probably need to work through the arguments of different approaches and different combinations of approaches.
The author suggests that the problems are more systematic. I would say the fix is cultural: we have a flawed culture of outsourcing security to the market, regulators, or technology.
We don't need to "work on keeping it insecure", the entire industry produces bad software just fine, no active planning required. Hanlon's razor applies, even if there are a double digit set of examples where a backdoor (or similar) was added. Especially when you consider that next to the backdoor the front door is wide open anyway.
I disagree. We have computer systems now that are secure which the vast majority of people have no trouble using: phones and tablets. They are so secure band-aids like CrowdStrike and similar anti virus measures aren't needed on them.
We've known for decades that desktops, such as Windows, MacOS and the majority of Linux, use a broken security model. We know why it is broken: you can't trust the owner of the device, be that Joe Citizen or a corporate. Joe Citizen will be socially engineered into installing something that modifies the OS, turning it into malware that can't be repaired. The corporate will buy something like CrowdStrike, which is essentially the same trick in a different guise: con the owner into installing something that makes the attacker money. An absolute precondition for an OS guaranteeing it is secure is that it can't be modified by a third party, and that includes the user. Yet we persist in providing OSes that do allow the user to modify them, and then pretend papering over that with things like anti-virus programs fixes the problem.
We've also known for decades that secret proprietary code that is so secret it comes with a licence that bans you from attempting to pull it apart and looking for vulnerabilities (via a licence banning you from reverse engineering) is pure poison for security. I need to have 100% faith that Juniper does not have a backdoor, and that Microsoft is not still allowing MD5-signed certs in critical parts of its infrastructure.
Despite all that it's true that here we are in 2024, still using things that are insecure by design, and still buying hidden proprietary code from vendors that have included backdoor passwords in their products in the past. I'm not sure it is a political problem, but it sure isn't a "we don't know how to do better" problem. We do.
If that is the standard, what do you mean by capable of producing such systems? Do you mean that large commercial software developers (i.e. Google, Microsoft, Amazon, etc.) have the existing knowledge and capability to develop and deploy such systems without fundamentally throwing out and redesigning their systems from scratch? If so, then that is untrue.
If you merely mean that there exists or has existed such capability somewhere and that it could be reinvented or relearned with appropriate incentives, then that is true. However, that would require fundamentally redesigning basically every commercial software system and has a time horizon of years to decades, even with the incentives properly aligned and having an iron will to reject insecure software systems despite the complaints by their producers, which has not worked so far.
With software it must be easier. The big IT companies most likely are incapable of doing that, as security was never a hard requirement for them from the very start, so it is not in their DNA, and at this point they themselves are a security liability. Smaller companies, on the other hand, should be capable of producing software, within the right legal framework, that only state actors can hack.
EDIT: case in point is Google trying to prevent double-free bugs in Chromium using smart pointers. What was originally planned to be a one-year effort took like 3 years and counting, just because Google cannot afford a few percentage points of performance regression and various teams working on Chromium do not prioritize the relevant non-performance bugs.
The problem is that cyberspace was designed to be apolitical [0]. Power abhors a vacuum and as such the traditional powers (gov/corp) once again reign supreme even in cyberspace.
[0] https://www.eff.org/cyberspace-independence
It felt odd that as a social scientist you fell short of the patience to read what a fellow scientist has to tell you about the lens through which you see the world - namely computers, solely on the basis that it disappointed your thirst for "new facts".
Spoiler: FWIW, in the second half he elopes with the scullery maid and challenges his arch rival to a duel...
I once worked in Fed Govt IT system. Remember the 2015 OPM (Office of Personnel Management) data breach? If not, read up on that (use a search engine). Over 22 million government personnel records were released into the wild. The Wikipedia article "blames China," but some folks told me that multiple agency personnel and multiple agency contractors had simply put everyday Fed Govt OPM spreadsheets on everyday Web sites to make them easy to share.
"Experts" rarely grasp the everyday 1. incompetence, 2. indifference, 3. recklessness and 4. even corruption pervasive across and thriving in all our "elite institutions."
We need to take Robert Solow's Productivity Paradox (look it up) very seriously. All the incentives line up for "experts" to sell more things and sell newer things. But we are often (always?) selling bandaids for the previous bandaids, while users (customers) are swallowing birds to catch the spiders to catch the flies. Solved problems cease being problems. That's sadly bad for the IT business.