Insecure at Any Speed (and more on quantum lockpicking)

The author of an earlier link addresses the “mom-and-pop-shops aren’t secure” problem by pointing out that security is really hard. She suggests shifting the burden of maintaining security from the user to the tech designer. I disagree: I think this is impossible, the designer can’t predict how his or her product will be used, and therefore be sure it will be secure in every possible case. Instead, the designer can make the product as easy to secure as possible. The ultimate responsibility for security is still the user’s, but now they need less arcane knowledge to discharge it.

Quantum lockpicking: I realized today how to better describe the understanding of the world that certain kinds of people seem to share… they don’t fall prey to the assumption that surface representations have anything to do with what’s going on beneath.

There are the obvious explanations. Sure, the hacker because they find and exploit the non-obvious all the time, the abuse victim because the friendly face has tried to calm them into vulnerability, and the socipath because their own surface is inevitably an illusion. Still, these don’t fully explain the phenomena to my eye.

I also posed the problem of inspiring the brain to exploit quantum phenomena like the FPGA did, without the ensuing emotional trauma caused by needing to learn it in order to survive.

It turns out one good example might be technical education. In certain classes, solving problems takes a little more than the methods taught in lecture or in the book. Sure, the raw facts are there, but arriving at the solution involves a leap of insight in how to get there.

http://idoneous-security.blogspot.de/2012/02/insecure-at-any-speed.html

“It’s not that these organizations don’t care about security. You’d have to know about security first in order to care about it. The next time you go to a sandwich shop or a gas station, ask the manager about the security in the POS system they’re using. It should be an interesting, but very brief, exchange.[…]

Who outside of the clannish IT industry knows how to spell ftp, much less knows that it’s insecure? Who would know the better options and be able to implement them? Who has the time to examine and reconfigure computers on a regular basis?[…]

make no mistake: security is disruptive. It’s enormously disruptive. Getting the network architected correctly, every version of software patched and every configuration right, especially after the system has been in use for a while, is as disruptive to the business as migrating to a completely new system or platform. Ask anyone who has tried to manage a security initiative in an enterprise. Even assuming the enterprise wants to do it, it’s a major undertaking. All this shows how badly security is designed today; you shouldn’t have to keep reconfiguring your systems on a weekly or monthly basis in-flight just to keep the security entropy at bay.[…]

It’s an intractable problem, and frankly, it’s one that the enterprise shouldn’t have to solve. People are trying to work with the equivalent of a pencil, and it’s not their fault that their pencils are fragile, complicated, and prone to exploding at inopportune moments. They shouldn’t have to know or care why the pencil isn’t working; they want a new one without any delay, and without hearing long stories about how the graphite in this type of pencil isn’t backwards-compatible with all the erasers in the firm.

So when we read about how bad security is getting, we shouldn’t be pointing the finger at the compromised enterprises. We should be pointing it at their IT providers, who really ought to know better; but more fundamentally, we should be pointing it at ourselves. We should stop demanding that the user be responsible for security; those of us who are building this stuff to begin with should fix it ourselves, and build it in to all future technology. Today security is an afterthought, and a bad one at that. As long as it remains separate from the systems it’s supposed to protect, instead of being simply an attribute, and as long as it requires users to maintain an abnormal height of awareness as they go about their daily jobs, security is going to continue to be as bad as it is today.”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: