Will software security improve?

Software is wildly insecure. Basically all software can be hacked with varying degrees of sophistication. The cheaper the software / device, the easier it is to hack. Some devices ship without any real attention to security at all. C’est la vie.

Here’s the thing: do we care? Sort of. But mostly not. And that’s because, as Daniel Miessler recently pointed out, the benefits of software (insecure or not) far outweigh the costs. Here’s his helpful graphic summary:

Everyone would like, in theory, to have more secure software. But security costs talent, time, and therefore money. We don’t get secure software because we mostly don’t want to pay for it.

Will that change? Should that change? There’s a lot of talk around regulating cybersecurity, but if we’ve collectively decided we don’t need it then perhaps we don’t. We may see cybersecurity regulation focus on preventing black swan events like entire sections of the internet going down or people dying or elections being hacked. But perhaps that’s where the regulation should end. Software is amazing and cheap and, so far, no one dies. Success!

All your big data are belong to us

Maybe China hacked Marriott. Maybe not.

What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.

Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not Encrypted

But in a world where there are massive repositories of data on massive numbers of people (cue “IN A WORLD…” dramatic narration), that data is going to be used by governments. That’s just how this is going to work.

(The use of the post title meme probably dates me.)

Privacy vs Security

It’s an old topic, long discussed, and for that reason somewhat boring / repetitive. But I think new intelligent video analytics and facial recognition technology are about to make this extremely relevant again.

There’s no question in my mind that we, as a society, are going to trade public privacy (e.g., being monitored in public all the time) for safety. If the DC Sniper incident happens again, we’ll have drones over every major city. But two points:

  1. The privacy of our homes continues to be relatively secure, apart from the voice-control and IoT devices we voluntarily invite inside. Will that change? I don’t see any need for safety purposes.
  2. Will the additional security change the debate on gun control? If we as a society (i.e. the government) know exactly where you are and what you’re doing every time you step outside, does it matter that you have an arsenal inside your home? So long as it stays there…

And I often think of the aphorism attributed to Ben Franklin:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

Still relevant? Of course, like many old quotes, this one is often thrown about without any understanding of its context.

On balance, I lean towards freedom to deploy technology and catch law breakers. And freedom to own firearms. Safety and liberty?

Cybersecurity Ethics

I was at an MCLE today and got this hypothetical:

Your Company learns that a bug in one of your apps could have provided bad guys with access to confidential user information, but you do not have evidence that anyone actually obtained such information. You’ve fixed the bug. Arguably, privacy statutes require the Company to make disclosure to users and/or regulators. Management makes decision not to disclose, because no indication of actual breach. Ethical issue?

The audience of lawyers split 75% / 25% (live polling) calling this an ethical issue. Fascinating.

Two points: (1) I think the right answer is no. If the statute “arguably” does not require disclosure (i.e. reasonable people disagree) then this is not an ethical issue. But also (2) this scenario is almost certainly true all the time for all companies with confidential user data and internet-facing systems. Should they all be disclosing all the time? Is that even realistic?

Just take a look at the National Vulnerability Database, do a blank search, and look at the security bugs listed today. Awful security bugs are being found, published, and fixed every day for every major application everywhere. If you have confidential user information and internet-facing applications, you may face this hypothetical every single day.

You could see this working in the future (or now)

I find this case (paywall) very enjoyable and creative. But read the actual decision attached – it’s short and delightful!

Plaintiff alleged that the medical provider used software that was not secure and that it did not protect his personal information. But also tacitly admits that, as of yet, no one has taken or used plaintiff’s personal information.

In other words, the poorly secured software had yet to be hacked. But plaintiff was harmed because it could be.

The plaintiff lost. But imagine a world where this was a siren’s call for someone to hack the hospital system. It’s a really interesting market. Regular folks find deficient security on a platform that should probably be more secure. That person hires a lawyer. The lawyer drafts up and files the complaint and… maybe publicizes to interesting channels that are willing to poke around in weak systems.

And ta da! You may have yourself an actual case at that point.  

Does this feel to anyone like short sellers who short a company and then say how awful a company is?  

If Cyber Attacks Go Personal

We tend to think cyber attacks will be directed to institutional weaknesses: power grids, communications, etc. But the following scenario imagines that we are equally vulnerable at a personal level. Bruce Schneier links to this:

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese “Assassin’s Mace” — a silver bullet super-weapon capable of disabling key parts of the American military — turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet’s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls’ cries heart-wrenching, the cheers of Marines sickening. And all of it fake. The National Security Agency’s initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine’s account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron’s Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other’s throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag #PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration’s “zero tolerance” policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared “an operational pause,” directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

Institutions are made of individuals, and attacking individuals can cripple institutions. But it is also enormously more difficult to attack many individual accounts. I find this scenario compelling, implausible, and a useful exercise in thinking laterally.

Hackers steal tools from NSA, hack everyone with them

From the New York Times:

Hackers exploiting data stolen from the United States government conducted extensive cyberattacks on Friday that hit dozens of countries, severely disrupting Britain’s public health system and wreaking havoc on tens of thousands of computers elsewhere, including Russia’s ministry for internal security.

There are really only two things that need to be said about this, both said well by others:

  1. “Remember last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild?” John Gruber, Daring Fireball (link)
  2. “Either everyone gets security or no one does.” Bruce Schneier (link)

The point is there’s no such thing as a security backdoor that “only I can use.” If you want systems to truly be secure, they must truly be secure.