

“When you get right down to it, most security is based on the honor system.” - p4bl0
http://fjhqjv.tumblr.com/post/13394731443/ill-create-a-gui-interface-in-visual-basic

======
enobrev
Far more than security. Most of society is built on the honor system.

In a half-full bar at an hour when there isn't a bouncer (usually before 9pm in
NYC), the only thing keeping twenty or thirty people from pouring their own
booze for free is a large slab of wood and a person behind it. The name tags
and maybe a counter do the same thing at a retail store with one or two
checkout people.

Society is almost entirely built on a simple trust system and the fear we've
built into ourselves of the repercussions for going against societal norms.

~~~
tsunamifury
I would hope that it's also a mutual respect for others' work as well. I don't
refrain from theft because I might get caught but because society functions
because of a mutual respect for their work.

This is partly why we have such a business problem in finance and the media,
both severely lack mutual respect between parties.

~~~
true_religion
Mutual respect is merely a social norm, and a desire not to break "mutual
respect" is a reflection of the natural human pressure to avoid breaking
social norms.

~~~
jeremysalwen
You're conflating social construct with social norm.

You can make claims about why _you_ express mutual respect, that doesn't make
it the _only_ reason why someone might do so.

------
andrewcooke
at first i thought this was just the standard party line. but then i got to
the part that describes how i develop over-complex systems just so that i can
charge more, and i realised just how deep the insight was.

then an amazing hn-libertarian-market-forces thought hit me: why not have a
_market_ for software, where people have to _pay_ for it? and then
_competition_ would push the people that make over-complex software out of
business.

of course, if that happened, then the world described in the article would be
replaced by a different one: one where no-one wants to spend money on things
that don't immediately show a profit. like security. but that would be a
different article...

~~~
micheljansen
Exactly. The article was quite interesting up until the introduction of the
trojan kitten that systems are only overly complex because the people who
build them need to justify spending 40 hours a week in a cubicle to build
them.

Systems are complex because the world is complex. If it could be done simpler,
faster and more secure, it would be done simpler, faster and more secure.

~~~
throwaway64
>If it could be done simpler, faster and more secure, it would be done
>simpler, faster and more secure.

With imperfect information, an optimal market cannot exist, security and
complexity is one of those things that is very hard to assess before, and even
after a purchase.

<https://en.wikipedia.org/wiki/Market_for_lemons>

I think purely from personal experience, what you are saying is absolutely
untrue.

~~~
micheljansen
Never attribute to malice that which is adequately explained by stupidity ;)

------
jjguy
No network of any reasonable size/complexity can keep out a focused attacker.
If you think yours can, you are wrong.

Today's threat models are dominated by the criminal, opportunistic attackers
looking for user information or computing power. Real discussion and
countermeasures for focused attacks are severely lacking.

Governments know this. CISOs know this. They speak of it privately to each
other, but rarely in public because the issues are so sensitive. Messaging
from industry is dominated by the vendors who both have significant equities
in the "we're secure!" message and speak very narrowly about the security of
their applications, but rarely/never about the collection of those
applications into these beasts we call networks.

Posts like this are becoming more commonplace, but neither industry nor
academia are making tangible strides to solutions. If you want a startup idea,
focus on security and go disrupt.

~~~
tptacek
Good luck with that. Security is lousy with product startups.

The opportunities for technical disruption are clearly there.

But no sector outside Business Process Software like SAS and Oracle has so
much built-up institutional knowledge of how to run direct sales and marketing
to enterprise customers as security. The crappiest me-too products are
weaponized for enterprise sales 6 months before they're launched.

It's hard to break through the noise.

~~~
jjguy
The noise is incredibly annoying. There's no industry-accepted way to
distinguish between a security expert and the guy with the A+ cert. We really
need to raise the bar and institutionalize better standards.

Your points re: difficulty of enterprise sales are hard-learned, I assume. My
intuition says there's an opportunity to exploit there, given the disconnect
between users and industry. Of course, the same is true of cell providers, but
no one has managed that one yet either.

~~~
tptacek
The one disruptive approach I've seen work over the last 10 years is open
source.

There are early adopters and there are influencers. But in enterprise sales,
they're rarely the same people.

Among 2000 billion-dollar enterprises, there are perhaps 20-30 with strong
security teams with the bandwidth to truly engage with new technology (as
opposed to simply running a bakeoff and deploying a product in a category that
a trade press magazine says is important). Those are influencer early
adopters.

Open source allows you to release something early and maybe catch the
attention of those influencer early adopters. A scrappy sales team that can
take a meeting with a new customer and put a couple F-500 deployments on the
logo slide because they've got Github followers has a shot at getting pilot
deployments.

Open source is also "free", in the sense that enterprises can't not spend
money on software; deployment decisions follow purchasing decisions, not the
other way around, so the drumbeat of technology at an enterprise is purchase
orders. Try hard to give your software away at an enterprise; nothing will
happen until you give them a way to pay you money.

------
JoachimSchipper
That's an unrealistically elaborate hack. Try "someone showed up in an orange
overall and carted it off".

(Also, people trying to pad their work exist, but are not the chief cause of
software complexity.)

~~~
pavel_lishin
We don't need to pad our work. Two e-mails a day, updating the requirements
document (sometimes in contradictory ways, sometimes in self-contradictory
ways) is enough to turn a two-week CRUD app into a six-month application.

------
dredmorbius
It's not an honor system.

It's a system in which most participants have a vested interest in the system
itself working with integrity as a whole, and a substantial downside cost of
being caught.

While single-round shorting of a system is highly feasible in many systems, an
iterative game (there is more than one round being played) means that cheaters
have to contend with the possibility of detection and retaliation. This is
what keeps many meatspace systems largely honest: it's a restricted domain,
biological socialization tendencies work fairly effectively (even a large city
can have a "small town" feel), and reputations matter.

In the online/digital space, complexity throws most of this to whack. Any
public IP is exposed, largely equivalently, to any other public IP. Attacks
are generally launched through compromised systems, and those systems
themselves have little reputation risk (Joe/Jane Sixpack's WinXP box doesn't
particularly care if it's considered "untrusted" by small segments of the
Internet).

The complexity of systems being defended makes detection of attacks in
realtime (and distinguishing these from self-inflicted damage) difficult. Most
attacks, if detected at all, are detected well after the fact. The noise level
of constant low-grade attacks has to be factored in (or more likely: ignored).
And it may be a slight escalation of an otherwise largely benign attack that
takes down a system -- too high a hit rate on an expensive query, resource
exhaustion, cascade effects.

Complex attacks (like complex systems) are prone to failure. Your attacker is
also most likely going to KISS -- unless she has a very specific and high-
payoff interest in your systems (say, Stuxnet / Duqu).

The main difference between online and physical security systems is that honor
and socialization systems _don't_ work nearly as effectively. There are
measures which can help resolve this: while the Internet is vast, its
infrastructure is highly concentrated among a small number of firms and
entities: major routing centers, backbone links, registrars, hosting centers,
and payment processors. Countering attackers at any of these points can be
effective, though this usually comes with significant friendly casualties.

I'd call the premise of the article flawed, and I don't watch TV.

------
jgeralnik
I would watch his TV show.

~~~
Folcon
Maybe we should have TV shows like this, I can't help but feel anything that
gets the general public a bit more aware about how this stuff really works and
makes them more suspicious about "bad" practices is a net win. Not to mention
that if it had some pretty good writers it would make for quite compelling TV.
I'm thinking something in the Crime genre, maybe like CSI?

Heck, I'd watch it! I might learn something =D...

~~~
jjguy
It wouldn't be very interesting. Here's what real hacking looks like:
<http://imgur.com/YAnUh>

(sorry for the reddit-esque share, originally there. But it's relevant and
accurate)

~~~
Folcon
It doesn't have to be like that though, you're focusing on the parts that just
wouldn't be interesting enough to get air time.

I was thinking about it more in terms of a show where a fake independent group
get called in to deal with security situations. A corp getting hacked
repeatedly and they have to deal with it. Being called in to audit security
and finding illegal activities, etc.

If you sit and analyse real processes like the judicial system, or actual
crime scene investigation or corporate law, or hospital systems. You rarely
find things that make for immediately interesting and compelling television.
However that hasn't stopped very successful tv shows being produced that are
about these areas. Mostly because these shows focus on the people and issues
than the system.

I'm only saying that it should be possible to create an entertaining tv program
that does highlight the issues in this area. Greater public awareness here
can't be a bad thing. :)

~~~
pantaloons
People find culture fascinating and any show which can present new cultures
and institutions in an easily digestible fashion will be popular.

With the "easily digestible" part in mind I would have to disagree that
there is room for a show about software security, The IT Crowd is about as
close as you are going to get. Obviously I would love for a West Wing or The
Wire-esque show in this area but we know how popular they turned out to be.

