
Cybersecurity is not very important [pdf] - headalgorithm
http://www.dtc.umn.edu/~odlyzko/doc/cyberinsecurity.pdf
======
segfaultbuserr
>> Paper: _" Yet the world is doing remarkably well overall, and has not
suffered any of the oft-threatened giant digital catastrophes."_

> HN: This paper is the antivax argument, but for tech. If there was no major
> digital disaster that does not means that it cannot happen.

No, it's not what the author was saying. I found the paper is advocating a
different position.

> Paper: _This essay does not claim that a “digital Pearl Harbor” will not
> take place. One, or more, almost surely will. But that has to be viewed in
> perspective. Given our inability to build secure system, such events are
> bound happen in any case. So all we can affect is their frequency and
> severity, just as with large physical dangers. Further, the likelihood of
> a“digital Pearl Harbor” has to be considered in comparison to all the other
> threats we face. The issue is risk management, deciding how much resources
> to devote to various areas._

I completely disagree with the main thesis of the paper, but I think this
perspective is interesting.

It seems the author is using an approach towards network security similar to,
say, industrial safety or terrorist attacks: I think everyone at here is
familiar with the criticism from cryptographers like Bruce Schneier on
terrorist attacks: locking down the streets or putting armed forces and
increasingly ridiculous lists of banned goods at airports is mainly a security
theater. If a terrorist decided to destroy something, literally everything,
from a bus, a market, a train station, an airplane or a park, etc, can be a
target. Imagining a movie plot of terrorists attacking a particular target,
and putting that target under a ton of superficial security measures is not
meaningful for security in the real world.

It seems the author thinks most online attacks work in a similar way.

I think it's an interesting, debatable perspective.

What do you think about it?

~~~
DaniloDias
I think this is already well trod ground, using an unmeasurable claim that
doesn’t withstand scrutiny.

If security didn’t matter, we wouldn’t have consultants earning 500k+ per year
doing glorified QA.

We wouldn’t have the fines associated with GDPR.

We wouldn’t have the public turmoil over the Clinton email scandal.

I don’t think anyone is smarter about solving security problems as a result of
reading this paper.

I don’t think anyone’s smarter about shipping products without security as a
result. This reads like an apology for the status quo. There are predictable
and avoidable financial consequences for anyone who takes to heart the claim
that “security is not very important.”

~~~
leroy_2000
"If security didn't matter, we wouldn't have consultants earning 500k+ per
year doing glorified QA."

That's like saying "If elevators didn't matter, we wouldn't have elevator
operators." But oh wait, we solved that problem. Future generations will
likely solve the problem for the need for security. But today's society is so
ignorant of the attributes that lead to abhorrent behavior that they cannot
even fathom that security will become a non-issue in the future.

------
tptacek
This is kind of a fun read. You should know Odlyzko is an important
cryptography researcher, and that he writes think-pieces like this on the
regular. It's best read as devil's advocacy.

------
ziddoap
Its obviously not too important to the host, site is disabled by HTTPS
Everywhere haha.

~~~
prophesi
Yeah, I wonder what their reasoning is to disable HTTPS on those tilde
directories? The main site (
[https://www.dtc.umn.edu](https://www.dtc.umn.edu) ) supports HTTPS just fine
(though it doesn't force a redirect to HTTPS, which is also odd/troublesome)

~~~
circular_logic
A couple of guesses:

a. The web server hosting the tilde directories is very much likely older than
the main site.

b. As any uni user can put any HTML on these directories Perhaps not supplying
their certificate is an attempt to lower the success of phishing attempts for
the main site logins.

------
wefarrell
"Yet the world is doing remarkably well overall, and has not suffered any of
the oft-threatened giant digital catastrophes."

Totalitarian states manipulating the political processes of democratic states
for their own gain is a giant digital catastrophe.

~~~
markkanof
If you are talking about the idea of Russia interfering in U.S. elections,
this doesn't seem to have any thing to do with cybersecurity. The only at all
credible allegations are that they used Facebook within the bounds of how
Facebook is supposed to be used (when it comes to security).

~~~
wefarrell
The hacking of Podesta's emails were absolutely a cybersecurity issue.
Spamming facebook and other social media sites with fake accounts is
absolutely a cybersecurity issue - in the case of Facebook using a fake
account is an unauthorized use of their platform.

There was a large social component to it, as is the case with most large
cybersecurity breaches.

~~~
vuln
Podesta was phished, not hacked.

Big difference between phished and a 0day or an unpatched vulnerability. Can’t
patch humans.

~~~
dredmorbius
Google's delivery, authentication, compromise-detection, PEP management, and
content encryption policies and capabilities directly contributed to the
success of this attack.

[https://en.wikipedia.org/wiki/Politically_exposed_person](https://en.wikipedia.org/wiki/Politically_exposed_person)

[https://old.reddit.com/r/dredmorbius/comments/7qya12/informa...](https://old.reddit.com/r/dredmorbius/comments/7qya12/information_security_peps_podesta_who_are_you/)

~~~
vuln
Or just a "typo"

[https://www.cnn.com/2017/06/27/politics/russia-dnc-
hacking-c...](https://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-
csr/index.html)

[https://www.theverge.com/2016/12/13/13940514/dnc-email-
hack-...](https://www.theverge.com/2016/12/13/13940514/dnc-email-hack-typo-
john-podesta-clinton-russia)

[https://thehill.com/policy/cybersecurity/310234-typo-may-
hav...](https://thehill.com/policy/cybersecurity/310234-typo-may-have-caused-
podesta-email-hack)

~~~
dredmorbius
Which wouldn't have mattered with the other protections in place.

------
stitzman
In my opinion, this paper is advocating for a risk-management approach to
cybersecurity, just like businesses address every other issue. Evaluate the
risks, including cybersecurity, do what you can to reduce the probability or
impact of any occurrence, and develop actionable plans to maintain business
resiliency during and after any such event. This is what successful businesses
do all the time.

This is not revolutionary, it's just not an idea that's been applied on a
widespread basis in the cybersecurity realm until fairly recently.

------
Ericson2314
When we have no disasters _and_ no NAT / everything is muched more networked
and addressable in particular, I'll believe it.

------
MikeBVaughn
"Yet the world is doing remarkably well overall, and has not suffered any of
the oft-threatened giant digital catastrophes."

Equifax?

~~~
freshm087
But it supports the notion. Even in the States lots if people don't exactly
know what happened, outside of US it is virtually unknown.

------
willsalz
Is this a tongue-in-cheek paper?

~~~
lallysingh
At least devil's advocate. And it serves as a decent counterpoint for flat-out
hysteria.

------
joveian
It seems to me that the author is arguing: 1) it is important to maintain
perspective vs other types of security and to remember that security is never
the end goal, 2) security is a wholistic thing that is reinforced in a variety
of ways and even the very complexity that makes security bugs happen can have
positive implications for overall security, and 3) _" The main conclusion is
that, contrary to the public perception and many calls from prominent business
and government leaders, we are not facing a crisis."_.

 _" All along, the constant refrain has been that we need to take security
seriously, and engineer our systems from the ground up to be truly secure."_
The author argues that attention to network security will be and has been
growing as proportionally needed. The author compares to cars killing large
numbers of people and Hurricane Maria. These are the types of tradeoffs that
society has made in the past and continues to make in other areas as well, and
if you rank them in terms of the negative aspects it is easy to argue that
network security issues are well down the list. The paper does not directly
discuss the issue of targeted harassement on the internet and how the various
online and offline systems have not really adjusted to this yet (some people
saying "crisis" are arguing for such changes, although they might not be the
particular people saying "crisis" discussed here). I would argue that a major
and general failing of capitialism is that many value jugements end up being
made by economically self interested parties rather than society as a whole
and that pushing against this tendency wherever it appears is not a bad thing.

 _" The critics of the standard “business as usual” approach have been
presenting to the public both a promise and a threat. The promise was that
with enough resources and control over system development, truly secure
information technologies systems would be built. The threat was that a
gigantic disaster, a “digital Pearl Harbor,” would occur otherwise."_ I don't
see this argument much so maybe I am missing the context of the paper. I do
see things like "connecting power plant control systems to the internet could
cause big problems", however my sense is that the author would also argue
against doing that. The main arguments I see are around individually smaller
scale issues (and sometimes the possibility that they will happen many times).

The author doesn't really cover the issue of needed physical proximity, which
is much lower on the internet and can make it easy to cross legal boundries
and avoid many potential physical consequences. It isn't a pure difference
since people can and do pay people in other parts of the world to conduct
physical attacks, however it is still a difference and I think it somewhat
undermines the argument that _" through incremental steps, we have in effect
learned to adopt techniques from the physical world to compensate for the
deficiencies of cyberspace"_. Relatedly, falures of different systems can
cascade more easily on the internet, although this can certainly also happen
in other types of security (e.g. Kevin Mitnick style attacks seem
communication system related rather than information network security). The
author does touch this issue when discussing how slowing things down can be
important for security but doesn't discuss how that is supposed to be
implemented in a complex but not that secure world. It seems like there are
some potential issues mostly due to wider communication networks and some due
to networked information systems, but this isn't discussed. There is currently
a lot of pressure for things done on the internet to happen quickly and
awareness of the risks might help change that.

Setting priorities can involve both analysis of the tradeoffs and value
judgements of what positive and negative options are preferrable. It is the
value judgement aspect where I particularly disagree with the paper. While
network security isn't a particularly large aspect of my overall value
disagreement, I think attitudes toward network security can entrench
particular tradeoffs even when those making the value judgements have
interests at odd with society in general. Additionally, to the extent that
exposure to the internet is becoming required in many contexts (in the US at
least) and IoT exposes more of physical reality to internet control,
information security issues can make it impossible to make good choices even
if well informed and increase the number of uninformed people subject to
direct attack from almost anywhere in the world (again, this is not only an
issue with information security). Similarly, to the extent that lack of
privacy can improve security in some ways, those who are interested in privacy
should and do argue for stronger information security in other ways.

The costs and benefits of current global systems (in general, not just
information systems) are unevenly distributed and the overall arguement seems
made to appeal to those who get more of the benefits and fewer of the costs.
One good short argument (not information security related) about this general
situation is:

[https://www.theguardian.com/global-development-
professionals...](https://www.theguardian.com/global-development-
professionals-network/2017/may/18/how-to-stop-the-global-inequality-machine)

So I agree that information security is in many ways in better shape than
other types of security and basic social tradeoffs, but I don't think this
means it is in good shape on an absolute scale or that society as a whole,
particularly on a global scale, has actually agreed to those changes. I think
most people saying "crisis" are arguing for different value judgements and
often do so in other areas as well as network security. The internet is a more
recent development than many other issues and hasn't been as strongly
integrated into society yet, another reason for greater attention.

I'll end with my favorite quote from the paper:

 _" We do not know how to build secure systems of substantial complexity. But
we can build very secure systems of limited functionality. Those can be
deployed for specialized purposes, such as monitoring large systems for signs
of penetrations or corruptions, or ensuring integrity of backups."_

------
DaniloDias
This paper is the antivax argument, but for tech.

~~~
tptacek
What's the medical science equivalent to co-inventing the index calculus
algorithm? Because from what I understand, the "medical scientists" behind the
antivax movement were disgraced later as charlatans, and the index calculus
algorithm is one of the more important discoveries in the underlying science
of computer security.

~~~
likpok
A better (but less emotionally evocative) example might be Linux Pauling, who
made large contributions to chemistry (eventually winning the nobel prize),
but who in later life became a proponent of pseudoscience (megavitamin
therapy).

I can't say whether this paper is nonsense or legitimate, but people making
major contributions to their field and then going off in interesting
directions isn't unprecedented.

~~~
tptacek
I'm just saying that antivax conspiracies appear to be exclusively the
province of crackpots, and Odlyzko is not that.

------
Zelmor
Fuck this person in particular.

~~~
sctb
You've been breaking the guidelines a lot and we've already asked you to stop,
so we've banned the account. We're happy to unban accounts if you email
hn@ycombinator.com and we believe you'll start posting civilly and
substantively.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

