
The Internet Is Burning - Libertatea
http://techcrunch.com/2014/05/24/the-internet-is-burning/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
======
cheald
It all sounds very nice and grand, but the author had this epiphany _during
the presentation of a security vulnerability in Cisco's products_. Cisco's
superior software engineering practices may in fact make their products more
secure than the majority of software, but it _didn't keep them from being
broken_.

The fact of the matter is that security is hard. Balancing security with
usability with speed of development with ROI is a tricky proposition. Cisco
has a fundamental need to write high-security code because what they are
selling is highly-secure infrastructure. That same need doesn't exist for
other entities, and it _shouldn't_ exist, because that security comes at
financial and usability costs, at the least. That isn't to say that software
developers shouldn't employ best practices and strive for secure code, but
security is not a boolean, and it seems somewhat naive to equate "many people
write imperfectly secure code" with "nobody cares about security".

There's a middle ground between security being a "debacle" and it always being
a persistent threat. Bugs exist - and will always exist. You can spend lots
and lots of money making sure that fewer bugs exist in your code, and you can
spend lots and lots of money writing in-house code or auditing external code,
but unless there is economic incentive to do so ("a security breach in our
difficult-to-update firmware will leave our company devastated"), spending
those resources makes very little sense. Additionally, all it takes is _one_
bug to bring your massively expensive hyper-engineered software to its knees,
as we saw in the Cisco case.

Security is always not about writing perfectly-engineered, hyper-secure code.
It's about tradeoffs between financial resources and usability, and it's about
mitigation of potential damage. If you write code predicated on "this is so
well written that it can never be broken", you're in for a bad time.

~~~
crest
Just watch this before using Cisco crap:
[https://media.ccc.de/browse/conferences/sigint13/vortrag_mp6...](https://media.ccc.de/browse/conferences/sigint13/vortrag_mp6_og_-_2013-07-05_12:00_-_cisco_in_the_sky_with_diamonds_-_fx_-_greg_-_5115.html)

------
adventured
The security lapses and mistakes are, unto themselves, not getting worse.
They're exposing a dramatically greater number of people and a lot more data
accordingly. That is all that has fundamentally changed, and that tells you
the problem.

~~~
georgemcbay
This is an important point. When I first started using the internet in the
late 80s there was nary a non-mil site (and even those were iffy) that I
couldn't get into almost instantaneously using remote exploits in widely used
software like sendmail; and once in it was almost trivial to get root
escalation, often through fairly well known (by the standards of the time)
issues with the way suid root programs would badly parse environmental
variables that you could maliciously malform to get the suid program to
execute other arbitrary programs.

Things were much less complex back then but the security was far worse on the
whole than it is today. People would just telnet around! In plaintext! On
local networks that were largely switch-free with ethernet adapters that would
gladly go into promiscuous listening mode. Not to mention things like
full-blown IP spoofing before ingress/egress filtering was common and all the
TCP stacks had terribly predictable sequencing.

The important things that changed are as you said that dramatically greater
number of people are impacted by these issues, and to a lesser degree the
people hacking into systems back then on average were less likely to have any
malicious intent or financial motives (the change with this is somewhat
directly related to the first point).

------
Zigurd
That's a very good article. Highly secure practices need to become pervasive,
or surveillance will forever remain pervasive.

One big problem, though, is that governments are buying zero-days. Why
tolerate that, and the people making zero-days? They should be treated like
bioterrorists making enhanced ebola virus.

~~~
coderzach
> Why tolerate that, and the people making zero-days? They should be treated
> like bioterrorists making enhanced ebola virus.

That is the silliest thing I've heard on hackernews in a while. Criminalizing
disclosure of security flaws would make everything MUCH less secure. Security
flaws would still be found by unscrupulous individuals, it's just that the
users and creators of the flawed software wouldn't know about them.

~~~
Zigurd
> _Criminalizing disclosure of security flaws_

I made no such suggestion, much less proposal. The problem is commercial,
militarized development of zero-day exploits and selling to the highest
bidder.

UNLIKE responsible disclosure by legitimate security researchers, weaponized
exploits are very analogous to the freelance development of bioweapons and
then auctioning them off to the highest bidder. It is a cancer on computing,
and deserves to be stamped out, as such a bioweapons development would get
wiped out quickly and conclusively.

------
ChuckMcM
This quote leaps out: _"Oh, it’s been awful if you’re an activist, a
dissident, a journalist, a victim of identity theft, a specific target of the
NSA, etc; but most people aren’t."_

It isn't all that different than the 'real world' where if someone decides to
target you in meatspace there isn't a lot you can do (except perhaps arm
yourself and the outcome of that is dubious at best). I'm all in favor of
building a more secure network though. We could even use the pipes that are
there, definitely going to start small though.

------
skue
> _I’m pleased that I was a Heartbleed hipster, dissing OpenSSL before it was
> cool (i.e. ten days before Heartbleed emerged into the light) but I don’t
> pretend to be a security expert._

When did it become appropriate to diss open source software without the
expertise to create something better, and why does he think this is
brag-worthy?

~~~
adventured
Open source is now the majority concept, if not in distribution then certainly
in ideology. It won. It's to be expected that technology hipsters would turn
against it. We'll probably see a new wave of people arguing in favor of
proprietary software instead (using whatever bs reasoning is necessary,
including "it's safer!").

~~~
hkmurakami
And round we go again...

It's almost like fashion.