
The Insecurity of Secret IT Systems - listronica
https://www.schneier.com/blog/archives/2014/02/the_insecurity_2.html
======
danso
I know that NSA/Snowden continues to be at the top of the news, but it's still
worth pointing out again that NSA's internal system is probably one of the
most secret of internal IT systems and through Snowden's work, we've found
out: 1) NSA employees are easily phished and 2) They probably don't have the
same level of deterministic dev ops deployments that modern tech companies
depend on, given that it was Snowden's job to install an "anti-leak" system
and apparently no one double-checked to make sure he had installed it. Hell,
who knows if even that secret anti-leak system would actually do anything
besides add more cruft to their internal operations?
[http://arstechnica.com/tech-policy/2013/10/snowdens-nsa-post...](http://arstechnica.com/tech-policy/2013/10/snowdens-nsa-post-in-hawaii-failed-to-install-anti-leak-software/)

~~~
pjc50
I'd not realised that it was the person whose job it was to install the anti-
leak system who leaked everything. I guess that's an obvious outcome.

~~~
TeMPOraL
This gives new meaning to "copying production database to test
environment"... ;).

------
stretchwithme
Regarding voting systems, all we ever needed was open source software.

Voters were incorrectly recording their paper ballots. A PC with a punch card
machine attached and running open source software could have correctly punched
these cards.

And we also could have had another system that read the cards right there in
the polling place that the voter could use to confirm their ballot was
correctly encoded. Or a phone app that could read a photo of it.

We could have gotten that software for free. It could have run on ancient PCs.
It could have solved the actual problem that we had.

But the lobbyists got there first, influencing politicians into buying
unneeded and overpriced solutions, just like they do in every other area of
government.

~~~
smw
As much as I agree that the software should be open source, that's not nearly
enough. There are large numbers of rootkits and vulnerabilities for Linux, for
instance. There would be a huge incentive to modify the software of these
machines in some undetectable way in order to influence elections.

There's been a lot of scholarly literature written on how to do secure
electronic voting, and I understand the consensus is that some sort of voter
verifiable paper audit trail is the only way to match or exceed the security
of the paper ballot system.

~~~
wiml
stretchwithme addresses that in the third (and subsequent) sentences of his
comment. I know that's a lot to read, but still. They were in fact describing
a voter-verified paper trail system.

~~~
acdha
He appeared to specifically exclude that possibility by requiring a machine to
read it.

This entire discussion is predicated on a mistaken assumption that we have
significant levels of fraud – often asserted but never convincingly supported
– or that electronic systems reduce those odds. We'd be much better off
sticking with a simple optical system which can be reviewed and scored by hand
and providing a computer-assisted system to help those who have difficulty
filling in that ballot. As a plus, this system is really cheap and easy to scale
rather than requiring a bunch of expensive computers and support staff for an
infrequent event.

------
kev009
His point applies equally to general software quality. Even in the workplace,
I always see the bad programmers try to sling shitty code with private repos
or direct pushes with no peer review. The good ones always operate in the open
and appreciate peer reviews.

------
0xdeadbeefbabe
How is an airport X-ray scanner maker supposed to participate in that
iterative process for improving security if they aren't in a mass market? No
security researchers took interest for a long time till Rios purchased a
scanner. "It runs an outdated Windows 98 operating system" just shows how
little anyone cares, even if Rios would like it to show how awesome he is as a
researcher or how awful Windows 98 is as an OS.

Also unrelated, how to factor a large prime to break RSA 1024 quickly is a
secret too.

~~~
TeMPOraL
> _How is an airport X-ray scanner maker supposed to participate in that
> iterative process for improving security if they aren't in a mass market?_

Invite pentesters. Hold competitions for people to try and break it in an
isolated part / mockup of an airport. Donate one to your local hackerspace and
ask them to have fun with it.

Possibilities are endless; the only things needed are an understanding of the
points in Schneier's essay and a little courage to do the right thing.

------
a_b__
The fact is that sometimes security through obscurity works. Take Skype, for
example: it was well known that the US government had for a long time wanted
access and, depending on who you ask, failed. After being bought by MS and
reconfigured, it could be argued that there are now fewer access problems.

Where obscurity fails is where the product has been poorly designed in the
first place - perhaps due to lack of time or manufacture costs - or there is a
failure to update when the scenario or environment for which it was built
changes.

Obscurity is really a term about confidence and PR of a system (e.g. ISO
standards compliant?) or company (RSA anyone?). How does the company convince
you that it is using best practices without compromising its competitive
advantage?

The grumbles about running Windows 98 are pointless if the system meets the
requirements.

~~~
betterunix
"Take Skype, for example: it was well known that the US government had for a
long time wanted access and, depending on who you ask, failed. After being
bought by MS and reconfigured, it could be argued that there are now fewer
access problems."

That is not a security through obscurity success story. The Skype design was
changed by Microsoft in a way that made government access easier.

"How does the company convince you that it is using best practices without
compromising its competitive advantage?"

Your competitive advantage is not my problem. I need a secure voting machine,
a secure ATM, a secure medical database, etc. If you cannot deliver a secure
system to me in a way that allows me to verify its security, then you never
had a competitive advantage in the first place.

------
yaur
"Smart security engineers open their systems to public scrutiny, because
that’s how they improve. The truly awful engineers will not only hide their
bad designs behind secrecy, but try to belittle any negative security
results."

Or restated:

All bad engineers try to hide their work from the public, therefore all good
engineers try to show their work to the public. I'm sure there is a logical
fallacy in there somewhere.

------
Aloha
Windows 98, Really?

wow. I'm just, wow.

Like I can understand an ancient version of Solaris, or Windows NT4 - but
Windows 98?

just wow.

------
peterbotond
Security in any application has to start from the beginning and be nurtured by
everyone developing the application. Security cannot be a bolt-on, after-the-fact
patchwork. When at least these two are not applied, all applications will
fail miserably. Security by obscurity is only make-believe.

------
ehPReth
Is there a video of this talk anywhere?

