Hacker News new | past | comments | ask | show | jobs | submit login
Cybersecurity is not very important [pdf] (umn.edu)
55 points by headalgorithm on Mar 20, 2019 | hide | past | favorite | 48 comments



>> Paper: "Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes."

> HN: This paper is the antivax argument, but for tech. If there was no major digital disaster that does not means that it cannot happen.

No, it's not what the author was saying. I found the paper is advocating a different position.

> Paper: This essay does not claim that a “digital Pearl Harbor” will not take place. One, or more, almost surely will. But that has to be viewed in perspective. Given our inability to build secure system, such events are bound happen in any case. So all we can affect is their frequency and severity, just as with large physical dangers. Further, the likelihood of a“digital Pearl Harbor” has to be considered in comparison to all the other threats we face. The issue is risk management, deciding how much resources to devote to various areas.

I completely disagree with the main thesis of the paper, but I think this perspective is interesting.

It seems the author is using an approach towards network security similar to, say, industrial safety or terrorist attacks: I think everyone at here is familiar with the criticism from cryptographers like Bruce Schneier on terrorist attacks: locking down the streets or putting armed forces and increasingly ridiculous lists of banned goods at airports is mainly a security theater. If a terrorist decided to destroy something, literally everything, from a bus, a market, a train station, an airplane or a park, etc, can be a target. Imagining a movie plot of terrorists attacking a particular target, and putting that target under a ton of superficial security measures is not meaningful for security in the real world.

It seems the author thinks most online attacks work in a similar way.

I think it's an interesting, debatable perspective.

What do you think about it?


HN: This paper is the antivax argument

You should probably be replying to the one specific person in this thread who said that instead of arbitrarily attributing it to 'HN'.


I think this is already well trod ground, using an unmeasurable claim that doesn’t withstand scrutiny.

If security didn’t matter, we wouldn’t have consultants earning 500k+ per year doing glorified QA.

We wouldn’t have the fines associated with GDPR.

We wouldn’t have the public turmoil over the Clinton email scandal.

I don’t think anyone is smarter about solving security problems as a result of reading this paper.

I don’t think anyone’s smarter about shipping products without security as a result. This reads like an apology for the status quo. There are predictable and avoidable financial consequences for anyone who takes to heart the claim that “security is not very important.”


"If security didn't matter, we wouldn't have consultants earning 500k+ per year doing glorified QA."

That's like saying "If elevators didn't matter, we wouldn't have elevator operators." But oh wait, we solved that problem. Future generations will likely solve the problem for the need for security. But today's society is so ignorant of the attributes that lead to abhorrent behavior that they cannot even fathom that security will become a non-issue in the future.


This is kind of a fun read. You should know Odlyzko is an important cryptography researcher, and that he writes think-pieces like this on the regular. It's best read as devil's advocacy.


Its obviously not too important to the host, site is disabled by HTTPS Everywhere haha.


Yeah, I wonder what their reasoning is to disable HTTPS on those tilde directories? The main site ( https://www.dtc.umn.edu ) supports HTTPS just fine (though it doesn't force a redirect to HTTPS, which is also odd/troublesome)


A couple of guesses:

a. The web server hosting the tilde directories is very much likely older than the main site.

b. As any uni user can put any HTML on these directories Perhaps not supplying their certificate is an attempt to lower the success of phishing attempts for the main site logins.


"Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes."

Totalitarian states manipulating the political processes of democratic states for their own gain is a giant digital catastrophe.


If you are talking about the idea of Russia interfering in U.S. elections, this doesn't seem to have any thing to do with cybersecurity. The only at all credible allegations are that they used Facebook within the bounds of how Facebook is supposed to be used (when it comes to security).


The hacking of Podesta's emails were absolutely a cybersecurity issue. Spamming facebook and other social media sites with fake accounts is absolutely a cybersecurity issue - in the case of Facebook using a fake account is an unauthorized use of their platform.

There was a large social component to it, as is the case with most large cybersecurity breaches.


Podesta was phished, not hacked.

Big difference between phished and a 0day or an unpatched vulnerability. Can’t patch humans.


Google's delivery, authentication, compromise-detection, PEP management, and content encryption policies and capabilities directly contributed to the success of this attack.

https://en.wikipedia.org/wiki/Politically_exposed_person

https://old.reddit.com/r/dredmorbius/comments/7qya12/informa...



Which wouldn't have mattered with the other protections in place.


The stolen emails from the Clinton campaign, leaked piecmeal, and arguably part of foreign propaganda efforts had a hell of a lot do with cybersecurity.


Hacked emails is certainly a cybersec thing, but the fact that backstage politics secrets sometimes become public is nothing new, and not necessary bad for democracy.


When a totalitarian adversary does it to aid their preferred candidate it's absolutely terrible for democracy.


Sorry, I hear "when it's against my preferred candidate it's absolutely horrible". Transparency, and informed decisions are usually claimed to be good for democracy. Hacked emails may play for this, even if done for another reason. Democratic elections are always go with dirt-digging, and spills, and it is essential part of the process even if someone doesn't like it.


In most cases dirt digging isn't usually a serious problem.

When a totalitarian adversary does it to aid their preferred candidate it is.


It's not considerable higher that in the decades before without much digitization.


But that's not an issue of cybersecurity, which is something like "Alice does not want Bob to access system X she owns, Alice follows standard procedure to secure it, Bob accesses X anyway."

In the threat model you've described, advertising and social media services were explicitly granting the agents access; they didn't circumvent the cybersecurity layer.

Edit: Maybe you can count it as social engineering, but that would only apply if e.g. Facebook is trying to enforce a policy of "No Russian election/political ad buys", but they don't seem to have a problem doing that once they decide to.


Facebook's official policy is to only allow one authentic account per person.


Still seems a stretch to lump that under cybersecurity.


Unauthorized use of any digital platform is explicitly within the realm of cybersecurity.

That fact notwithstanding, the hacking of Podesta's emails is absolutely a cybersecurity issue.


>Unauthorized use of any digital platform is explicitly within the realm of cybersecurity

Then mugging me of my smartphone is cybersecurity, and the boundary ceases to exclude anything, and we might as well just drop the "cyber" prefix.


Mugging you of your smartphone alone wouldn’t be a cybersecurity issue. Using it without your permission would be.


External influences is nothing new, and is part of politics for as long as masses opinion matters. If democracy would not able to work with it, it wouldn't exist.


In my opinion, this paper is advocating for a risk-management approach to cybersecurity, just like businesses address every other issue. Evaluate the risks, including cybersecurity, do what you can to reduce the probability or impact of any occurrence, and develop actionable plans to maintain business resiliency during and after any such event. This is what successful businesses do all the time.

This is not revolutionary, it's just not an idea that's been applied on a widespread basis in the cybersecurity realm until fairly recently.


When we have no disasters and no NAT / everything is muched more networked and addressable in particular, I'll believe it.


"Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes."

Equifax?


But it supports the notion. Even in the States lots if people don't exactly know what happened, outside of US it is virtually unknown.


Is this a tongue-in-cheek paper?


At least devil's advocate. And it serves as a decent counterpoint for flat-out hysteria.


It seems to me that the author is arguing: 1) it is important to maintain perspective vs other types of security and to remember that security is never the end goal, 2) security is a wholistic thing that is reinforced in a variety of ways and even the very complexity that makes security bugs happen can have positive implications for overall security, and 3) "The main conclusion is that, contrary to the public perception and many calls from prominent business and government leaders, we are not facing a crisis.".

"All along, the constant refrain has been that we need to take security seriously, and engineer our systems from the ground up to be truly secure." The author argues that attention to network security will be and has been growing as proportionally needed. The author compares to cars killing large numbers of people and Hurricane Maria. These are the types of tradeoffs that society has made in the past and continues to make in other areas as well, and if you rank them in terms of the negative aspects it is easy to argue that network security issues are well down the list. The paper does not directly discuss the issue of targeted harassement on the internet and how the various online and offline systems have not really adjusted to this yet (some people saying "crisis" are arguing for such changes, although they might not be the particular people saying "crisis" discussed here). I would argue that a major and general failing of capitialism is that many value jugements end up being made by economically self interested parties rather than society as a whole and that pushing against this tendency wherever it appears is not a bad thing.

"The critics of the standard “business as usual” approach have been presenting to the public both a promise and a threat. The promise was that with enough resources and control over system development, truly secure information technologies systems would be built. The threat was that a gigantic disaster, a “digital Pearl Harbor,” would occur otherwise." I don't see this argument much so maybe I am missing the context of the paper. I do see things like "connecting power plant control systems to the internet could cause big problems", however my sense is that the author would also argue against doing that. The main arguments I see are around individually smaller scale issues (and sometimes the possibility that they will happen many times).

The author doesn't really cover the issue of needed physical proximity, which is much lower on the internet and can make it easy to cross legal boundries and avoid many potential physical consequences. It isn't a pure difference since people can and do pay people in other parts of the world to conduct physical attacks, however it is still a difference and I think it somewhat undermines the argument that "through incremental steps, we have in effect learned to adopt techniques from the physical world to compensate for the deficiencies of cyberspace". Relatedly, falures of different systems can cascade more easily on the internet, although this can certainly also happen in other types of security (e.g. Kevin Mitnick style attacks seem communication system related rather than information network security). The author does touch this issue when discussing how slowing things down can be important for security but doesn't discuss how that is supposed to be implemented in a complex but not that secure world. It seems like there are some potential issues mostly due to wider communication networks and some due to networked information systems, but this isn't discussed. There is currently a lot of pressure for things done on the internet to happen quickly and awareness of the risks might help change that.

Setting priorities can involve both analysis of the tradeoffs and value judgements of what positive and negative options are preferrable. It is the value judgement aspect where I particularly disagree with the paper. While network security isn't a particularly large aspect of my overall value disagreement, I think attitudes toward network security can entrench particular tradeoffs even when those making the value judgements have interests at odd with society in general. Additionally, to the extent that exposure to the internet is becoming required in many contexts (in the US at least) and IoT exposes more of physical reality to internet control, information security issues can make it impossible to make good choices even if well informed and increase the number of uninformed people subject to direct attack from almost anywhere in the world (again, this is not only an issue with information security). Similarly, to the extent that lack of privacy can improve security in some ways, those who are interested in privacy should and do argue for stronger information security in other ways.

The costs and benefits of current global systems (in general, not just information systems) are unevenly distributed and the overall arguement seems made to appeal to those who get more of the benefits and fewer of the costs. One good short argument (not information security related) about this general situation is:

https://www.theguardian.com/global-development-professionals...

So I agree that information security is in many ways in better shape than other types of security and basic social tradeoffs, but I don't think this means it is in good shape on an absolute scale or that society as a whole, particularly on a global scale, has actually agreed to those changes. I think most people saying "crisis" are arguing for different value judgements and often do so in other areas as well as network security. The internet is a more recent development than many other issues and hasn't been as strongly integrated into society yet, another reason for greater attention.

I'll end with my favorite quote from the paper:

"We do not know how to build secure systems of substantial complexity. But we can build very secure systems of limited functionality. Those can be deployed for specialized purposes, such as monitoring large systems for signs of penetrations or corruptions, or ensuring integrity of backups."


This paper is the antivax argument, but for tech.


What's the medical science equivalent to co-inventing the index calculus algorithm? Because from what I understand, the "medical scientists" behind the antivax movement were disgraced later as charlatans, and the index calculus algorithm is one of the more important discoveries in the underlying science of computer security.


A better (but less emotionally evocative) example might be Linux Pauling, who made large contributions to chemistry (eventually winning the nobel prize), but who in later life became a proponent of pseudoscience (megavitamin therapy).

I can't say whether this paper is nonsense or legitimate, but people making major contributions to their field and then going off in interesting directions isn't unprecedented.


I'm just saying that antivax conspiracies appear to be exclusively the province of crackpots, and Odlyzko is not that.


I think you mean GNU-Linux Pauling


Odlyzko, despite having some notable contributions to index calculus algorithms, was not among the first to invent or suggest its use.


A person who makes an important contribution to science can still say stupid and dangerous things.

I appreciate Andrew Odlyzko’s contributions to cs, but this paper is not one of them. It is a fine example of the evolution security nihilism in its final, tenured form.


Sound more like anti-killer-AI-robots argument, really. The essay argues that digital disasters are unlikely to happen, and when they do, they're unlikely to be important, compared to other global problems we currently face.


Agree. If there was no major digital disaster that does not means that it cannot happen.


And I think it's very arguable that there have been. There have been provable infiltrations of infrastructure, undermining of democratic processes, and that's not counting the more 'mundane' cyberattacks. STUXNET was an attack on a nuclear facility that had real-world, hardware effects; that's a digital disaster, just one in which the outcome isn't objectionable to a good chunk of western observers.


The border between disaster and just a little/medium accident is vague and mostly based on personal criterias. I personally not considering those that you mention as a disaster.


Fuck this person in particular.


You've been breaking the guidelines a lot and we've already asked you to stop, so we've banned the account. We're happy to unban accounts if you email hn@ycombinator.com and we believe you'll start posting civilly and substantively.

https://news.ycombinator.com/newsguidelines.html




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: