Sunday, September 7, 2008

We're not as smart as we think we are

Ever wonder why bridges almost never fall down? They almost never do, and when it happens, it's big news.

Ever wonder why you have to update your computer every month because of security bugs? (While Microsoft's monthly patches are the example here, this applies to every computer, every operating system, and every application.)

The biggest problem is that software technology changes so quickly. If your code is still being used ten years later, that's a big win. If it's being used twenty years later, it's headlines. Yet there are modern-design bridges that are older than the United States.

Take the Iron Bridge, the world's first bridge made entirely from iron. When it was completed in 1781 it was one of the wonders of the world, and a triumph of the Industrial Revolution. Other than being made of iron, it is entirely unremarkable to people today. The basics are simple, even after a couple of centuries:
  • Bolt the girders together.
  • Paint the iron so it doesn't rust.
  • Inspect the bridge regularly, especially for rust.
Software isn't like that. You can change software so that it does other things, sometimes radically different things. It may start out as, say, a simple text editor, but by the time you're done adding features it's Disco-Roller-Fishing.

Back to bridges. You never hear the following said in discussions about bridges:
We'd like you to change your girder_connector_bolt() function to also spread Nutella on toast.
This is not only possible with software, but it happens all the time:
We'd like you to add IP network capability so that people can remotely manage the factory control system.
The problem is that we're not as smart as we think we are. Adding IP networking adds security risk, but nobody stops to think about the new risks it brings. And then someone finds out that a single IP packet can crash the process-control computer that runs your industrial ovens, and all your cookies burn up.

Oops.

This happens all the time, because we like to turn our pretty solid factory process control system into a Web 2.0 Disco-Roller-Fishing portal. Think about this before you get all excited about online banking.

Any change you make to software may add a security bug. Even fixing a security bug can introduce another security bug.

Moving code from a 32-bit CPU to a 64-bit CPU is, shall we say, a "target rich environment". Dave LeBlanc (one of the smartest coders I know) shows how. This one is pretty funny (in a really security geeky way) because you can introduce a security bug without changing a line of code: just recompiling it for 64-bit is enough to do the damage. One of your key security assumptions, typically one about the width of integers, sizes and pointers, was perfectly valid on 32-bit and is no longer valid on 64-bit.
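The shape of that bug, as an added example that is not code from this post or from LeBlanc's article: a bounds check written for a 32-bit build, where `size_t` and `unsigned int` are the same width, recompiled unchanged for 64-bit. The record format, the 64-byte buffer and the oversized length below are constructed for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not from the original post, and not LeBlanc's own
 * code). A record format carries its payload length as a 64-bit field; the
 * reader parses that into a size_t and hands it to a copy routine. The
 * routine was written for a 32-bit build, where size_t and unsigned int are
 * the same width, so holding the length in an unsigned int lost nothing.
 */

/*
 * The bounds check as written for 32-bit. Storing the size_t in an unsigned
 * int is exact when sizeof(size_t) == 4. Recompiled for 64-bit, the same
 * assignment discards the high 32 bits, so a length of 4 GiB + 16 bytes
 * compares as 16 and passes. The check sees the truncated value; the memcpy
 * that follows it in real code gets the full size_t. That gap is the overflow.
 */
int fits_narrowed(size_t payload_len, size_t buf_size)
{
    unsigned int len = (unsigned int)payload_len; /* implicit in the original, explicit here */
    return len <= buf_size;
}

/* The same check carried out at the width of size_t on whatever build this is. */
int fits(size_t payload_len, size_t buf_size)
{
    return payload_len <= buf_size;
}

/*
 * Constructed oversized length: UINT_MAX + 17 truncates to 16 in an unsigned
 * int. Such a value only exists where size_t is wider than unsigned int, so
 * these probes return -1 on a 32-bit build instead of a verdict.
 */
int oversized_passes_narrowed_check(void)
{
#if SIZE_MAX > UINT_MAX
    return fits_narrowed((size_t)UINT_MAX + 17, 64); /* 1: the bug */
#else
    return -1;
#endif
}

int oversized_passes_wide_check(void)
{
#if SIZE_MAX > UINT_MAX
    return fits((size_t)UINT_MAX + 17, 64); /* 0: correctly rejected */
#else
    return -1;
#endif
}

int main(void)
{
    printf("sizeof(unsigned int)=%zu sizeof(size_t)=%zu sizeof(void*)=%zu\n",
           sizeof(unsigned int), sizeof(size_t), sizeof(void *));
    printf("narrowed check lets 4 GiB + 16 bytes into a 64-byte buffer: %d\n",
           oversized_passes_narrowed_check());
    printf("size_t-width check lets it in: %d\n",
           oversized_passes_wide_check());
    return 0;
}
```

Build it twice, once with `-m32` and once without, and the first probe flips from "not representable" to "passes" with no source change. Written the way the original would have been, as a plain assignment without the cast, gcc's `-Wconversion` flags the narrowing; that warning is the cheapest 64-bit audit there is.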

Now let's run it in a virtualized environment. How's your security? (CliffsNotes answer: you don't know, and nobody else does, either.)

Computer security is a really interesting field. Because of the rate of change in computer technology, it never lacks for something new. But I think that maybe we've lost, and that it's Game Over.

Iron Bridge? #2 son understands it; #1 son might be able to design it. And it wouldn't fall down, either.

Software? We can make everything safe except for Disco-Roller-Fishing.

1 comment:

  1. Among other wonders of the world: Roman aqueducts. Those arches predate the voltage adders and likings found in fancy graphing calculators. Shit, they predate calculus, and yet they are still standing. You know what scares me the most? People who think that high technology makes us smarter, and that new technologies should be designed with the sole purpose of making our lives easier. That's how huge tech disasters happen, foo'! People want miracle machines and systems that will allow them to push a few buttons and never have to pay it any more attention.

    sorry, I had to rant. Ignorance of the second law of thermodynamics really ticks me off! Entropy, dudes! Learn. It.

