Wednesday, June 4, 2014

If Architects designed buildings the way that programmers write software, the first woodpecker that came along would destroy civilization

Peter finds a real humdinger of a security post: why is software security so broken?
Libpurple was written by people who wanted their open source chat client to talk to every kind of instant messaging system in the world, and didn’t give a shit about security or encryption. Security people who have examined the code have said there are so many possible ways to exploit libpurple there is probably no point in patching it. It needs to be thrown out and rewritten from scratch. These aren’t bugs that let someone read your encrypted messages, they are bugs that let someone take over your whole computer, see everything you type or read and probably watch you pick your nose on your webcam.

This lovely tool, OTR, sits on top of libpurple on most systems that use it. Let me make something clear, because even some geeks don’t get this: it doesn’t matter how good your encryption is if your attacker can just read your data off the screen with you, and I promise they can. They may or may not know how to yet, but they can. There are a hundred libpurples on your computer: little pieces of software written on a budget with unrealistic deadlines by people who didn’t know or didn’t care about keeping the rest of your system secure.
My only criticism of this post is that it isn't terrifyingly pessimistic enough.  If you boot it, they will come.  Remember, you're reading this from a computer screen right now.

Software secure is wretched.  Sometimes it's wretched because nobody cares.  Sometimes it's wretched because, well, because you recompiled a program for a 64 bit architecture (rather than a 32 bit one) and without changing a line of code now everyone can pwnz0r you*.  It's a little known fact that Nazi Germany fell because of a failure of cyber security.

But back to the post that Peter pointed us towards.  This is absolutely correct:
Security and privacy experts harangue the public about metadata and networked sharing, but keeping track of these things is about as natural as doing blood panels on yourself every morning, and about as easy. The risks on a societal level from giving up our privacy are terrible. Yet the consequences of not doing so on an individual basis are immediately crippling. The whole thing is a shitty battle of attrition between what we all want for ourselves and our families and the ways we need community to survive as humans — a Mexican stand off monetized by corporations and monitored by governments.
Even classified networks get hacked.  I'm still the #1 Google result for "How to hack a classified network"**.  If the Defense Department - with all their skilled security d00ds and financial resources - if they can't keep themselves safe, then what chance do you have?

The answer, of course, is slim to none.  And Slim just left town.

I've worked in this technology space since 1985.  Quite frankly, I'm not sure what to tell you to help yourselves out.  I wish I had a better answer, other than "never do anything consequential on the 'Net".  And that absolutely, positively means never bank online.  Or vote online.  Of have a car with a computer in it.  Or a "smart" gun.

Riddle me this, Security Man: what do you get when you cross a car with a computer?  Answer: a computer.  Go read the post that Peter points us to.  Re-read it until the hair on the back of your neck stands up, and a shiver runs up your spine.  At that point, you will understand the situation precisely.
If ignorant both of your enemy and yourself, you are certain to be in peril.
- Sun Tsu
Good morning.  ;-)

* I'm actually pretty proud of this post, which is from when I'd only been blogging a couple months but already a distinctly Borepatchian style had emerged.

** Another pretty good security post from the early days of this blog.


ASM826 said...

I'm going to say it again, too. It does not matter if you refuse to bank online. Your bank is banking online. Your credit card company is banking online. The check you send to the utility company to keep your lights on is electronically processed.

It's turtles all the way down.

That Guy said...

There is a security saying from WAY back. "Locks only keep honest people out".

It is true for cars, homes, computers and 'secure areas'.

Aretae said...

Ok. Programmer defense here.

The reason software security sucks is because software sucks.

When you go to build a house, and you nail two boards together, after measuring twice, SOME of the time, the boards are nailed together correctly.

It's just not true in programming. Programming since 1981, I have, exactly once, planned a 200-line program, written it, and had it work as planned. Once.

All of the rest of the time, the program has small errors in it, at 200 lines or less.

Modern programs are complex...not 200 lines, but 200,000 or 2 million.

And then, for almost all software development (I teach / coach other approaches), once software is working, the cost to change it is enormous. You might break something.

Software architecture isn't house architecture, it's Jenga architecture. Trying to add another stick...not so fun.

Dave H said...

To expand on Aretae's remarks: it's also REALLY HARD to gauge the skill of any given programmer, because modern software projects employ so many and the mistakes (or skill) of one will mask the mistakes of others. You can tell if a carpenter or an electrician is a screwup. You can't tell if a programmer is until it's too late, if at all.

Also, there's a widespread lack of "defensive programming," making code that won't fail, or will at least fail in a safe and predictable way, when something unexpected happens. Grunt coders aren't paid to deliver code that's better than the specification calls for; they're paid to deliver code on time. So all the jokes you've heard about things being built by the lowest bidder? That applies to software too.

airwindsolar said...
This comment has been removed by the author.
KD5NRH said...

Yeah, ASM826, it's amusing to listen to the people who won't have one o' them newfangled debit cards 'cuz it's too easy to steal from people usin' 'em, but will pay with a check (dug out only after everything was rung up and painstakingly filled out with a quill pen) at WalMart and think nothing of the fact that the cashier just voided the paper and handed it back to them.

Jester said...

Well, after reading that dissertation it now sounds like the threat of an EMP being detonated to be a net positive, start it from scratch.