Monday, October 3, 2016

Why is computer security so bad?

Because software almost doesn't work at all:
It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. 
Computers, and computing, are broken.
This is absolutely, 100% true.  Years ago I was at a company that found a security bug in the Unix Remote Procedure Call (RPC) routine.  It was bad, allowing J. Random Hacker to remotely take over your server.  It took me weeks to chase down the security team at a large company that really should have known better.  At the end of the day, they didn't fix it.  The reason?

The code is really old and nobody here really understands how it works.  We're afraid that if we fix this we will actually break bigger things.

This is an excellent (if long) article about just how bad things are.  And this has the ring of truth:
For a bunch of us, especially those who had followed security and the warrantless wiretapping cases, the revelations weren’t big surprises. We didn’t know the specifics, but people who keep an eye on software knew computer technology was sick and broken. We’ve known for years that those who want to take advantage of that fact tend to circle like buzzards. The NSA wasn’t, and isn’t, the great predator of the internet, it’s just the biggest scavenger around. It isn’t doing so well because they are all powerful math wizards of doom. 
The NSA is doing so well because software is bullshit.

Hat tip: American Digest.


Ed Skinner said...

Some progress--note I said some--does happen. For the RCP issue, most have simply abandoned it and switched to the much more secure SSH wrapping. And programmers do switch from buffer over-running APIs to safer ones.

But new crap is also created. We're going to see a lot of issues in cars that will be software eelated. The Toyota gas pedal deaths, for example. Settled without blame out of court, analysts who've seen the code were horrified. New regulations are in store for that industry and I doubt I'll ever get in a car on aoto-pilot; my customer's commercial airliners with two pilots as backup scare me already.

Sherm said...

I wonder how much of this is because computers have gotten so powerful and storage so cheap. Small, elegant code isn't necessary and with more code comes more code to exploit.