Online security is a horrifying nightmare. Heartbleed. Target. Apple. Linux. Microsoft. Yahoo.eBay. X.509. Whatever security cataclysm erupts next, probably in weeks or even days. We seem to be trapped in a vicious cycle of cascading security disasters that just keep getting worse.
Why? Well — “Computers have gotten incredibly complex, while people have remained the same gray mud with pretensions of godhood … Because of all this, security is terrible … People, as well, are broken … Everyone fails to use software correctly,” writes the great Quinn Norton in a bleak piece in Medium. “We are building the most important technologies for the global economy on shockingly underfunded infrastructure. We are truly living through Code in the Age of Cholera,” concurs security legend Dan Kaminsky.
Most of which is objectively true. And it’s probably also true, as Norton states and Kaminsky implies, that a certain amount of insecurity is the natural state of affairs in any system so complex.
But I contend that things are much worse than they actually need to be, and, further, that the entire industry has developed learned helplessness towards software security. We have been conditioned to just accept that security is a complete debacle and always will be, so the risk of being hacked and/or a 0-day popping up in your critical code is just a random, uncontrollable cost of doing business, like the risk of setting up shop in the Bay Area knowing that the Big One could hit any day.
What’s more, while this is not actually true, most of the time it is no bad thing.
I’m pleased that I was a Heartbleed hipster, dissing OpenSSL before it was cool (i.e. ten days before Heartbleed emerged into the light) but I don’t pretend to be a security expert. I do write software for a living, though … and recent events remind me vividly of the time I attended DefCon just after Cisco tried to censor/gag-order Michael Lynn. Continue reading…