It wasn't me. You can't prove anything.


Security Disconnect

My sources for this post are purely tech journals and web pages like Slashdot and Wired. None of this is based on my employer’s information or practices. (Really, I’m not in security or anything like it.)

In the beginning, there were developers. All was well. Then some of the developers decided they wanted to be bad guys and they used their skills to cheat and steal. This was not good, but it was inevitable. Developers are people after all.

The result of this was an arms race between good and evil for the better technology to thwart the other side. Every time the bad guys come up with a trick, the good guys counter. Every time the good guys defend something valuable, the bad guys come up with more tricks. It is the way of nature. It has run for a lifetime and gotten very complex.

Something is happening in the technology industry that may not be a good thing. There is a separation between the public sector and ultra secure entities. For a very long time the ultra secure have taken off-the-shelf devices, tweaked them, and made them more secure. This tech trickled back to the community and you had a positive feedback loop that accelerated security development.

I’m sure a lot of this is still going on, but it seems the industry that developed purely for the ultra secure is booming. The links between the ultra secure and mundane development seem to be withering. Security on so many public software projects just seems to be a box to tick in a PowerPoint presentation. The goal is to get people to click on in-game purchases and rent virtual hotel rooms. Security is something you put in after a billion user files are stolen (Yahoo!).

My experience is companies telling developers to pay very close attention to security and then setting deadlines that allow very little time for dedicating thought to security. We do it anyway. We make it work, we make it secure, and we tick the box on the PowerPoint slide. It just isn’t easy.

That loss of feedback is going to slow forward movement of secure development. The ultra secure people are not going to provide last year's tech to the mundanes. The mundanes are not going to provide an army of people poking and prodding the software and indeed hardware to find weaknesses. You cannot automate lucky. Some mediocre programmer might find the loose tile in the wall, missed by all the automation, that brings down the castle. You have to know there is a problem before you can automate looking for it.

The Iranian nuclear development team air-gapped (physically separated) all the development systems for their nuclear systems. They thought that this was a very good idea. It was, really. But it is not impervious to human error. One of the people who had access to the secure network put an infected USB drive in a secure computer and all the very expensive material separators ran too fast and burned out. This was a targeted attack. Someone knew what was going on at the facilities and exploited several weaknesses to slow the Iranian development of nuclear fuel.

The solution here is to keep the channels open. Don’t give away the family cow for magic beans, but talk to people on the other side of the aisle. Learn motives, tools, intentions, drives, and accomplices. Root out bad things and talk about failures. Find the things that work and test the hell out of them.
