Jeff Blankenburg has a post wondering about the lack of security online, and how people are able to exclaim, ex post, exactly what was (and was not) done and that Everything Will Be Alright.

It’s worth reading his article (which is par for the course), but here are a couple of thoughts, jumping off from my post from a couple of days ago.  Security is difficult.  You can read books on the topic (Security Engineering and Software Security are two of my favorites), but the same stupid mistakes keep coming up.  People storing passwords in plaintext, sites without SSL certificates, people blindly downloading and opening all kinds of files, databases susceptible to SQL injection, etc.  You could probably have written a software security book from the 1980s and still have it be almost exactly as valuable today—whenever Steve Gibson re-publishes his TechTalk columns, that would be a good opportunity to see just how many of the problems that existed then are still around.

I mentioned the economics of security, and Ross Anderson is a master on the topic.  Instead of having me try to summarize some of the things he said, just read a few of those articles.  Instead, I’ll go down a second track, focused more on developers:  security is hard to do right.  When we see online demos of new tools or development techniques, they skip the security entirely.  It’s all about getting things done fast and reasonably correct.  I don’t blame the demo writers so much, but rather the vast number of copy-pasta “developers” who troll around the Internet searching for pieces of code to develop Frankenstein systems.  You know the type:  broken JavaScript, all kinds of messy functions everywhere, wicked SQL injection vulnerabilities because they didn’t understand that yes, Virginia, you do need to do input filtering.

Maybe there are some people who would do better but just don’t know any different.  Those people could be helped by demos which focus on security topics and implementation.  I like Microsoft’s Security Development Lifecycle, but it is a lot more difficult putting that into place than watching Rob Conery build a site.  But for every person like that, there are a number of developers who just want to copy-paste the codez.  Then, there are the people who rationally ignore security advice.  Why?  Because some of it is totally messed up.  Why do I need to change my password so often that I will never remember it, and so I need to write it down somewhere?

Security comes down to the problem that the IRA brought up after trying to assassinate Margaret Thatcher:  “[R]emember we only have to be lucky once. You will have to be lucky always.”  If anything, given the number of users who will gladly open any attachment they receive or paste any code they found on the internet into their project, it’s amazing that we don’t see more problems.  But then again, maybe that’s because many of the people whose systems have been compromised simply do not know about it—think of all of the bot-nets around.  Those computers are owned by somebody, and they almost certainly aren’t in on the scheme.  And not all of those systems are grandpa’s desktop computer that he bought to get e-mail from the kids; they also include plenty of corporate and even government machines.
