SoylentNews is people
SoylentNews
Seventy years into the computer age, Moshe Y. Vardi at ACM wants to know why we still do not seem to know how to build secure information systems:
Cyber insecurity seems to be the normal state of affairs these days. In June 2015, the U.S. Office of Personnel Management announced it had been the target of a data breach targeting the records of as many as 18 million people. In late 2016, we learned about two data breaches at Yahoo! Inc., which compromised over one billion accounts. Lastly, during 2016, close to 20,000 email messages from the U.S. Democratic National Committee were leaked via WikiLeaks. U.S. intelligence agencies argued that the Russian government directed the breaches in an attempt to interfere with the U.S. election process. Furthermore, cyber insecurity goes way beyond data breaches. In October 2016, for example, emergency centers in at least 12 U.S. states had been hit by a deluge of fake emergency calls. What cyber disaster is going to happen next?
[...] The basic problem, I believe, is that security never gets a high-enough priority. We build a computing system for certain functionality, and functionality sells. Then we discover security vulnerabilities and fix them, and security of the system does improve. Microsoft Windows 10 is much, much better security-wise than Windows XP. The question is whether we are eliminating old vulnerabilities faster than we are creating new ones. Judging by the number of publicized security breaches and attacks, the answer to that question seems to be negative.
This raises some very fundamental questions about our field. Are we investing enough in cybersecurity research? Has the research yielded solid scientific foundations as well as useful solutions? Has industry failed to adopt these solutions due to cost/benefit? More fundamentally, how do we change the trajectory in a fundamental way, so the cybersecurity derivative goes from being negative to being positive?
Previously:
It's 2015. Why do we Still Write Insecure Software?
Report Details Cyber Insecurity Incidents at Nuclear Facilities
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @04:49AM (8 children)
The obligations of the engineer or the client should not be one-size-fits-all; this "There should be a law!!111" cry is what makes life so abhorrently miserable for all of us.
What you are identifying is the fact that our society is very poorly defined; nobody really has any clear idea what's going on, or how one individual is obliged to another. What there should be, then, is a more robust way for individuals to negotiate and enforce well-defined contracts, and to resolve disputes thereby.
(Score: 2) by julian on Tuesday April 18 2017, @05:19AM (1 child)
And then the autistic screeching about coercion starts. Enjoy, everyone!
Meanwhile, the rest of us need a society that works balancing physical reality with human psychology.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @05:31AM
Whatevs, Julianbo.
(Score: 3, Interesting) by NotSanguine on Tuesday April 18 2017, @06:07AM (4 children)
What there should be, then, is a more robust way for individuals to negotiate and enforce well-defined contracts, and to resolve disputes thereby.
Oh, there are lots of well defined [cisco.com] contracts already. In addition to the one linked above, here are a few more:
http://www.linksys.com/ua/end-user-license-agreement/ [linksys.com]
http://www.samsung.com/us/support/HQ_index_EULA_popup.html [samsung.com]
https://www.apple.com/legal/internet-services/itunes/appstore/dev/stdeula/ [apple.com]
https://www.xfinity.com/Corporate/Customers/Policies/SubscriberAgreement.html [xfinity.com]
Microsoft's contracts are so well defined that they have customised them by point of purchase and product [microsoft.com]
There are hundreds more I could list, but you get the idea. The issue isn't not having well defined contracts, it's that the contracts we do have are designed specifically to dump all risk on the end user and ensure that whether a corporation and/or its products does what it's supposed to do or not, the corporation is held harmless in any event.
Even website click-through (click-wrap) contracts have been routinely found to be legally binding, although enforcement of a simple access (browsewrap) contracts have not [americanbar.org].
Go ahead and read through all those well defined contracts, then explain to me, given the mechanisms for purchase and access, how an end user can "negotiate" fair terms, even with a "well defined contract"?
tl;dr: your ideas are interesting and I would like to subscribe to your newsletter.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1, Insightful) by Anonymous Coward on Tuesday April 18 2017, @06:34AM (3 children)
There does not exist a robust means by which individuals can negotiation and enforce well defined contracts, or resolves disputes thereby.
Users gladly agree to whatever. Thus, are they not to blame?
(Score: 2) by NotSanguine on Tuesday April 18 2017, @06:39AM (1 child)
Your ideas are interesting and I would like to subscribe to your newsletter. Podcast? Crayons on construction paper? Wall writing with your feces?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @06:52AM
Your urine allows very little in the way of communication.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @01:17PM
Thus, are they not to blame?
Ultimately, yes.
To blame for what exactly? Sure, we can blame them and go neener neener, but what we've almost gotten at comes back to the thing about men and angels.
There is no well-defined contract between, say, a cloud service provider, the user as a customer of this cloud, the user as an actor that routes traffic over the internet, and the botnet operator. If a user's network participates in a DDOS against a cloud that user has never even heard of, how could we possible enforce a contract against them? If we could do that, the user might be able to cascade the responsibility to the botnet operator or equipment manufacturer, etc by way of some other contract (or maybe the buck stops at the user due to various contracts).
(It is within my capability to imagine some entity operating on the free market [which does not need to be an ISP necessarily] that all users of, say, a competing logical region of the internet requiring contracts with the botnet operator as another user or actor who routes traffic that would make enforcement possible in the abstract.)
What we have here is a lack of any kind of system to deal with these things. We don't have an egalitarian contract system where everybody is an equal (and I continue to think such a thing is unworkable). Additionally, the warlord whose violent imposition the user is subject to is also derelict in his duty.
The least we could hope for is for our violently imposed warlord (government) to bring his resources to bear on the (malicious) botnet operator; the (negligent) user, equipment manufacturer, ISP, OS vendor, etc; or some combination.
The only reason we accept this warlord is because he protects us from other warlords. What good is a warlord who won't do that? He's derelict in his duty because he's simply allowing another warlord (the botnet operator) infringe on our quiet enjoyment (to borrow a term from the implied rental contract with our warlord) without even so much as trying to do anything about it.
(Score: 0) by Anonymous Coward on Tuesday April 18 2017, @09:15PM
Nice! I'm happy to see you changing it up a bit, and so far no downmod!
There are times when society should create laws to protect against malfeasance. Public roads / bridges / other infrastructure should be held to a high safety standard, and that is only possible by creating a law with clear requirements. The biggest problem I see with eliminating government and moving to individual contracts is that no one is an expert on everything. This would make it very easy for a company to screw over its customers just to increase their profit margin.
I imagine you might respond with "if they screw them over then no one would use that company and so the market would correct itself" but let me use an example.
A small town needs a new bridge, so puts out a proposal and collects bids. They select a company that seems good, but the company ends up using cheaper materials and the bridge collapses in half the expected lifetime, say 10-20 years. Turns out this company had a history of doing this, so they get sued into oblivion but due to their corporate structure the owners were able to pocket the profits while tanking the company. Then they create a new company and start this process all over.
More examples could be brought up, such as electronics devices not polluting the air waves and causing aircraft guidance problems, along with a million other circumstances which could easily be overlooked or actively ignored by private companies. Without a large agency to oversee these various issues there is no way to prevent such problems from happening. Whether you call it government, or the majority of people use a couple of trusted "oversight" companies, it doesn't mater. You effectively have the same concepts and humanity pays for it either through taxes or higher service / product costs.
Personally I would choose the option of government for safety oversight. Private businesses have financial motivation for doing a bad job. Yes such corruption happens in government, but there is accountability. With private businesses there is much less accountability and history currently indicates that private businesses can and will make bad decisions in the pursuit of profit. Now we can have discussions about any particular piece of regulation, but you'll never convince me to hand the reigns over to profit motivated businesses.
We have a big enough problem with corporate interests buying legislation, in your reality they would simply do as they please and the biggest corporations would become vertically integrated. In a very short time period you would have corporate states since who would be there to break up such monopolies? That would be 100X worse than government paired with private business.