
posted by Fnord666 on Monday February 22 2021, @06:18AM
from the vigilance-is-key dept.

Developer and entrepreneur Bert Hubert has written about how software supply chain safety is similar to food supply safety. Both are about recognizing hazards and finding critical control points to monitor, and in both fields strict rules about handling must be followed.

You can’t just buy the required stuff and declare the food is now safe. It requires constant vigilance.

The analogies to cybersecurity are overwhelming. Food safety is the proper analogy for cybersecurity.

Compare:

  • The enemy is invisible (germs)
  • You can get infected via your supply chain, which is also your responsibility
  • A single employee not paying attention can sink you
  • Out of sight, bugs can fester for years before causing harm
  • Without the right infrastructure, you are doomed
  • But even if you buy the right stuff, there are no silver bullet solutions - only paths to improvement

So I looked into this a bit more, as related fields can often provide very good inspiration. And I was blown away by what I found.

Food safety has been around for a while now and they are light years ahead of us. A mainstay of providing safe food is HACCP[*].

[*] HACCP: Hazard analysis and critical control points.

The key in both areas is recognition that safety is an ongoing process and not a product or appliance which can be tacked on aftermarket.

Previously:
(2020) Supply-Chain Attack Hits RubyGems Repository with 725 Malicious Packages
(2020) A Better Kind of Cybersecurity Strategy



Related Stories

Supply-Chain Attack Hits RubyGems Repository with 725 Malicious Packages

Supply-chain attack hits RubyGems repository with 725 malicious packages:

More than 725 malicious packages downloaded thousands of times were recently found populating RubyGems, the official channel for distributing programs and code libraries for the Ruby programming language.

The malicious packages were downloaded almost 100,000 times, although a significant percentage of those are likely the result of scripts that automatically crawl all 158,000 packages available in the repository, Tomislav Pericin, the cofounder and chief software architect of security firm ReversingLabs, told Ars. All of them originated from just two user accounts: "JimCarrey" and "PeterGibbons."

The accounts, which ReversingLabs suspects may be the work of a single individual, used a variation of typosquatting—the technique of giving a malicious file or domain a name that's similar to a commonly recognizable name—to give the impression they were legitimate. For instance, "atlas-client," a booby-trapped package with 2,100 downloads, was a stand-in for the authentic "atlas_client" package. More than 700 of the packages were uploaded from February 16 to 25.

Once installed, the packages executed a script that attempted to intercept Bitcoin payments made on Windows devices.
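As an added defender-side check that is not part of the Ars article or this story, the following Python flags dependency names that collide with a known package after separator and case normalization (the "atlas-client" versus "atlas_client" case above) and, going beyond the page's example, names that are one character edit away from a known name. The KNOWN_GEMS allowlist is constructed for illustration.

```python
import re

# Constructed allowlist of gems the project actually intends to use; in practice
# this would come from a reviewed lock file or an internal mirror (assumption).
KNOWN_GEMS = {"atlas_client", "rails", "nokogiri", "rack"}

# Names shorter than this are not checked for one-character edits, because
# tiny names collide by accident far too often.
MIN_EDIT_CHECK_LEN = 5


def normalize(name: str) -> str:
    """Collapse separator and case differences so 'atlas-client',
    'Atlas_Client' and 'atlas.client' all map to 'atlas-client'
    (the same idea as PEP 503 name normalization on PyPI)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalikes(candidate: str, known=KNOWN_GEMS) -> list:
    """Known names that `candidate` imitates: identical after normalization
    but spelled differently, or one edit away from a normalized known name."""
    norm = normalize(candidate)
    hits = []
    for k in known:
        if k == candidate:
            continue  # an exact match is the legitimate package itself
        nk = normalize(k)
        if nk == norm:
            hits.append(k)
        elif len(norm) >= MIN_EDIT_CHECK_LEN and edit_distance(norm, nk) == 1:
            hits.append(k)
    return sorted(hits)


def audit_dependencies(deps, known=KNOWN_GEMS) -> dict:
    """Map each suspicious dependency to the known packages it resembles;
    an empty dict means nothing needs a human look."""
    return {d: lookalikes(d, known) for d in deps if lookalikes(d, known)}
```

A hit is a prompt for review, not proof of malice: legitimate forks and renamed packages trigger it too.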



A Better Kind of Cybersecurity Strategy

Bruce Schneier has done an analysis of Russia's (alleged) recent attack on U.S. government agencies:

Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR — previously known as the KGB — hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” — something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.

This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself — and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.

Schneier later adds:

While this is a security failure of enormous proportions, it is not, as Senator Richard Durbin said, “virtually a declaration of war by Russia on the United States.” While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.

MIT news had a recent piece on a new model that demonstrates why countries that retaliate too much against online attacks make things worse for themselves:

  • (Score: 4, Funny) by Anonymous Coward on Monday February 22 2021, @07:36AM (#1115904)

    You are what you eat. And you can't spell SHIT without I.T.

  • (Score: 2) by krishnoid (1156) on Monday February 22 2021, @09:01AM (#1115911)

    Don't forget the amount of crap [cnn.com] allowed in the end-consumer product to still be considered safe. That's an important part of the safety considerations.

    • (Score: 2) by canopic jug (3949) on Monday February 22 2021, @09:14AM (#1115913)

      Don't forget the amount of crap allowed in the end-consumer product to still be considered safe.

      Crap is a good analogy. Analogs to toxins should also be watched for and alarms sounded early in the process if they are detected in order to prevent distribution and use. While people may commonly refer to M$ products as crap, those products are more analogous to heavy metals like cadmium, lead, and mercury: there are no safe levels. Intentional contamination should be treated strictly in ICT, especially intentional contamination.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 1, Interesting) by Anonymous Coward on Monday February 22 2021, @12:28PM (#1115939)

        The human actually makes a pretty good metaphor for the computer. Each endpoint has an OS and hardware, analogous to the human body. When units interact, interfaces allow messages or code to be communicated, analogous to sensory input and social communication. Most data is handled by userspace processes, analogous to the microbiome which inhabits the liminal areas of the body.

        We end up depending on the microbiome/userspace for most of our automatic defenses from external threats, because both computers and humans are geared towards taking input from every source possible and maximize the attack surface. Internal threats like bugs that lead to servers failing, untrained/hostile employees and executives compromising the network, hardware failures, all have reflections in human disease and ailments. External threats can find their match in many human social behaviors.

        • (Score: 2) by krishnoid (1156) on Monday February 22 2021, @05:46PM (#1116065)

          +1 Interesting, citation needed for the second paragraph.

      • (Score: 3, Disagree) by krishnoid (1156) on Monday February 22 2021, @05:50PM (#1116068)

        Now, now. Microsoft keyboards and mice [microsoft.com] are quite good quality; their split/angled keyboard was a standard for ergonomics for quite a while. Also, you can get a great deal of use out of Windows at least as long as you avoid installing/running Microsoft software [portableapps.com] on it and put it behind a good firewall.

  • (Score: 5, Interesting) by Anonymous Coward on Monday February 22 2021, @09:13AM (#1115912)

    What is more costly in terms of each single (!) individual involved (a calculation that definitely includes laziness, indifference and shortsightedness):
    1. Caring about the steps and their effects on end results, checking, reworking and discarding previous work deemed dangerous. Thereby guaranteeing company success through personal "hardship".
    2. Doing as little as possible while declaring rules fudgeable bit by small bit by yet another "optimization" bit, whose point of fudgeability really has long since passed years ago. Thereby guaranteeing personal easy life, with the risk of actual personal impact being rather low. Or for software: mostly nonexistent.

    #2 is the reality. It won't change on its own until the cost structure changes for most of the people involved (source: I work software quality control). Hint: "company does badly" is irrelevant, only personal effects count.

    In the food industry, this change (barely!) came about *ONLY* through government intervention. Market forces are demonstrably not enough even when human life may be at stake. The *ONLY* game changer is rapid attributability to an actual person. This is what HACCP tries to do. This is why people are deadly afraid of it and will fight it tooth and nail. And hence the government intervention, which still needs oversight, and which still finds black sheep.

    Expecting different for the software field as a whole is, in my informed opinion, naive or delusional. Believe me, I tried, and I had the mental breakdown to prove it. In a market driven society *cheating* is the cheapest way to sell shitty products. Anything else is hard work.

    • (Score: 5, Interesting) by Anonymous Coward on Monday February 22 2021, @09:55AM (#1115918)

      Same AC here:

      For hell's sake, even in medicine!!

      Read up on Ignaz Semmelweis, who single-handedly invented handwashing for medical personnel. He's a hero nowadays. During his lifetime, they fought him like Satan incarnate, because he told doctors what a lazy, complacent, patient-killing bunch of dirty irrationals they were. And they really, provably *were*!

      Quality control at its finest. Another soul destroyed by the mediocre and the half-witted, preferring walking over dead bodies to changing their own ways.

      • (Score: 2) by cosurgi (272) on Tuesday February 23 2021, @06:35PM (#1116533)

        hey, make an account. I can’t become your fan when you don’t have one ;)

        --
        #
        #\ @ ? [adom.de] Colonize Mars [kozicki.pl]
        #
  • (Score: 1, Insightful) by Anonymous Coward on Monday February 22 2021, @02:29PM (#1115983)

    At least in the US, food safety is regulated, monitored and enforced. Food processors are shut down. Restaurants are shut down. Unsafe food is turned down when delivered, or thrown away. There are no good parallels in the software security realm. Sure, we have some regulatory reviews, PCI-DSS for credit cards, FedRAMP for government cloud deployments, and a few others. But nothing that compares to the food industry.

    As much as we like our freedom to innovate, use the latest programming language, use the latest fad library or framework, or just deliver fast, we have to at some point realize we aren't helping ourselves.

    And, without external intervention, I fear we will continue in a tragedy of the commons way. As long as one company can provide crap/insecure solutions, and thus "out compete" everyone else, there is no financial incentive to do any better. Add in solutions coming from multiple countries, with vastly different laws and regulations, and the situation is complex. Food safety doesn't have to deal with this factor.

    • (Score: 2) by krishnoid (1156) on Monday February 22 2021, @05:55PM (#1116071)

      "Dagnabit, we darn tootin' don't need no fancy gubmit reggleations keepin us safe!"
      "That's right sir. Now bite down on this bullet while I turn off a few of your routers and update your antivirus software to clear out this infection. Oh, and that'll be $20 for the haircut [wikipedia.org]."

  • (Score: 0) by Anonymous Coward on Monday February 22 2021, @03:15PM (#1115994)

    IT Security is also like any other corporately run safety operation: it won't get better unless it's "free" (as in open source / low cost) or regulated into effectiveness, as in TFA's OSHA/FDA analogy; though these US gov orgs are not particularly effective (i.e. this [youtube.com]), they at least provide the specter of enforcement to scare a few corporations straight... until they get big enough to bribe rules in their own favor and neuter the orgs.
  • (Score: 0) by Anonymous Coward on Monday February 22 2021, @06:19PM (#1116080)

    It seems very common to pass data using an address stack.

    Billions of transistors available per chip and yet people are still doing such unhygienic things.

    • (Score: 2) by FatPhil (863) on Monday February 22 2021, @06:45PM (#1116086)

      It's not an address stack, it's just a stack. Of course, only having one stack is the problem, but to pretend that the shared one we have is somehow associated more to one particular type of storage than another is a fairy story. Were you to split out the functionality, the implementation that you would change the behaviour of the most (e.g. reduce access to its contents) would be the return address stack, not the local data frames stack, so it's arguably more a data stack than an address stack.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves