“Cybersecurity is not very important” is a new paper by the very smart Andrew Odlyzko. I do not agree with everything he says, but it’s worth reading and pondering if and why you disagree with it. I think I agree with it more than I disagree.
The Seattle Times has a story today about how “50 years ago today, the first 747 took off and changed aviation.” It’s true. The 747 was a marvel of engineering and luxury. The book by Joe Sutter is a great story of engineering leadership. For an upcoming flight, I paid extra to reserve an upper deck seat before the last of the passenger-carrying Queens of the Skies retires.
And in a way, the 747 represents a pinnacle of aviation engineering advancements. It was fast, it was long range, it was comfortable. There is no arguing that today’s planes are lighter, quieter, have better air, in seat power and entertainment, but I’m still happy to be flying on one, and there are still a few left to be delivered as cargo airplanes until 2022. (You can get lost in the Wikipedia article.)
And I want to talk a little not about the amazing aircraft, but about the regulatory tradeoffs made for aircraft and for computers.
As mentioned, the 50 year old design, with a great many improvements, remains in production. Also pictured is what’s probably a 1960s era Bell Systems 500 (note the integrated handset cord). Now, if 747s crashed at the rate of computers running Windows, there wouldn’t be any left. Regulation has made aviation safe, but the rate of innovation is low. (Brad Templeton has some thoughts on this in “Tons of new ideas in aviation. Will regulation stop them?.”)
In contrast, innovation in phones, computers and networks have transformed roughly every aspect of life over the last 25 years. The iPhone has transformed phones from phones into computers full of apps.
This has security costs. It is nearly impossible to function in society without a mobile phone. Your location is tracked constantly. A vulnerability in your phone leads to compromise of astounding amounts of personal data. These security costs scale when someone finds a vulnerability. Bruce Schneier has written recently about how this all comes together and leads him to say that even bad regulation is probably better than no regulation.
In some ways, we’re already accepting these controls: see “15 Controversial Apps That Were Banned From Apple’s App Store,” or “Google has ‘banned’ these 14 apps from Play Store.” Controls imposed by one of the two companies wealthy enough to compete in mobile phone operating systems are importantly different from government controls, except of course, when those companies remove apps at the behest of governments.
I don’t know how to write regulation that allows for permission-less innovation at the pace we’re used to, and balances that with security and privacy. Something’s likely to give, and we need to think about how to make the societal tradeoffs well. Does anyone?
(Lastly, speaking of that upper-deck reservation, I want to give a shout-out to TProphet’s Award Cat, who drew my attention to the aircraft type and opportunity.)
It’s well known that adoption rates for multi-factor authentication are poor. For example, “Over 90 percent of Gmail users still don’t use two-factor authentication.”
How well do these incentives work? Are there numbers out there?
J.E. Gordon’s Structures, or Why Things Don’t Fall Down is a fascinating and accessible book. Why don’t things fall down? It turns out this is a simple question with some very deep answers. Buildings don’t fall down because they’re engineered from a set of materials to meet the goals of carrying appropriate loads. Those materials have very different properties than the ways you, me, and everything from grass to trees have evolved to keep standing. Some of these structures are rigid, while others, like tires, are flexible.
The meat of the book, that is, the part that animates the structural elements, really starts with Robert Hooke, and an example of a simple suspension structure, a brick hanging by a string. Gordon provides lively and entertaining explanations of what’s happening, and progresses fluidly through the reality of distortion, stress and strain. From there he discusses theories of safety including the delightful dualism of factors of safety versus factors of ignorance, and the dangers (both physical and economic) of the approach.
Structures is entertaining, educational and a fine read that is worth your time. But it’s not really the subject of this post.
To introduce the real subject, I shall quote:
We cannot get away from the fact that every branch of technology must be concerned, to a greater or lesser extent, with questions of strength and deflection.
The ‘design’ of plants and animals and of the traditional artefacts did not just happen. As a rule, both the shape and the materials of any structure which has evolved over a long period of time in a competitive world represent an optimization with regard to the loads which it has to carry and to the financial and metabolic cost. We should like to achieve this sort of optimization in modern technology; but we are not always very good at it.
The real subject of this post is engineering cybersecurity. If every branch of technology includes cybersecurity, and if one takes the author seriously, then we ought to be concerned with questions of strength and deflection, and to the second quote, we are not very good at it.
We might take some solace from the fact that descriptions of laws of nature took from Hooke, in the 1600s, until today. Or far longer, if we include the troubles that the ancient Greeks had in making roofs that didn’t collapse.
But our troubles in describing the forces at work in security, or the nature or measure of the defenses that we seek to employ, are fundamental. If we really wish to optimize defenses, we cannot layer this on that, and hope that our safety factor, or factor of ignorance, will suffice. We need ways to measure stress or strain. How cracks develop and spread. Our technological systems are like ancient Greek roofs — we know that they are fragile, we cannot describe why, and we do not know what to do.
Perhaps it will take us hundreds of years, and software will continue to fail in surprising ways. Perhaps we will learn from our engineering peers and get better at it faster.
The journey to an understanding of structures, or why they do not fall down, is inspiring, instructive, and depressing. Nevertheless, recommended.
I’m pleased to be able to share work that Shostack & Associates and the Cyentia Institute have been doing for the Global Cyber Alliance. In doing this, we created some new threat models for email, and some new statistical analysis of
It shows the 1,046 domains that have successfully activated strong protection with GCA’s DMARC tools will save an estimated $19 million to $66 million dollars from limiting BEC for the year of 2018 alone. These organizations will continue to reap that reward every year in which they maintain the deployment of DMARC. Additional savings will be realized as long as DMARC is deployed.
There’s an interesting article at the CBC, about how in Canada, “More than a dozen federal departments flunked a credit card security test:”
Those 17 departments and agencies continue to process payments on Visa, MasterCard, Amex, the Tokyo-based JCB and China UnionPay cards, and federal officials say there have been no known breaches to date.
There are some interesting details about the who and why, but what I want to focus on is the lack of (detected) breaches to date, and the impact of the audit failure.
The fact that there have been no breaches detected is usually a no-op, you can’t learn anything from it, but with credit cards, there’s a “Common Point of Purchase” analysis program that eventually turns a spotlight on larger “merchants” who’ve been breached. So the lack of detection tells us something, which is that a large set of PCI failures don’t lead to breaches. From that we can, again, question if PCI prevents breaches, or if it does so better than other security investments.
The second thing is that this is now a “drop everything and fix it” issue, because it’s in the press. Should passing PCI be the top priority for government agencies? I generally don’t think so, but likely it will absorb the security budget for the year for a dozen departments.
“20 Ways to Make AppSec Move at the Speed of DevOps” is in CSO. It’s a good collection, and I’m quoted.
Congratulations to the 2016 winners!
- Dan Geer, Chief Information Security Officer at In-Q-Tel;
- Lance J. Hoffman, Distinguished Research Professor of Computer Science, The George Washington University;
- Horst Feistel, Cryptographer and Inventor of the United States Data Encryption Standard (DES);
- Paul Karger, High Assurance Architect, Prolific Writer and Creative Inventor;
- Butler Lampson, Adjunct Professor at MIT, Turing Award and Draper Prize winner;
- Leonard J. LaPadula, Co-author of the Bell-LaPadula Model of Computer Security; and
- William Hugh Murray, Pioneer, Author and Founder of the Colloquium for Information System Security Education (CISSE)
In a world where influence seems to be measured in likes, re-tweets and shares, the work by these 7 fine people really stands the test of time. For some reason this showed up on Linkedin as “Butler was mentioned in the news,” even though it’s a few years old. Again, test of time.
Today, a global coalition led by civil society and technology experts sent a letter asking the government of Australia to abandon plans to introduce legislation that would undermine strong encryption. The letter calls on government officials to become proponents of digital security and work collaboratively to help law enforcement adapt to the digital era.
In July 2017, Prime Minister Malcolm Turnbull held a press conference to announce that the government was drafting legislation that would compel device manufacturers to assist law enforcement in accessing encrypted information. In May of this year, Minister for Law Enforcement and Cybersecurity Angus Taylor restated the government’s priority to introduce legislation and traveled to the United States to speak with companies based there.
Today’s letter signed by 76 organizations, companies, and individuals, asks leaders in the government “not to pursue legislation that would undermine tools, policies, and technologies critical to protecting individual rights, safeguarding the economy, and providing security both in Australia and around the world.” (Read the full announcement here)
I’m pleased to have joined in this effort by Accessnow, and you can sign, too, at https://secureaustralia.org.au. Especially if you are Australian, I encourage you to do so.
Emergynt has created the Emergynt Risk Deck, a set of 51 cards, representing actors, vulnerabilities, targets, consequences and risks. It’s more a discussion tool than a game, but I have a weakness for the word “emergent,” and I’ve added it to my list of security games
Also, Lancaster University has created an Agile Security Game.