Ask Slashdot: Is the World Better Or Worse Because of Security Tech?
Slashdot reader krisdickie is a developer for embedded devices (and many other systems), and spends a lot of time being proactive about security.
This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my team) would have been X times more productive or have come up with some amazing new concept or feature, if we didn't have to deal with implementing security measures.
In a utopian world, where there are no bad actors, we would have likely forfeited many of the systems and ideas that have been put into place to prevent bad things from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?
Or are we just losing precious resources and time dealing with the necessity of protecting ourselves from the perilous few?
Share your own thoughts in the comments. Is the world better or worse off because of our ongoing development of security tech?
Seriously? (Score:3, Insightful)
What an asinine question.
Of course we're worse off because there are bad people in the world. If everyone was a magical completely altruistic person who did nothing but make the world a better place, the world would be a better place.
Re: (Score:2)
This article touches on many of the overall issues, implicit in the "question", as it is.
"It’s time to kill the web"
https://blog.plan99.net/its-ti... [plan99.net]
Re: (Score:2)
Oh, sure, I can imagine such a place - but that wasn't the proposition: a world full of truly selfish people would care for ONLY themselves. Meanwhile pretty much every social animal on the planet demonstrates compassion and altruism - without them we would probably never even manage to develop modern civilization in the first place.
Re: (Score:2)
Security and convenience have always been at odds.
Now new security tech does help make some things a bit more convenient while keeping a reasonable (not superior) degree of security.
Such as biometrics like fingerprint reading and face recognition allow you to keep devices secure enough against the casual bad actor (the majority of them). As well with the advancements in encryption allows a lot of extra security to go on without much user interaction. But still it isn't faster and easier to use these systems w
Until the system goes down because it wasn't secur (Score:2)
There is some truth in that. Sometimes there is a trade-off between certain types of security and convenience.
Also, it's VERY inconvenient when the system goes down entirely because it wasn't secured. The easiest attacks are generally denial of service attacks, so if you pay no mind to security you can expect the service to be unavailable frequently. A bit of security would make things a lot more convenient.
It's also pretty darn inconvenient when the system gives wrong results, such as when your bank balanc
Re: (Score:3)
Better or worse? (Score:4, Funny)
Yes.
Sure, just ignore security, YOU IDIOT (Score:1)
admin/admin passwords, not rolling out patches, leaving anonymous FTP open... what can go wrong? this article was written by a dumbass
It depends (Score:3)
This is not a one-case-fits-all item.
What kinds of measures specifically are being spoken of? Does it help or hinder end users doing what they wish? Are end users even a consideration or is this solely to keep a stranglehold on the device from a manufacturer's perspective?
As with many things there will never be a single answer, what is presented is a set of varying trade-offs whose value will change depending on the desired goals and whose perspective it is desired from.
Necessity is the mother of invention (Score:5, Insightful)
Re: (Score:2)
A good example would be the Melissa virus which, IIRC, started out as a proof-of-concept that accidentally got loose.
Missing Option (Score:3)
Not better or worse, but as it should be.
I'd - sadly - say better. (Score:2)
At this point, we're just imitating the Dutch boy quickly plugging holes in the dike while at the same time realizing that we'll run out of fingers long before all of the holes are plugged.
Re:I'd - sadly - say better. (Score:5, Insightful)
It's not even that. The answer to the question of whether security makes things better or not in general is straightforward: It depends on whether the cost of the security is enough of a nuisance to exceed the projected lifetime benefit. And that largely depends on context. I'll explain by analogy.
I grew up in a small town in West Tennessee. Lots of folks around town routinely left their houses unlocked. It was that kind of town. There were a few thousand people, and everybody knew everybody, or if they didn't know somebody, they knew someone who did. In that context, it didn't take much security to keep things safe, because most people are good people, and if somebody from outside the community was wandering around, everybody knew that the person was an outsider if nobody out of a group of three or more people recognized the person. Thus, a bad person from elsewhere would arouse enough suspicion to be noticed, and would probably be thwarted in whatever nefarious deeds he or she was planning, unless it was just minor mischief like TPing the house of somebody that nobody really liked much anyway.
Now, I live in the Silicon Valley. I know two of my neighbors. Thanks to work and church, I know people from various parts of the area, but they don't live nearby. I'm reasonably confident in leaving things lying around at work for precisely the same reason that I was reasonably confident back home—because everybody knows each other. But if you were to ask me if I could leave valuables lying around anywhere else, the answer would be "heck no," because nobody knows anybody, statistically speaking, and so everybody is indistinguishable from a potential insider or outsider. Even though most people are still good people, the odds of a bad person getting noticed are much lower. And with so many more people, the number of bad people is much higher even if the percentage is the same, which only compounds the problem.
The same problem exists with technology. Prior to the Internet, when computers were basically devices that you interacted with locally, security didn't matter that much, because most people are good people. When computers became more connected, that became a problem, because even if most people are good people, the bad people can get to your systems from anywhere in the world, so it only takes a few bad people to ruin everything. And because the pool of people potentially accessing your system is so much larger, the ability to distinguish good people from bad people is diminished.
So to make a long story short, computer security is a necessary response to the realities of a more interconnected world. Would things be worse without all that added security? Yes. Does the security actually make the world better? No. It just keeps things from unraveling in the presence of interconnectedness that does make the world better. The real question is whether that distinction matters.
Scarcity thinking and ironies of abundance (Score:2)
I agree with your point "computer security is a necessary response to the realities of a more interconnected world." That said, in many cases, I feel the deeper issue is, as in my sig, the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
I write about those ironies in regards to militarism here: http://pdfernhout.net/recogniz... [pdfernhout.net]
"Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic i
Technology is a gift (Score:4, Interesting)
The choice people have to make is if it frees us or enslaves us.
We had our decision point in the 80s and 90s (Score:5, Insightful)
In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.
However, what happened is that companies took the easy route. Windows had no innate security so the whole firewall/castle model of company security was formed, where security was done by the network fabric, and not the endpoints. This worked for a while, until malvertising and Trojans allowed malware to attack anywhere.
These days, security is pathetic in general. I have heard "security has no ROI", "the hackers will always win, so why waste money?" and other claptrap for over a decade. In fact, because there is no real criminal penalty, an egregious security breach makes the top levels of a company a lot of money because they can short their stock before making the announcement public, especially if they can keep the breach under wraps for six months.
IoT devices come to mind as a specific example. Why even bother with meaningful security when customers are forced to buy your version 1.1 of a doodad because version 1.0 will get their stuff hacked, and cannot be upgraded? Especially because the money with IoT is the analytics coming in, not the actual purchase of the device.
Re: (Score:2)
Re: (Score:2)
No it doesn't.
There are thousands of compromised boxes in china, and malware infections are a routine problem in chinese companies.
A lot of the spam and hack attempts that come from chinese addresses aren't launched by the chinese, they are boxes that have been hacked.
Re: (Score:2)
> In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.
> However, what happened is that companies took the easy route.
Amen! However, also along the way is that the entire tech community decided that real security wasn't possible, it somehow became unobtainable. The problems were SOLVED in the 1970s in response to the data processing problems encountered with multi-level data security for Viet Nam, but we failed to heed the lessons, and eventually they fell into obscurity.
Capability based security offers a way to have general purpose computing that humans can manage and secure. The core concept is to never, ever, trust an
Re: (Score:2)
People can't deal with trivial UAC prompts because they don't understand what's being asked of them and you are suggesting THIS?
Re: (Score:2)
UAC sucks, quite frankly. It's a "this might be bad, do you want to do it anyway" type of question, conveying no useful information other than a horrid boolean choice (Yes - your machine might get PWND along with everything on it, No - Your machine won't do what you want because of "Security")
Replacing dialog boxes with "power boxes" makes almost no difference in terms of ease of use, but it shifts permissions away from the application code and puts it back where it belongs.
Insisting that users can't manag
Re: (Score:2)
the current OS design would have you hand your wallet (and a non-revocable power of attorney) to the clerk, and just hope that they take the right amount out of your account before handing it back.
Which is exactly how credit/debit cards work...
Re: (Score:1)
The OS file dialogue is exactly how OS X handles sandbox applications for opening a file.
It goes further, that it gives a file handle back that is signed by the OS, so it can store the user-given-permission in a preference file, so that the next time the application is opened it will still have access to that file.
Re: (Score:2)
Re: (Score:2)
Why should a program even know about the existence of "djfhgkl.dll"? It shouldn't see any of the file system, except when handed a capability for a file or folder.
Every gas station clerk I hand $20 to as a form of payment doesn't have the ability to take out a mortgage in my name... they only have the $20. There are zero clerks asking to touch each note in my wallet by serial number, etc.
Malware are just programs that are written to do evil, everything else does evil by mistake. Capabilities just prevent
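An added illustration of the "handed a capability for a file or folder" idea discussed in this sub-thread; it is not code from any poster. `DirCapability`, `open_beneath` and `untrusted_plugin` are hypothetical names, the files are constructed in a temporary directory, and Python does not itself remove a program's ambient authority, so this shows the interface a capability-based OS would enforce rather than a sandbox.

```python
import os
import tempfile


class DirCapability:
    """An open directory descriptor: the only authority handed to the holder."""

    def __init__(self, path):
        # Only the trusted side (the "powerbox") ever sees a path name.
        self._fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)

    def open_beneath(self, relpath, flags=os.O_RDONLY):
        """Open relpath strictly inside this directory and return a descriptor."""
        parts = [p for p in relpath.split("/") if p not in ("", ".")]
        if relpath.startswith("/") or ".." in parts or not parts:
            raise PermissionError(f"outside capability: {relpath!r}")
        cur = os.dup(self._fd)
        try:
            # Walk one component at a time, never following symlinks, so a
            # link planted inside the granted folder cannot lead out of it.
            for name in parts[:-1]:
                nxt = os.open(name,
                              os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=cur)
                os.close(cur)
                cur = nxt
            return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=cur)
        finally:
            os.close(cur)

    def close(self):
        os.close(self._fd)


def untrusted_plugin(cap):
    """Constructed stand-in for application code that probes for more access."""
    attempts = ("notes.txt", "sub/deep.txt", "../secret.txt",
                "link_to_secret", "/etc/hostname")
    results = {}
    for target in attempts:
        try:
            with os.fdopen(cap.open_beneath(target)) as fh:
                results[target] = fh.read()
        except OSError:  # PermissionError and ELOOP (symlink) both land here
            results[target] = "denied"
    return results


def demo():
    """Build a constructed file tree, grant one folder, run the plugin."""
    with tempfile.TemporaryDirectory() as root:
        granted = os.path.join(root, "granted")
        os.makedirs(os.path.join(granted, "sub"))
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not yours")
        with open(os.path.join(granted, "notes.txt"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(granted, "sub", "deep.txt"), "w") as fh:
            fh.write("nested")
        # A symlink inside the granted folder that points outside it.
        os.symlink("../secret.txt", os.path.join(granted, "link_to_secret"))
        cap = DirCapability(granted)
        try:
            return untrusted_plugin(cap)
        finally:
            cap.close()


if __name__ == "__main__":
    for target, outcome in demo().items():
        print(f"{target!r}: {outcome}")
```

On Linux, `openat2()` with `RESOLVE_BENEATH` performs the same confinement in the kernel; the component-by-component walk above is the portable equivalent.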
Re: We had our decision point in the 80s and 90s (Score:2)
Re: (Score:2)
probably yes (Score:1)
Locked Doors Are Barriers to Experimenting/Learnin (Score:1)
I know that when I first started hacking around with Linux in the mid 1990s that I had an easy time experimenting with networking compared to somebody just trying things out today.
Samba was out and all the security in it, and in Microsoft products that used SMB, were loose and easy to use. NFS was a breeze to use, so you could boot up a machine with an NFS install floppy diskette and put a whole freenix (I like NetBSD) on a system quickly.
A lot of that has changed now. It's even a hassle now just to get t
Re: (Score:1)
Re: (Score:2)
Exactly.
It's also making stuff harder to repair, because new vulnerabilities mean you lose the ability to fix it yourself.
Think about a fingerprint reader. In days gone by, they were simply cameras and you got an image from them, then run your algorithms on them. But nowadays it's such a big deal that fingerprint data must be encrypted and if your hardware supports it, sent over a secure bus to a secure processor, using PKI encryption to ensure both endpoints haven't been compromised.
All this because a bad
Simple answer: Yes. (Score:2, Insightful)
Aka "both". But by and large, worse, and this will worsen until we fix two things:
The atrocious state of our technology, IOW the "hyoooooooge" technical debt. That mountain is so big we don't know where to start looking at it. But it's still there. It's become so big it has its own abyss, staring at you. That makes it even harder to look at.
Our willingness to be oppressed by technology. It doesn't matter if it's because of some "security" threat or other ("for the childrun", "terrists", you name it), govern
Yes. (Score:1)
The logical value of (A or (not A)) is always True.
I am simplifying somewhat here because "better" is not the opposite of "worse" (we must also consider "equal"), however the probability of the situation being exactly equal is zero, so you get the same result.
You could also ask if it is better AND worse, and the answer would still be yes. Just as you could say Slashdot is both bad and good. There are plenty annoyances, but hey - after 20+ years I am still here reading, so it can't be all bad.
Some of these p
Security Tech and the Orwellian society (Score:3)
First we have to ask ourselves, what is security?
Security, as in locked doors, encrypted drives, encrypted mail and digital wallets?
Or...
Security as in personal security (the rights to roam free and pursue our own dreams), free from oppressors, freedom of speech, information freedom.
In a time of fake news where it's possible to manipulate another country just by doctoring the news and opinions of the masses, this is certainly not good.
Another bad is that if we take away our freedom of speech, we get less say - and the power handed to a privileged few, aka "your" chosen government.
Internet gave us a lot of freedom. We could exchange information faster than ever before, play games with our friends overseas, book travels and earn money no matter where you were in the world.
But it also blinded us, with information this fast, there was no time for peer reviews of the news, what source can you truly trust? "Likes" almost became the new "law". Getting likes was almost like the new religion, and never mind the reliability of the actual sources, just as long as a bunch of likes came along, and the rest thought "meh...might as well join the crowd", and what crowd? These are just numbers. A very real but dangerous development.
Time to take a step back - and understand that we should keep this technology free, putting too many locks on it also censors our freedom of speech, but security starts with us, we need to educate ourselves and not trust everything blindly. Turn off the net, breathe - go out there, say hi to your neighbor once in a while, talk amongst yourselves.
Re: (Score:2)
> "Likes" almost became the new "law".
The Orville even did an episode on that: Majority Rule [denofgeek.com] (aired in 2017) which was a repeat of a Black Mirror episode Nosedive [wikipedia.org] (aired in 2016), which is similar to a Community, App Development and Condiments [wikipedia.org] (aired in 2014)
It's actually worse than that. Security (or the lack of it) -- whether it be public security (prevention of intrusion) or personal security (protecting your rights) -- can be summarized with two phrases and how they are linked:
1. Follow the money, a
Mis-allocated energies (Score:2)
Time spent protecting operating systems from possible bad behaviour of applications is time wasted.
The current state of Operating Systems is akin to having only single phase AC power, but no fuses or circuit breakers anywhere in the system. Because applications are trusted with everything, any bug can result in the wholesale mis-direction of everything down the wrong path. Most (but not all) of our problems with security result from this misplaced trust.
It's probably going to be another decade before capab
Re: Mis-allocated energies (Score:1)
The current state of things is like having fuses designed into equipment, but then finding that somebody has shoved a 30 amp fuse into the holder. I find that from time to time now on equipment I am repairing. Sometimes it causes dramatic equipment failure.
Security is a side effect of good code.. (Score:1)
Re: Security is a side effect of good code.. (Score:1)
Better, but narrowly (Score:2)
Much of the internet is built on a model of reasonably open trust. This proved to not be a mistake, but a particularly galling one, which has required patch after patch.
The problem, as I see it, occurred starting in about the mid 90s. At this point, what the internet actually was, was clear to all. Making assumptions of trustworthiness in 1985 was still quite reasonable: it was possible that all meaningful internet connections were to continue to be monitored for bad behavior manually and actioned when a
Prevent bad things from happening (Score:3)
As a cybersec professional of many years tenure (and now an exec at one of the major firms), I have to admit I've asked this same question many many times. If we didn't need to put so much effort into security, and instead put it into features with direct customer benefits, wouldn't we all be better off?
I think the OP approaches the answer to his question when he refers to preventing bad things from happening. A basic part of engineering is system robustness, resiliency and safety. We don't question the effort we put into assuring those things. We manage, in a variety of ways, the potential impacts arising from possible system failures.
With cybersecurity, we manage in a variety of ways the potential impacts arising from system vulnerabilities exploitable by bad actors. It's work we'd be doing anyway.
anonymity (Score:3)
anonymity and security,
can't have both
if criminals know they will be identified and caught they will be less likely to offend.
Re: anonymity (Score:1)
There is something to be said for working at a really small company, or on a small team secured away somewhere. There is far, far less anonymity, but things are then looser and more free.
The place I am working has a 'news' bulletin that consists of a 'txt' file in a shared network folder. Everybody is expected to open and read and update it every day or so with notepad. The less computer adept have a shortcut to the file on their taskbar. It works because there are only 8 of us in the company. It's secure be
Java Anecdote (Score:3)
It's a rather open ended question, but here's an anecdote to consider. A lot of free and open-source software is written in Java. However, our security administrator set an aggressive policy on Java because of past Java security holes. Java-based applications run about 20x slower than they would without the aggressive scanning done on it by our security software. It makes such software virtually useless. We either pay more for alternatives or go without. (I personally believe the security scanning software that starts with an "M" is poorly designed, but that's another topic.)
I cannot reliably say if our org's policy is too aggressive, because not getting things done may be just as bad as being hacked in the longer run.
Another oddity is that Microsoft is also leaky, but because we need some software to avoid going back to paper and pencils, Microsoft gets a pass that Java doesn't. It's crazy. Sometimes it feels the 90's were more productive because we didn't have to consider security stuff. (That and stupid Web "UI" (non) standards.)
Re: (Score:2)
Re: (Score:1)
I'm talking a big org. I don't control OS decisions.
Re: (Score:2)
Worse, IMHO (Score:2)
Everyone has failed so hard at the first three levels of OSI through shitty programming that they rely upon several more layers of OSI to cover up for even shittier programming now.
Security comes through good programming practices, thorough testing, and sticking to KISS ideas.
Security as a pretext for surveillance (Score:2)
The problem with security is that it's used as a pretext for surveillance and spying. We get backdoored CPUs so our data and devices are no longer under our control. All in the name of security.
I'll choose freedom over security any day.
What About Food? (Score:2)
This is obviously important, and I don't necessarily see it as a distraction, but rather a complex problem that has some added thrill to being solved. I can't help but wonder though if I (and my species) would have been X times more productive or have come up with some amazing new culture or technology, if we didn't have to deal with obtaining agricultural products.
In a utopian world, where there are no metabolic processes, we would have likely forfeited many of the farms and fisheries that have been put into place to prevent starvation from happening. So my question is -- are we more technically advanced because of the thoughtfulness that has gone into creating these systems?
Or are we just losing precious resources and time dealing with the necessity of fending off starvation?
Point being: OP is a euphoric tard. Security is a natural consequence of game theory, you might as well stop coding if you don't want to deal with it. It's no different than food or water for base survival - it's a result of existence.
Better off than with guns ... (Score:2)
... that's for sure.
https://youtu.be/0rR9IaXH1M0 [youtu.be]
In other news (Score:2)
Cars would totally be much cheaper if we could make them from cardboard or something and like do away with brakes and all that shit.
Betteridge's law of headlines: (Score:2)
No. And in this case "no" means you really shouldn't be asking this kind of question. The world is not better or worse, a specific application is, a specific scenario is.
Re: Betteridge's law of headlines: (Score:1)
Security measures and amazing new concepts or feat (Score:2)
No, security has to be baked in at the design stage and would have no deleterious effect on the implementation of amazing new concepts or features. It's patently obvious that in the rush to get out new features the innovators failed to come up with a design that can't tell the difference between
Re: (Score:2)
NOTHING can tell the difference between
1> a program deliberately written to do something bad,
2> a program that does something bad by mistake
To make this determination requires solving the halting problem. You can not pre-determine the intent of a non-trivial program. This is the root cause of most computer security issues.
What you can do, is to pre-determine which side effects of running the program you are willing to allow. Most systems place NO limits on side effects of a program, however capabili
Who are the perilous few? (Score:1)
Re: Importance of human intel (Score:1)
The places where shrill and paranoid 'high tech security' are mandatory tend to burn themselves up.
Over time, secure and well adjusted people will come along and build anew on the scorched patches of land.
Some would say that containment and provision of weapons and combustibles to the 'problem spots' is a sufficient means of correction.
Utopia means NOWHERE (Score:2)
And NOWHERE is there a lack of bad actors.
What a spectacularly stupid question.
Re: Utopia means NOWHERE (Score:1)
Re: Utopia means NOWHERE (Score:1)
Utopia means never bothering to ask about those really old skeletons over there. Obviously reality self-corrected itself.
Re: Replacement for TCP/IP (Score:1)
'More complex' can be the answer, but simplification also sometimes works.
Tearing out unneeded layers can improve security.
A piece of 'scorekeeping' equipment I work on for a sporting activity transmits to large displays for spectators and a judge's stand receiver. Originally I wondered why there wasn't more security in place, it just uses vanilla zigbee radio channels. Then I noticed that the communication protocol is simplex... and only the instrument that makes the actual measurement has transmit capabi
Technological Darwinism (Score:2)
Since then, technology and its security systems have evolved dramatically. But so has hacking. Tools stolen from the NSA are now in the hands of those they were fighting. One has t
Re: Gaming has more investment, more of a WASTE o (Score:5, Interesting)
Bull. Music, art, dance, board games - these things exist in practically every culture in the world, and have for at least several thousand years. Poverty is no great impediment to entertainment. Even in our hunter-gatherer days it's estimated that the average person only spent a few hours a day in survival-oriented activities. Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.
Re: (Score:3)
> Abject poverty, along with the idea that anyone should spend more than half their waking life at work, are purely modern constructs of greed-oriented society.
I was with you until that sentence. Abject poverty and spending more than half your waking life at "work" tasks long, LONG predates modernity.
Re: (Score:2)
I'll admit I use "modern" in a somewhat long-viewed sense. But estimates are that our hunter-gatherer ancestors averaged about 3-4 hours per day on survival-oriented tasks - we were truly the kings of the animal world. Agriculture changed that considerably - but even agriculture involves long months of relatively idle time to counterbalance the crunch of planting and harvest.
Re: (Score:2)
The fact that you had time to post that waste-of-space comment of yours proves that you are one of the "pampered first worlders".
Re: (Score:2)
Warner Bros and Disney will keep pumping out movies while the people who work on it are slowly drained of their time and wealth by the companies they work for, and the people who buy the worst of their products will keep producing "a market" for that slop.
Worse than that, Disney keep selling the same movies again every few years, each time targeting new kids with the same old crap rather than making any effort to create any new content.
Re: (Score:2)
Sure it's a timesink - but there's no need for constant labor, it'd be a complete waste. We could give every person on the planet adequate food, shelter, and medical care using only a small fraction of the current global productivity. After that, pretty much everything else is about either increasing future potential or entertainment.
Re: Gaming has more investment, more of a WASTE o (Score:1)
If only that were true.
A very small portion of global spending goes to entertainment.
Simple objectives don't meet simple methods to obtain them. You know how much time is wasted handling paper records? Well electronic ones solve that, but require industry to support them. It's actually a net positive but it diversifies the workforce.
We no longer spend most of our time farming, but to say the extra work is unnecessary is too simple minded.
Re: (Score:2)
Everything beyond food, shelter and (arguably) medical care is by its nature unnecessary. *Desirable* maybe, but not necessary - and thus I would group it into some form of entertainment - science (satisfying intellectual curiosity = entertainment), dining out (spending less time cooking, more time focused on company = entertainment), etc. And of course, lots and lots of busywork that produces very little of value other than jobs to keep people fed, and could be eliminated without any loss so long as the P