Security vulnerability #1 is hubris

Once upon a time there was an amoeba, and zap, millions of years later we have human beings.

Not the greatest living beings, but very good at adapting and making tools.

And funnily enough we are not perfect; since our brain has a limited capacity for memory and analysis, most of our reasoning is done by simplifying, abstracting, forgetting details to focus on the big picture, and sometimes doing the opposite.

In doing so we get very proud of our creations, and maybe too proud. Human logic is strongly biased by emotions, with the biased person strongly ignoring them.

Humans are imperfect, and so are our tools and abstractions.

We are easily confused, but due to Moore's law we are required to remember increasingly long and numerous credentials.

We are so proud of our tools, which we think are better than us, that we entrust mechanical turks with our secrets, bank account numbers, IDs. But remember that there are humans with physical access to the computers, the RAM, the hard drives, the screen. Yes, a screen can be photographed and leaked without triggering a single alarm in software. A camera can be used to watch you type your PIN code...

And also, at some point trading requires a physical delivery. What is the use of a globalized economy if your expensive electronic gadget made in a sweatshop does not get delivered to your house?
Delivered by someone so poor that he or she has an incentive to steal it, because it is worth more than days of his or her own wages. This is also part of the vulnerability surface.

Still, we are bad at seeing the world. Most security threats are about software, but the most efficient attacks come from humans.

When passwords are too long to remember, people will write them down, and physical attacks will become worthwhile.

When software is too complex, the dev/integrator may discard the complex parts, because their project manager also did so under time-to-market pressure. Solving a problem by ignoring its complexity is not incompetence; it is just that we have imperfect knowledge on which we base binding business decisions. Or the person in charge may be overconfident and trust the project manager's obviously wrong claim that an NP problem can be solved easily.

Compared to the rest of the population, coders live in a bubble of insane work conditions (don't get me started on this one), lack of diversity and economic security. Having a correct mental picture of who your users are is important: they can be blind, deaf, colour blind, poor, old, or not share the exact same understanding of your culture...
Users can misuse software not out of malice but by being like every one of us: different from what the coder imagined. In doing so they expose themselves to threats, and indirectly expose the environment in which your software runs.
Coders can be interrupted all the time, overloaded with noise (like meetings and bikeshedding), with technological religious wars distracting them from the problem at hand. They might be experiencing a crunch and a lack of sleep.
The manic, busy industry standard of workplaces does not help; it is toxic.

Our complex software often requires workarounds. Degraded behavior of software is the norm. Imagine if planes were like software: it would be as if we casually expected engines to catch fire while we are on board. Our concerns about quality are slipping because we have always experienced poorly working software as the norm.

Thus we overpromise and underdeliver in a virtuous circle of something we call progress, creating a huge industry of patching broken software on the fly, the security business being one of this kind. Imagine you bought a non-functioning car and found it normal to pay an external company to add extra soldering and a firewall for it to be safe.

In the computer industry, this is the normal state!

Our excessive pride is reinforced by our commercial successes, which are due to network effects and natural lock-in but which we see as proof of our natural genius.

Being used to anticipating catastrophes (I left Linux 3 years ago because of systemd and I am glad of it), I also notice that the IT crowd is the weakest link in security: their intuition is wrong, and they are so proud of their work that they over-trust other people's work. They pat themselves on the back so much, and shut down all the pessimists, that they make poor decisions on complex infrastructural choices, trusting themselves and everything new. They think they are over-informed. They are over-exposed to noise, and they live far away from the population.

"It's new, thus it must be good" has become a mantra since web 2.0. Valid approaches are being discarded as too old. It is a rush forward on immature technology, thinking that unknown risks are equivalent to no risks, and trusting the process of growing and patching endlessly.

This is hubris.

The IT industry is the biggest security threat to our world, because physical locks, physical security, economic transactions, medical devices and cars depend increasingly on people who deny any legal and financial liability for the results of their actions and rush forward like headless chickens.

This is insane. We should finally begin to make laws requiring the software industry to be liable for its work, and make class actions by software users easier, to let the market get rid of the bad apples. Let the market be a free market, and in a free market we get rid of the bad apples by making them financially liable for the losses they caused.

That is the only way we will not head for a second internet bubble explosion.
