Far more than security. Most of society is built on the honor system.
In half-full bar at an hour when there isn't a bouncer (usually before 9pm in NYC), the only thing keeping twenty or thirty people from pouring their own booze for free is a large slab of wood and a person behind it. The name tags and maybe a counter do the same thing at a retail store with one or two checkout people.
Society is almost entirely built on a simple trust system and the fear we've built into ourselves of the repercussions for going against societal norms.
I would hope that it's also a mutual respect for others work as well. I don't refrain from theft because I might get caught but because society functions because of a mutual respect for their work.
This is partly why we have such a business problem in finance and the media, both severely lack mutual respect between parties.
Mutual respect is merely a social norm, and a desire not to break "mutual respect" is a reflection of the natural human pressure to avoid breaking social norms.
Agreed. Societal norms are needed to build the trust required for all large enough groups to function efficiently. This is why there is less crime in mono-cultures: everyone is a member of the same social order. The danger is that agents outside of the particular social order (hackers in this case) aren't bound to the rules within that social order.
Maybe we should have TV shows like this, I can't help but feel anything that gets the general public a bit more aware about how this stuff really works and makes them more suspicious about "bad" practices is a net win. Not to mention that if it had some pretty good writers it would make for quite compelling TV. I'm thinking something in the Crime genre, maybe like CSI?
I would watch it too but only if it was 100% BS-free. Simplified, fine. I would even stand for a fair bit of handwaving. But it all needs to be possible.
The words of Sherlock Holmes are apropos: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth."
It doesn't have to be like that though, your focusing on the parts that just wouldn't be interesting enough to get air time.
I was thinking about it more in terms of a show where a fake independent group get called in to deal with security situations. A corp getting hacked repeatedly and they have to deal with it. Being called in to audit security and finding illegal activities, etc.
If you sit and analyse real processes like the judicial system, or actual crime scene investigation or corporate law, or hospital systems. You rarely find things that make for immediately interesting and compelling television. However that hasn't stopped very successful tv shows being produced that are about these areas. Mostly because these shows focus on the people and issues than the system.
I'm only saying that it should be possible to create a entertaining tv program that does highlight the issues in this area. Greater public awareness here can't be a bad thing. :)
People find culture fascinating and any show which can present new cultures and institutions in an easily digestible fashion will be popular.
With the "easily digestible" part in in mind I would have to disagree that there is room for a show about software security, The IT crowd is about as close as you are going to get. Obviously I would love for a West Wing or The Wire-esque show in this area but we know how popular they turned out to be.
at first i thought this was just the standard party line. but then i got to the part that describes how i develop over-complex systems just so that i can charge more, and i realised just how deep the insight was.
then an amazing hn-libertarian-market-forces thought hit me: why not have a market for software, where people have to pay for it? and then competition would push the people that make over-complex software out of business.
of course, if that happened, then the world described in the article would be replaced by a different one: one where no-one wants to spend money on things that don't immediately show a profit. like security. but that would be a different article...
Exactly. The article was quite interesting up until the introduction of the trojan kitten that systems are only overly complex because the people who build them need to justify spending 40 hours a week in a cubicle to build them.
Systems are complex because the world is complex. If it could be done simpler, faster and more secure, it would be done simpler, faster and more secure.
>If it could be done simpler, faster and more secure, it would be done simpler, faster and more secure.
With imperfect information, an optimal market cannot exist, security and complexity is one of those things that is very hard to assess before, and even after a purchase.
Except the 'market' for software is not comparable to any other real market because it is built on so called "Intellectual Property" which is basically government granted monopolies.
This is again one of the reasons why complex software 'wins' in the 'market': more complex software over which you have a monopoly increases lock-in.
Add in software patents, and real competition in this 'market' is almost impossible.
I don't know what this would solve, since many of the most grave vulnerabilities in big company networks are in software those companies wrote themselves.
We don't need to pad our work. Two e-mails a day, updating the requirements document (sometimes in contradictory ways, sometimes in self-contradictory ways) is enough to turn a two-week CRUD app into a six-month application.
No network of any reasonable size/complexity can keep out a focused attacker. If you think yours can, you are wrong.
Today's threat models are dominated by the criminal, opportunistic attackers looking for user information or computing power. Real discussion and countermeasures for focused attacks are severely lacking.
Governments know this. CISOs know this. They speak of it privately to each other, but rarely in public because the issues are so sensitive. Messaging from industry is dominated by the vendors who both have significant equities in the "we're secure!" message and speak very narrowly about the security of their applications, but rarely/never about the collection of those applications into these beasts we call networks.
Posts like this are becoming more commonplace, but neither industry nor academia are making tangible strides to solutions. If you want a startup idea, focus on security and go disrupt.
Good luck with that. Security is lousy with product startups.
The opportunities for technical disruption are clearly there.
But no sector outside Business Process Software like SAS and Oracle has so much built-up institutional knowledge of how to run direct sales and marketing to enterprise customers as security. The crappiest me-too products are weaponized for enterprise sales 6 months before they're launched.
The noise is incredibly annoying. There's no industry-accepted way to distinguish between a security expert and the guy with the A+ cert. We really need to raise the bar and instuitionalize better standards.
Your points re: difficulty of enterprise sales are hard-learned, I assume. My intuition says there's an opportunity to exploit there, given the disconnect between users and industry. Of course, the same is true of cell providers, but no one has managed that one yet either.
The one disruptive approach I've seen work over the last 10 years is open source.
There are early adopters and there are influencers. But in enterprise sales, they're rarely the same people.
Among 2000 billion dollar enterprises, there are perhaps 20-30 with strong security teams with the bandwidth to truly engage with new technology (as opposed to simply running a bakeoff and deploying a product in a category that a trade press magazine says is important). Those are influencer early adopters.
Open source allows you to release something early and maybe catch the attention of those influencer early adopters. A scrappy sales team that can take a meeting with a new customer and put a couple F-500 deployments on the logo slide because they've got Github followers has a shot at getting pilot deployments.
Open source is also "free", in the sense that enterprises can't not spend money on software; deployment decisions follow purchasing decisions, not the other way around, so the drumbeat of technology at an enterprise is purchase orders. Try hard to give your software away at an enterprise; nothing will happen until you give them a way to pay you money.
One idea for startups: http://simplecybersecurity.com
I'll be publishing exactly what steps have been done to each AMI and blogging about improving security of individual products. Still half stealth as the landing page isn't exactly optimized.
It's a system in which most participants have a vested interest in the system itself working with integrity as a whole, and a substantial downside cost of being caught.
While single-round shorting of a system is highly feasible in many systems, an iterative game (there is more than one round being played) means that cheaters have to contend with the possibility of detection and retaliation. This is what keeps many meatspace systems largely honest: it's a restricted domain, biological socialization tendencies work fairly effectively (even a large city can have a "small town" feel), and reputations matter.
In the online/digital space, complexity throws most of this to whack. Any public IP is exposed, largely equivalently, to any other public IP. Attacks are generally launched through compromised systems, and those systems themselves have little reputation risk (Joe/Jane Sixpack's WinXP box doesn't particularly care if it's considered "untrusted" by small segments of the Internet).
The complexity of systems being defended makes detection of attacks in realtime (and distinguishing these from self-inflicted damage) difficult. Most attacks, if detected at all, are detected well after the fact. The noise level of constant low-grade attacks has to be factored in (or more likely: ignored). And it may be a slight escalation of an otherwise largely benign attack that takes down a system -- too high a hit rate on an expensive query, resource exhaustion, cascade effects.
Complex attacks (like complex systems) are prone to failure. Your attacker is also most likely going to KISS -- unless she has a very specific and high-payoff interest in your systems (say, Stuxnet / Duqu).
The main difference between online and physical security systems is that honor and socialization systems don't work nearly as effectively. There are measures which can help resolve this: while the Internet is vast, its infrastructure is highly concentrated among a small number of firms and entities: major routing centers, backbone links, registrars, hosting centers, and payment processors. Countering attackers at any of these points can be effective, though this usually comes with significant friendly casualties.
I'd call the premise of the article flawed, and I don't watch TV.
29 comments
[ 3.1 ms ] story [ 59.7 ms ] threadIn half-full bar at an hour when there isn't a bouncer (usually before 9pm in NYC), the only thing keeping twenty or thirty people from pouring their own booze for free is a large slab of wood and a person behind it. The name tags and maybe a counter do the same thing at a retail store with one or two checkout people.
Society is almost entirely built on a simple trust system and the fear we've built into ourselves of the repercussions for going against societal norms.
This is partly why we have such a business problem in finance and the media, both severely lack mutual respect between parties.
You can make claims about why you express mutual respect, that doesn't make it the only reason why someone might do so.
Heck, I'd watch it! I might learn something =D...
The words of Sherlock Holmes are apropos: "Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth."
(sorry for the reddit-esque share, originally there. But it's relevant and accurate)
I was thinking about it more in terms of a show where a fake independent group get called in to deal with security situations. A corp getting hacked repeatedly and they have to deal with it. Being called in to audit security and finding illegal activities, etc.
If you sit and analyse real processes like the judicial system, or actual crime scene investigation or corporate law, or hospital systems. You rarely find things that make for immediately interesting and compelling television. However that hasn't stopped very successful tv shows being produced that are about these areas. Mostly because these shows focus on the people and issues than the system.
I'm only saying that it should be possible to create a entertaining tv program that does highlight the issues in this area. Greater public awareness here can't be a bad thing. :)
With the "easily digestible" part in in mind I would have to disagree that there is room for a show about software security, The IT crowd is about as close as you are going to get. Obviously I would love for a West Wing or The Wire-esque show in this area but we know how popular they turned out to be.
then an amazing hn-libertarian-market-forces thought hit me: why not have a market for software, where people have to pay for it? and then competition would push the people that make over-complex software out of business.
of course, if that happened, then the world described in the article would be replaced by a different one: one where no-one wants to spend money on things that don't immediately show a profit. like security. but that would be a different article...
Systems are complex because the world is complex. If it could be done simpler, faster and more secure, it would be done simpler, faster and more secure.
With imperfect information, an optimal market cannot exist, security and complexity is one of those things that is very hard to assess before, and even after a purchase.
https://en.wikipedia.org/wiki/Market_for_lemons
I think purely from personal experience, what you are saying is absolutely untrue.
This is again one of the reasons why complex software 'wins' in the 'market': more complex software over which you have a monopoly increases lock-in.
Add in software patents, and real competition in this 'market' is almost impossible.
How about the publishing industry for books, movies, games, and other media?
How about the pharmaceutical industry where lock-in is due to patent rights?
(Also, people trying to pad their work exist, but are not the chief cause of software complexity.)
Today's threat models are dominated by the criminal, opportunistic attackers looking for user information or computing power. Real discussion and countermeasures for focused attacks are severely lacking.
Governments know this. CISOs know this. They speak of it privately to each other, but rarely in public because the issues are so sensitive. Messaging from industry is dominated by the vendors who both have significant equities in the "we're secure!" message and speak very narrowly about the security of their applications, but rarely/never about the collection of those applications into these beasts we call networks.
Posts like this are becoming more commonplace, but neither industry nor academia are making tangible strides to solutions. If you want a startup idea, focus on security and go disrupt.
The opportunities for technical disruption are clearly there.
But no sector outside Business Process Software like SAS and Oracle has so much built-up institutional knowledge of how to run direct sales and marketing to enterprise customers as security. The crappiest me-too products are weaponized for enterprise sales 6 months before they're launched.
It's hard to break through the noise.
Your points re: difficulty of enterprise sales are hard-learned, I assume. My intuition says there's an opportunity to exploit there, given the disconnect between users and industry. Of course, the same is true of cell providers, but no one has managed that one yet either.
There are early adopters and there are influencers. But in enterprise sales, they're rarely the same people.
Among 2000 billion dollar enterprises, there are perhaps 20-30 with strong security teams with the bandwidth to truly engage with new technology (as opposed to simply running a bakeoff and deploying a product in a category that a trade press magazine says is important). Those are influencer early adopters.
Open source allows you to release something early and maybe catch the attention of those influencer early adopters. A scrappy sales team that can take a meeting with a new customer and put a couple F-500 deployments on the logo slide because they've got Github followers has a shot at getting pilot deployments.
Open source is also "free", in the sense that enterprises can't not spend money on software; deployment decisions follow purchasing decisions, not the other way around, so the drumbeat of technology at an enterprise is purchase orders. Try hard to give your software away at an enterprise; nothing will happen until you give them a way to pay you money.
It's a system in which most participants have a vested interest in the system itself working with integrity as a whole, and a substantial downside cost of being caught.
While single-round shorting of a system is highly feasible in many systems, an iterative game (there is more than one round being played) means that cheaters have to contend with the possibility of detection and retaliation. This is what keeps many meatspace systems largely honest: it's a restricted domain, biological socialization tendencies work fairly effectively (even a large city can have a "small town" feel), and reputations matter.
In the online/digital space, complexity throws most of this to whack. Any public IP is exposed, largely equivalently, to any other public IP. Attacks are generally launched through compromised systems, and those systems themselves have little reputation risk (Joe/Jane Sixpack's WinXP box doesn't particularly care if it's considered "untrusted" by small segments of the Internet).
The complexity of systems being defended makes detection of attacks in realtime (and distinguishing these from self-inflicted damage) difficult. Most attacks, if detected at all, are detected well after the fact. The noise level of constant low-grade attacks has to be factored in (or more likely: ignored). And it may be a slight escalation of an otherwise largely benign attack that takes down a system -- too high a hit rate on an expensive query, resource exhaustion, cascade effects.
Complex attacks (like complex systems) are prone to failure. Your attacker is also most likely going to KISS -- unless she has a very specific and high-payoff interest in your systems (say, Stuxnet / Duqu).
The main difference between online and physical security systems is that honor and socialization systems don't work nearly as effectively. There are measures which can help resolve this: while the Internet is vast, its infrastructure is highly concentrated among a small number of firms and entities: major routing centers, backbone links, registrars, hosting centers, and payment processors. Countering attackers at any of these points can be effective, though this usually comes with significant friendly casualties.
I'd call the premise of the article flawed, and I don't watch TV.