OSDev.org

The Place to Start for Operating System Developers

All times are UTC - 6 hours

 Post subject: Engineering for active threats versus passive ones
PostPosted: Thu Aug 09, 2018 9:11 am 

Joined: Fri Oct 27, 2006 9:42 am
Posts: 1308
Location: Athens, GA, USA
I was already thinking of linking to yesterday's XKCD here, but it was something on the Explain XKCD wiki page for the comic that really caught my attention, as it put into words something that is rarely said so clearly.

First, the cartoon in question:
[Image: the XKCD comic referred to above; not reproduced here]

The part of the explanation that caught my eye was this:
Quote:
This is a result of a fundamental difference between computer security and other types of safety measures -- in cryptography, there is always somebody trying to undo what you've built. Not only that, but new advances in cryptography tend to point out vulnerabilities with previous versions, making them not only obsolete, but dangerously so.


This is actually a very big point that I think everyone sort of knows, but few really take into consideration in such a lucid fashion. It is as if every bridge designer had to include active protections against an army of saboteurs who not only could but invariably will be actively trying to bring the bridges down, every day for as long as the bridge stands - some of whom aren't targeting the specific bridge, just randomly targeting any bridge they find.

This leads to a situation where even game developers have to take a stance closer to military counter-intelligence than entertainers. It colors the entire field in a way which is so pervasive that it fades into the background, yet most developers ignore the topic, blithely assuming that the operating system and development tools will protect them, despite (or perhaps because of) the fact that no software can fix the biggest security risk - human nature and the strong possibility of the users being careless, ignorant, tired, intoxicated, greedy, gullible, or in some other way vulnerable to social engineering tactics.

Discuss.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
μή εἶναι βασιλικήν ἀτραπόν ἐπί γεωμετρίαν
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 Post subject: Re: Engineering for active threats versus passive ones
PostPosted: Thu Aug 16, 2018 3:22 am 

Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7265
Location: Germany
Even the XKCD wasn't as lucid as it could have been.

Modern aircraft are incredibly resilient against weather, mechanical failure, etc., but not against someone exploding a bomb to bring them down.

Elevators are protected by multiple failsafe mechanisms. But not against someone intentionally taking out those mechanisms.

That is the one angle.

The other angle is that aircraft and elevators need to undergo rigid testing before getting a type permit (or whatever the English word is...). Software, however, is by definition a one-shot affair -- and, some specific exceptions notwithstanding, there exists neither a formal procedure nor an authority for actually testing it. Not even against simple stupidity (which has been found in more than one computerized voting "solution"), let alone malicious tampering.

What is rigorous testing in the case of airplanes and elevators is replaced with marketing and lobbying by software companies that want to make the quick sale. You basically have to take the manufacturer's word for it.

Aircraft are produced by Boeing, Airbus etc.; elevators are produced by ThyssenKrupp, Mitsubishi, Fujitec etc.; all these companies are interested in maintaining an image of quality.

Name a manufacturer of computerized voting software who's made a name for delivering quality. Anyone? This is a government call for bids we're talking here. That usually goes to the lowest bidder.

My favourite metaphor is a bridge engineer, who has learned the characteristics of steel, concrete, stone etc. while in training, and who can rely on knowledge acquired by bridge engineers over many decades. "Please build a bridge at this location." -- "{doing calculations} The best thing will be a suspension bridge. This will require X tons of steel bars and Y meters of gauge Z cabling. We will have to build foundations that need to be A meters deep and B meters wide. The overall cost will be roundabout THIS, unforeseen problems notwithstanding."

"OK."

Now compare that to a software engineer, who pretty much by definition will encounter something new in every project (because otherwise we'd be using the existing software, wouldn't we?). "Please build this software." -- "{doing calculations that involve a lot of guesswork} The best thing will be technology X. It will require about Y months, including Z months of testing. We should have a probation phase of A months before we can be sure the software works as intended. The overall cost will be roundabout THIS, unforeseen problems notwithstanding."

"No, we already decided on a different technology. It has to be finished in half the time; just skip the lengthy testing, and nobody needs documentation anyway. And you must be kidding about the price; we already made an offer and your budget may not exceed that number. You better get it working or you'll be fired."

See the difference? No bridge engineer worth his salt would work under these circumstances. He'd throw down his slide rule and leave, secure in the knowledge that any other bridge engineer would refuse those requirements as well.

But there is always some software company that says it can do it... and then delivers the equivalent of a rotten plank labelled "bridge".

And all that still doesn't take malicious tampering into account.

_________________
Every good solution is obvious once you've found it.


 Post subject: Re: Engineering for active threats versus passive ones
PostPosted: Thu Aug 16, 2018 8:49 am 

Joined: Fri Oct 27, 2006 9:42 am
Posts: 1308
Location: Athens, GA, USA
So what you're saying is, to quote Peter Welsh, "we don't even worry about [crackers trying to trash your system or steal your information] because another nuke doesn't make that much difference in a nuclear winter"?

I can see that. (Or at least hear it. I doubt you will see the video below, hence the link to it here, but that's OK, because it's just a reading of the same essay.)



I've come to the conclusion that commercial software development isn't a career, it's an abusive co-dependent relationship with a spouse whom you never leave no matter how horrible they are to you because they keep enabling your addiction to awesome hacks and the power trip you get when things actually work.

_________________
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
μή εἶναι βασιλικήν ἀτραπόν ἐπί γεωμετρίαν
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.


 Post subject: Re: Engineering for active threats versus passive ones
PostPosted: Fri Aug 17, 2018 9:09 am 

Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7265
Location: Germany
Or you make yourself a niche and enough of a name in the department that, when you say "nope, not going to fly", your superiors are actually listening.

But it's a handful of work, I can tell you.

_________________
Every good solution is obvious once you've found it.

