Posted by: Ken Harthun
Opinion, Rant, Secure Computing, Security
Complexity, they say, is the enemy of security. Actually, I think it was Bruce Schneier from whom I first heard it. It has come to be one of those “everybody knows” things, however, so it’s irrelevant who first said it. Nevertheless, it’s true. The more complicated the software, device, or campus, the more room for error.
Good security for your stash of cash would be to encase it in a 3′x3′x3′ concrete cube and bury it where no one but you can find it. That’s pretty simple. Of course, this isn’t practical, so we have to look at other means. Enter complexity.
We keep the concrete, but add a sealed access panel. Security hole #1. It’s a little easier to breach now, but still impractical to access, so we remove the sealant and add a lock. But what if we lose the key? Add a hidden back door access panel that only the owner knows about. But what if the owner dies? No problem, have a secret, secret back door that only the manufacturer knows about. On and on, ad nauseam it goes until there are so many “features” to accommodate every possible scenario that all it would take is a six-year-old kid with a big stick to open the “vault.”
Think about it. It used to be that you had to enter data in every field of a database manually. It didn’t matter if you were entering the same thing in a certain field of each record; you had to type it in. These days, you start typing and the software suggests the contents based on your last few entries. Convenient, but those entries are cached somewhere, and unless that cache is encrypted, it’s subject to compromise.
That’s just one “feature” of modern software. As we all know, modern software is all about giving everyone everything they want. And when you try to please everyone (which you can’t do anyway), you make software very complex. When you try to make all of those features play well with each other, you take shortcuts and you make mistakes.
Bye, bye security.
When I was programming back in the day–in assembly language–when you said “jump,” that’s what happened, the program did what you told it to do. These days, when you say “jump,” the program asks you if you really want to jump and suggests that the last command you gave was “leap,” which is almost the same, but not quite.
I know, I’m ranting. I’m tired. And my spell checker just misinterpreted my Latin phrase above and suggested that it was “nauseous.”
I hope I’m not nauseous to people, but right now, I’m a bit nauseated (the correct term for having the feeling of nausea, as in “that nauseates me,” NOT “that makes me nauseous”).
Oh, well. People program the spell checkers, too. And people make mistakes.
Bye, bye security.