A Secure Software Reality Check

Chris Wysopal, aka “Weld Pond”, wrote about the recent DDoS attacks against South Korea and argued that the root cause is that we have an insecure software ecosystem. Chris is spot on with this statement and he brings up an interesting analogy:

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure. Each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers.

I think the analogy he uses is great, but not for the reason he uses it. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2 MPG? Runs on baby seal blood? Who cares?

This is exactly the same with computer security. We talk a lot about “securing cyberspace” and the government pushes lofty goals about treating our “digital infrastructure… as a strategic national asset”, but the outcome is no different. Most people don’t want to have secure software. They want to have their Bonzi Buddy and their 3D Dancing Pigs on their website. The software has a horrible security track record? It requires tons of security settings to be disabled on the computer? Your entire HR system uses Microsoft Access as a back end? Who cares?

Chris is right. We need to make EVERYTHING secure. Every operating system, every application, every library. This is nowhere near an easy fix. Ideally we need to start the software industry at tabula rasa and start everything from scratch. It is possible: just look at OpenBSD. However, we are not going to be able to convince anyone to start taking these steps until we start making a gigantic culture change starting from the ground up. Aunt Ethel and Uncle Mortimer need to start understanding that they are doomed in the current environment and start demanding their software be secure. Companies need to stop dealing with vendors that have repeated security problems. In-house staff need to be trained in secure computing practices. Computer science students need to be taught about secure coding methods. This needs to be EPIC. However, until then, we are all going to be stuck on the hamster wheel of pain by dealing with massive botnets, scrambling to patch zero-day vulnerabilities, and holding our breath waiting for the next “big one.”

How do we make it so we can escape? I have no clue and I doubt anyone else does either. The only thing I could see possibly breaking us out is everything going up in a giant cloud of smoke. All the cyberwar pundits are correct and we have a massive attack on our infrastructure. Blackouts! ATMs Jackpotting! Computers turning into Bombs! Dogs and cats, living together! Mass Hysteria! Only then will we learn the error of our ways!

Of course the pessimistic side of me says that we’ll still want our Bonzi Buddy and 3D dancing pigs.

(On a tangent, did you know Weld Pond was 43? I feel old now.)
