August 5th, 2024

Computer Security Is a Political Struggle

The digital landscape is increasingly controlled by a few, leading to political struggles over technology. Cybersecurity issues reflect deeper political failures, necessitating a collective response to reclaim digital rights and security.

digital landscape, leading to a situation where technology serves the interests of a few rather than the many. This has resulted in a political struggle over control of technology and its implications for society. The current state of cybersecurity reveals that the issues at hand are not merely technical failures but deeply rooted political failures. The reliance on outdated systems and the inability of authorities to address the underlying problems have led to a culture of apathy and frustration among users. The Internet, initially envisioned as a level playing field, has devolved into a tool for manipulation and control, with major corporations prioritizing profit over user security and privacy. This has created a digital environment where individuals are constantly surveilled and manipulated, leading to a sense of helplessness. The struggle for a functional civic technology that serves the public interest is ongoing, as the current model fosters a self-devouring cycle of insecurity. The monopolistic power of tech companies has rendered traditional regulatory approaches ineffective, leaving users vulnerable. As society grapples with these challenges, it becomes clear that the fight for digital rights and security is not just a technical issue but a fundamental political struggle that transcends class and privilege, affecting everyone in the digital age. The need for a collective response to reclaim control over technology and ensure it serves the public good has never been more urgent.

Related

The hacking of culture and the creation of socio-technical debt

Algorithms shape culture, dividing it into niche groups. "A Hacker Manifesto" by McKenzie Wark discusses hackers' influence on power dynamics, emphasizing free information. Tech giants like Facebook and TikTok wield immense cultural influence, blurring propaganda and personalization boundaries. Corporate dominance in culture hacking alters global power structures, challenging governments' regulatory capacity.

Overthrowing Our Tech Overlords

Yanis Varoufakis explores technofeudalism's impact, emphasizing control by big tech and loss of autonomy. He proposes democratized companies to counter this trend, urging a revolution for individual liberties.

Why privacy is important, and having "nothing to hide" is irrelevant (2016)

Privacy is crucial for democracy, eroded by global surveillance. "Nothing to hide" argument debunked. Mass surveillance harms freedom, leads to self-censorship, and risks misuse. Protecting personal data is vital.

Dan Geer on CrowdStrike: It Is Time to Act

The article highlights cybersecurity challenges amid global outages, emphasizing the need for integrated security policies, redundancy in systems, and proactive measures to prevent silent failures and vulnerabilities in technology.

Technology's grip on modern life is pushing us down a dimly lit path

A global technology outage caused by a CrowdStrike software update exposed vulnerabilities in interconnected systems, prompting calls for a balance between innovation and security to enhance digital resilience.

12 comments

By @MSFT_Edging - 4 months
> We are struggling with a broken model of "security" and the emergence of a global insecurity industry.

I have a take that isn't too close to the focus of this article, but there is a big underlying point.

There are known vulnerabilities in consumer and enterprise tech that are purposefully not closed in order to maintain a tactical advantage. Consider the tech used to break into phones, Pegasus. This is a highly visible peak of an iceberg in an otherwise massive industry of finding and weaponizing vulnerabilities that can have real world consequence, see WannaCry.

This is both hugely political, and not political at all. It's almost a guarantee that a nation-state with cyber resources will use said resources to find a tactical advantage and constantly lob attacks back and forth. Each side will loudly exclaim "Look they're hacking us!" while staying quiet on their own attacks. You can set your watch to it.

Basically any government is spending vast resources to find vulnerabilities and keep them open, which makes everyone less safe. Coupled with the constant war on encryption, gov sponsored "Cyber" is a money pit for hawks that wish to start trouble.

By @Buttons840 - 4 months
We need strong legal protections for security researchers. "Red teams" should be protected so long as they responsibly report their findings and they should be given the benefit of the doubt. Security researchers should even be allowed to test the security of systems without permission.

This is a matter of national security, and personal security. Why can't I personally test the security of my bank? Why can't I ask an organization I trust to test the security of my bank?

Currently we threaten to jail security researchers if they go so far as to press F12 and inspect the HTML source of a webpage. The personal data of half the nation is leaked twice a month. Companies have no financial incentive to build secure systems. Despite all this, we will be surprised when our critical infrastructure goes down and wonder "what more could we have done?"

We sacrifice national security for the convenience of companies. Companies don't want researchers reporting the poor security of their systems. We allow companies to tightly control how their systems are tested, while also holding that companies are not liable for the security of their systems. When it comes to corporate security, they can have their cake and eat it too--they have authority over their systems but are not responsible / liable for their systems.

By @ThinkBeat - 4 months
Is there a trustworthy source for this claim¹ the post makes?

It does not conform to what I see today, nor the plans I see for the future when it comes to governments' use of software.

¹ "Thankfully the political systems of Europe have started to wise-up and stand-up to US BigTech hostility and have mandated that all software used for public services, government and state apparatus must be Libre open source code that is auditable, verifiable and under control of the people."

By @mikewarot - 4 months
>We can't look to history for guidance.

Sure we can. When's the last time a defective toaster took down a major power grid?

Never. Because we don't place all of our trust in every appliance plugged in everywhere. We haven't done anything like that in more than a century.

Equivalent mechanisms exist for computing. They can be made equally easy to use.

We simply lack the will to upgrade everything and are willing to band-aid everything forever instead.

By @jmull - 4 months
This kind of apocalyptic manifesto concerns me on two fronts...

One, it makes me worry about the mental health of the author. They are clearly really not having a good time living in our reality, and I hope they can find a way to relieve the suffering.

Two, I hope no one else gets caught up in it. There are a lot of strong words and claims but nothing remotely actionable. It's pushing pure panic/fear/angst.

CrowdStrike is just a company that is strong on sales/marketing but weak on tech, who found a market that requires you to be strong on both. I don't think there's anything wrong with such companies existing, but it seems clear they should never be in a position to break everything. The fix could be the market, regulatory, and/or technical. There are tradeoffs, so we probably need to work through the arguments of different approaches and different combinations of approaches.

By @oneplane - 4 months
This article is fundamentally missing the point of why computer security is incomplete: even if we wanted to, we are currently not able to make useful systems that are also secure to the degree that the current user base is still able to use it.

We don't need to "work on keeping it insecure", the entire industry produces bad software just fine, no active planning required. Hanlon's razor applies, even if there are a double digit set of examples where a backdoor (or similar) was added. Especially when you consider that next to the backdoor the front door is wide open anyway.

By @petermcneeley - 4 months
>"The sooner we stop pretending these are technical problems and start speaking the truth about the fundamental political problems..."

The problem is that cyberspace was designed to be apolitical [0]. Power abhors a vacuum and as such the traditional powers (gov/corp) once again reign supreme even in cyberspace.

[0] https://www.eff.org/cyberspace-independence

By @dosinga - 4 months
The struggle of hacker against hacker is a what struggle?

By @proMETHeus69 - 4 months
Fire is technology. It can be used well to serve us or can be used to destroy us. Consider the current phase of tech as early humans with fire sometimes accidentally (or on purpose) burning down their environment yet at the same time making food more accessible. We must create the fireplace, boiler, forge of technology and rules to produce and consume it safely or else we will continue to be burned as a human race. I am optimistic we will wrangle this problem how we did thousands of years ago for fire. Baby steps.

By @dash2 - 4 months
After reading half of this long, dramatic screed, I realised I had not been told a single new fact. I’ll skip the second half.

By @Chiba-City - 4 months
Great article. Read all of it twice. Don't fixate on one or two sentences.

I once worked in Fed Govt IT system. Remember the 2015 OPM (Office of Personnel Management) data breach? If not, read up on that (use a search engine). Over 22 million government personnel records were released into the wild. The Wikipedia article "blames China," but some folks told me that multiple agency personnel and multiple agency contractors had simply put everyday Fed Govt OPM spreadsheets on everyday Web sites to make them easy to share.

"Experts" rarely grasp the everyday 1. incompetence, 2. indifference, 3. recklessness and 4. even corruption pervasive across and thriving in all our "elite institutions."

We need to take Robert Solow's Productivity Paradox (look it up) very seriously. All the incentives line up for "experts" to sell more things and sell newer things. But we are often (always?) selling bandaids for the previous bandaids, while users (customers) are swallowing birds to catch the spiders to catch the flies. Solved problems cease being problems. That's sadly bad for the IT business.