Comment by bitcharmer
5 years ago
This. I was not expecting HN crowd to almost universally blame the attackers and fully absolve Funke. It just doesn't make any sense if you have the faintest idea about cyber security in modern age.
5 years ago
This. I was not expecting HN crowd to almost universally blame the attackers and fully absolve Funke. It just doesn't make any sense if you have the faintest idea about cyber security in modern age.
With physical security I can walk around and check it for myself. I can even watch the contractors put it in place. There are several people involved that can spot mistakes.
With cyber security I need to trust that some programmer didn't make a mistake 15 years ago when they wrote the TCP stack in a 12 hour crunch shift because their boss needed to meet a deadline. It's impossible to check for the layman and extremely hard even for experts.
This is a great comparison!
With physical security, you need to trust that the lock designers and manufacturers didn't make material mistakes. It is impossible to check for the layman and extremely hard even for experts. You can watch people install it, but that only offers so much assurance and is limited mostly to their expertise in installation. Further, we know that any lock can be bypassed given enough effort, so we have insurance against theft and maybe additional layers of security (cameras, a fence, watchful neighbors, etc.).
With cyber security your position is similar. You're working with a series of tools, none of which you can trust completely, and most of which have limitations or flaws. You layer them with the goal of increasing the amount of effort requires to breach all your defenses to be too high for your adversaries to want to take on.
In both security domains, the basic positions are the same. Non-experts need to layer imperfect defensive systems atop one another to make successful attacks more difficult to achieve. Risk assessments play an important role in helping people decide how much is enough.
The difference is the scale. While you may have one burglar try and break in, in cyberspace, you could have thousands of state sponsored hackers trying to break in.
A burglar needs to quickly break in, otherwise they risk getting caught. Hackers never get caught. There is absolutely no risk, and high reward.
I still blame the company in the second scenario. Pay a multiple for a secure setup or don't store data, even if that means funding new development when no secure solutions exist. I would like people to take user data so seriously that they would go so far as to develop a new operating system to securely handle it. That should be the burden we put on companies that want to collect data on people.
I think there's a strong incentive for a lot of small-business people and software engineers alike to wholly blame attackers. If it's the attackers fault, you don't have to wonder if your insurance is good enough. You don't have to examine if you keep your software sufficiently patched. You don't have to examine if your company's custom internal infrastructure is resilient or if it's one giant shared CIFS drive full of sensitive customer data without backups.
Often, taking security seriously feels like directing a certain amount of resources for uncertain returns at a domain that feels like it should come for free. Software engineering feels like it is like manufacturing, where you produce artifacts and ship them. It's jarring to recontextualize this as actively engaging in an adversarial, human-driven domain.
Between the two, our fellow users are heavily incentivized to find ways that they and people like them are blameless. It's a way to avoid engaging with what can feel like an impossible problem. Without attackers there wouldn't be any cybersecurity issues, right?
well just previously we had a story where a company was taken to task for how they implemented a test of cyber security by using an email that promised bonus money or such.
such is the issue at hand, the attackers know no bounds and it will take coordination among governments to track them down and hold them or their master's accountable.
this does not excuse the victims of such attacks but even the best efforts of many can be circumvented by the latest method, a careless employee or even a malicious one.
I am sure many have experience having access we routinely expected yanked which felt unfair but also be on the other side of the issue trying to lock down users only to have push back that we went too far; the heartache our support team got in locking out what users could do on their desktop could fill novels