A symphony of failure
August 12, 2015 12:15 PM   Subscribe

Not Even Close: The State of Computer Security: Microsoft's James Mickens gives us a light-hearted survey of the bleak, hideous security present and why things are going to get much, much - much - worse in the future.

From this year's NDC Oslo:

In this bleak, relentlessly morbid talk, James Mickens will describe why making computers secure is an intrinsically impossible task. He will explain why no programming language makes it easy to write secure code. He will then discuss why cloud computing is a black hole for privacy, and only useful for people who want to fill your machine with ads, viruses, or viruses that masquerade as ads. At this point in the talk, an audience member may suggest that Bitcoins can make things better. Mickens will laugh at this audience member and then explain why trusting the Bitcoin infrastructure is like asking Dracula to become a vegan. Mickens will conclude by describing why true love is a joke and why we are all destined to die alone and tormented. The first ten attendees will get balloon animals, and/or an unconvincing explanation about why Mickens intended to (but did not) bring balloon animals. Mickens will then flee on horseback while shouting “The Prince of Lies escapes again!”

Via Boing Boing.
posted by ryanshepard (50 comments total) 43 users marked this as a favorite
 
You're missing the tag:

#WeWillLocateTheMissingBrownAnd
FemaleDiversityPeopleWhoAreHaveingA
FantasticTimeOnTechCompanyWebsites
ButDon'tActuallyAppearToWorkAtThe
ActualCompanies.

If you could get right on adding that, that would be great.
posted by bonehead at 12:30 PM on August 12, 2015 [10 favorites]


I do not think that a von Neumann architchture computer, where code and data are interchangeable, can ever be truly secure, since there will always be a possibility of someone tricking you into running code that you did not realize was code.
posted by thelonius at 12:30 PM on August 12, 2015 [3 favorites]


You also forgot the OH NO tag.
posted by eriko at 12:34 PM on August 12, 2015


James Mickens has been featured here before, with this gem. He's the funniest man in software engineering.
posted by Harald74 at 12:36 PM on August 12, 2015 [2 favorites]


Is a transcript available?

The transcript is only available in Sumerian. Reading it will tangle the proteins of your mindmeat.
posted by infinitewindow at 12:38 PM on August 12, 2015 [9 favorites]


Had to stop the video around the ten minute mark to Google "smart lightbulbs". I did not believe that there were such things as smart lightbulbs. He's right, it's the end times.
posted by Sing Or Swim at 12:38 PM on August 12, 2015 [2 favorites]


It might help if his employer wasn't doing things like this... So not cool MS.

And I *want* to like you.
posted by symbioid at 12:38 PM on August 12, 2015 [2 favorites]


Where is the lie...
posted by odinsdream at 12:42 PM on August 12, 2015


Well, that was actually Lenovo, but MS is configuring Win10 to share you wireless key with your contacts by default, so yeah...
posted by KGMoney at 12:43 PM on August 12, 2015 [1 favorite]


Well - MS is making it possible to do that - Lenovo merely utilized a tool that MS allowed/created.

But yeah... (not to derail this thread)...

Re: the video - When I was a kid - I wanted to have a chip in my brain to communicate with technology, but the older I get and more tech experienced I become, the less I would ever want that to be the case.
posted by symbioid at 12:50 PM on August 12, 2015 [2 favorites]


(Sorry - mild derailing continues...)

Here's a link to the "Windows Platform Binary Table Paper PDF"
posted by symbioid at 12:53 PM on August 12, 2015


Had to stop the video around the ten minute mark to Google "smart lightbulbs". I did not believe that there were such things as smart lightbulbs. He's right, it's the end times.

...I actually like my Philips hue bulbs. More so than the LIFX I backed as well. Being able to type a cli command from my laptop right before I go to sleep to turn off the lights is pretty nifty, as is making a hand gesture over my desk to turn them on.

Switches are for people who still use internal combustion engines, lol.

That said, I'm under no illusions the small scripts I've written are secure at all.
posted by qcubed at 12:54 PM on August 12, 2015 [1 favorite]


I do not think that a von Neumann architchture computer, where code and data are interchangeable, can ever be truly secure, since there will always be a possibility of someone tricking you into running code that you did not realize was code.

In a turing complete system (e.g., every useful computer) there is no way in principle of examining a program to determine whether it has any non-trivial property. This means, for example, that in general there is no way of analyzing a program to determine whether that program is an interpreter (like python.exe) that will interpret data as instructions and follow them (a program that can execute other programs)-- which makes any attempt to segregate data from code impossible.
posted by Pyry at 12:58 PM on August 12, 2015 [8 favorites]


The IoT is a fucking dumb, dumb, dumb pile of marketing-driven shite.
posted by GallonOfAlan at 12:59 PM on August 12, 2015 [12 favorites]


What an odd talk. Veered from the incredibly broad to random specifics via the deflationary aspects of Bitcoin (where he seemed to be complaining that crypto can't arrest you) and that Thomas Jefferson would think mobile phones are built from demons (well, they are, but he was a scientifically-minded son of the Enlightenment...).
posted by Devonian at 1:02 PM on August 12, 2015 [6 favorites]


> I do not think that a von Neumann architchture computer, where code and data are interchangeable, can ever be truly secure, since there will always be a possibility of someone tricking you into running code that you did not realize was code.

Sorry, but even with a Princeton architecture you're still screwed. Modern exploits use ROP which just re-purposes existing code to execute their payloads. While there are still some exploits that use RWX memory (which is almost exclusively found in javascript/JIT's on desktop computers), nearly everything that's compiled with sane settings has NX by default.

For interesting research in this area, check out the Langsec people's work (example (SLYT). Basically it says that any non-trivial program effectively implements a virtual machine for which any input is it's bytecode.
posted by yeahwhatever at 1:03 PM on August 12, 2015 [11 favorites]


I do not think that a von Neumann architchture computer, where code and data are interchangeable, can ever be truly secure, since there will always be a possibility of someone tricking you into running code that you did not realize was code.

Okay, so here's where things always go off the rails between computer architecture theorists and the real world.

The problem really isn't that we lack the platonic ideal of secure computing, though that is a problem that is interesting to think about.

No, the problem is that due to human nature, it is apparently impossible for people to even want to use systems securely. It's why you have huge companies making "rookie" mistakes like using the same static key on baked-in firmware, or using low-entropy passwords. Theorists and researchers look at these examples as "ah, classic mistake there, choosing your keys poorly" which completely misses the goddamn point. People will not use these systems "ideally", ever. They won't even try.
posted by odinsdream at 1:06 PM on August 12, 2015 [18 favorites]


Oh man I forgot about this guy he's great.
posted by atoxyl at 1:07 PM on August 12, 2015 [2 favorites]


Wendigos and internet security jokesterism. My internet for the day is complete.
posted by sparklemotion at 1:16 PM on August 12, 2015


People will not use these systems "ideally", ever. They won't even try.

Then shouldn't security developers take that into account when designing systems? I feel like so many security schemes are premised on users behaving perfectly, when it seems like almost everyone does things like write down their passwords on a slip of paper they keep in their desk.
posted by Sangermaine at 1:19 PM on August 12, 2015 [2 favorites]


Actually - that is a good question. This seems to be a design issue, then.
posted by symbioid at 1:21 PM on August 12, 2015


> No, the problem is that due to human nature, it is apparently impossible for people to even want to use systems securely. It's why you have huge companies making "rookie" mistakes like using the same static key on baked-in firmware, or using low-entropy passwords.

I think there's room for both honestly. You can have people unable to use systems securely while still pointing out that those systems are inherently insecure. Things like 'Why Johnny Can't Encrypt (PDF)' (which just won an award!) and the whole rediscovered emphasis on UX in security point to this.

I agree with Devonian in that this talk was very strange, and kinda all over the place. However, his also-comical essay (PDF) was pretty good, and much more focused.

Probably the best talk recently on the "state of the industry" was Haroon Meer here (SLYT). It's quite good, I'd enthusiastically recommend it.
posted by yeahwhatever at 1:22 PM on August 12, 2015 [10 favorites]


@symbioid (and the rest of the world): oh, wow.

That WBPT is just inherently stupid.

It's insanely stupid.

A whole host of smart people have done a complex thing ... and no-one had the guts to say: 'Hey, maybe this is a stupid idea? Maybe this shortcuts any security we build in to the system? Maybe we should not only not do this, but actually guard against this being possible?'. And then get the guy who's idea this was originally fired. And maybe hung, drawn and quartered. Just a little bit.
posted by MacD at 1:25 PM on August 12, 2015 [2 favorites]


Probably the best talk recently on the "state of the industry" was Haroon Meer here (SLYT) yt . It's quite good, I'd enthusiastically recommend it.

Man, that's excellent - thanks for the link.
posted by ryanshepard at 1:37 PM on August 12, 2015 [1 favorite]


I feel like so many security schemes are premised on users behaving perfectly, when it seems like almost everyone does things like write down their passwords on a slip of paper they keep in their desk.

There's not much wrong with that actually -- your password is far more exposed by actually being used (database breaches, keyloggers) than it is by being on that slip of paper. If it keeps you from re-using passwords (a strict no-no) it's a net win.

It might make your accounts less secure against Bob from Accounting, but he's not the guy to be worrying about.
posted by neckro23 at 1:42 PM on August 12, 2015 [11 favorites]


Plus anyone with physical access to your computer could just install a hardware keylogger and get all your passwords that way.
posted by Pyry at 1:46 PM on August 12, 2015 [3 favorites]


Veered from the incredibly broad to random specifics via the deflationary aspects of Bitcoin (where he seemed to be complaining that crypto can't arrest you) and

What made this part difficult to understand was the lack of citations. It's not informative or insightful to assert "bitcoin < strong regulatory system by government" (which is a category error anyways). Abstract arguments are hard to convey, and are easy to fudge, when other people don't share the same context as you.
posted by polymodus at 1:48 PM on August 12, 2015


Well, the IoT is here. I work at a place where "Innovation, makerslab, hackathons, etc." are the norm. Nobody cares about security except for IT, and with shadow IT/cloud services/hundreds of newly-connected-who-knows-what-it-does-yet toys on the rise, even IT can't keep up. I assume this is the same everywhere, just in varying degrees.

Nobody cares. What's the solution? I personally don't want to be shot in the face...
posted by Chuffy at 2:11 PM on August 12, 2015


People don't do encryption, like they don't do quantum maths or recycle. It's not part of the programming; we're a social species and we behave in innate ways where complex things that do not do us an immediate benefit are not easy.

That doesn't mean we can't do social engineering that makes security more prevalent and better behaved. We already do that for a lot of safety-of-life related engineering fields, where you're not allowed to produce something that will allow others to come to harm through design faults, because you won't be in business long (or worse) if you do. Fields like aviation have gone from incredibly dangerous to incredibly safe, albeit at the cost of making it practically impossible to be a small aircraft maker. Transport as a whole does it. Medicine does it.

There's a lot of talk about the IoT being insecure, and indeed a lot of it is and a lot of it will go wrong. But the IoT isn't about smart toasters and funky lightbulbs, it's about industrial re-engineering and better use of data, and the people who are doing that side of it are properly focussed on security. Regulators are waking up to the idea of - wow - making manufacturers responsible for their products.

Where there are systematic technological problems with implementing functional security within platforms, there are people working on solutions, such as the per-chunk virtualisation stuff, and things are getting better. Reduce attack surfaces, do end-to-end engineering, be defensive and minimalist in general, understand psychology. We do these things, and they work.

You'll never get away from the problem that to be useful, computers have to do what people tell them to, and some people shouldn't be allowed to use a pocket calculator without adult supervision. I know of one large organisation which appointed a Superbeing of Social Media, whose first action was to distribute the official Twitter account password to a whole bunch of departments. I have a small bet on that "LARGE ORGANISATION HACKED!" headlines will be with us shortly. Against stupidity, the gods themselves...
posted by Devonian at 2:12 PM on August 12, 2015


It might make your accounts less secure against Bob from Accounting, but he's not the guy to be worrying about.

I agree with you a little bit, but Bob from Accounting isn't who you should be worried about...Craig from Office Services might be the culprit. He's in Office Services because he couldn't get an IT job, and he found some cool key generators online which led him to reading about Kevin Mitnick and then it was all over...

The most dangerous people to your security are people you know. The biggest threat in any company is someone on its own staff...either maliciously/with intent or the neophyte that clicks on every link they see.
posted by Chuffy at 2:15 PM on August 12, 2015 [1 favorite]


There is exactly not one goddamn reason light bulbs should have to communicate with anything but we all know perfectly well there will be no other option than to buy SMART SMART SO VERY SMART light bulbs in like 5 years.

#ButlerianJihad
posted by 3urypteris at 2:37 PM on August 12, 2015 [6 favorites]


There is exactly not one goddamn reason light bulbs should have to communicate with anything but we all know perfectly well there will be no other option than to buy SMART SMART SO VERY SMART light bulbs in like 5 years.

Programming your lighting to be controlled by a tablet PC, or possibly your smartphone is an awesome thing if you want to have various lighting options (movie time, reading time, on vacation, party, falling asleep on the couch...)

There is exactly not one GD reason to have stores on the Internet...or credit cards...or a phone that takes pictures...
posted by Chuffy at 2:44 PM on August 12, 2015 [4 favorites]


Absolutely +1 on the Haroon Meer talk. Do watch it.
posted by Devonian at 2:48 PM on August 12, 2015


Anyone who'd prefer to read a transcript and wonders if it's worth watching the video anyway, the answer is NO. This is not the sort of video you would enjoy if you are the sort of person who prefers to read transcripts.
posted by Joey Buttafoucault at 3:11 PM on August 12, 2015 [2 favorites]


pretty nifty, as is making a hand gesture over my desk to turn them on.

You don't need "smart" light bulbs for that, just a smart switch. If lightbulbs are going to be called smart, I want them tracking the eye movements of everyone in the room and only lighting up the parts people are looking at.
posted by sfenders at 3:49 PM on August 12, 2015 [2 favorites]


Superbeing of Social Media

S-level executives?
posted by thelonius at 3:53 PM on August 12, 2015 [1 favorite]


Computers (Von Neuman and otherwise) can definitely be secure. The operating system's job is to divide the available resources fairly among the programs the user chooses to run, with the resources the user chose to make available to them. (If you didn't get asked what resources to use, your OS is poorly designed and won't ever be secure, don't blame the hardware).
posted by MikeWarot at 5:01 PM on August 12, 2015


James Mickens? The man who came up with the immortal line "I HAVE NO TOOLS BECAUSE I’VE DESTROYED MY TOOLS WITH MY TOOLS."? Oh yeah.
posted by benito.strauss at 5:33 PM on August 12, 2015 [2 favorites]


Someday lightbulbs will be smart enough to have ideas, and mankind will have to contend with the problem of how to depict that in a cartoon.
posted by dephlogisticated at 5:49 PM on August 12, 2015 [11 favorites]


I feel like so many security schemes are premised on users behaving perfectly...

Well, to be more accurate, the premise is that users will do exactly as the nerds and geeks do (which is far from perfect, and tends to involve complex tech solutions that no one will use other than those who achieve nerdgasms from the complex tech.)
posted by Thorzdad at 6:48 PM on August 12, 2015


The problem isn't even passwords or encryption. The problem is that we delegate our authority to our tools.

Our risk exposure, whenever we delegate authority to an agent, is defined by the constraints we can put on the agent (i.e., the valet has a key to the ignition but not to the trunk) and our recourse against an agent that misbehaves. But we have no recourse against software; and we don't have the patience to carefully constrain every program against every possible attack - or the self-control to decline to use programs that demand access to our location, to the accelerometer, to our camera, etc. Consequently, everybody carrying a smartphone is basically carrying around a spy; a careless spy that likes getting drunk and blabbing about your secrets.

So even if we had perfect encryption and solid passwords and so forth, we'd still be at the mercy of a dating app that records our location and travels, or a camera app that records our keystrokes (via the accelerometer), or whatever. And even if we find out what they're doing, the worst we can do is delete that application. So from a security perspective, we're screwed.
posted by Joe in Australia at 7:00 PM on August 12, 2015


The problem isn't even passwords or encryption. The problem is that we delegate our authority to our tools.

Which is why Linux, Windows, MacOS are all bad choices... none of them let us decide what to delegate to a program at run time.
posted by MikeWarot at 7:37 PM on August 12, 2015 [1 favorite]


No, the problem is that due to human nature, it is apparently impossible for people to even want to use systems securely. It's why you have huge companies making "rookie" mistakes like using the same static key on baked-in firmware, or using low-entropy passwords.
I think there's room for both honestly. You can have people unable to use systems securely while still pointing out that those systems are inherently insecure. Things like 'Why Johnny Can't Encrypt (PDF)' (which just won an award!) and the whole rediscovered emphasis on UX in security point to this.
On that theme, I increasingly believe anyone who works in IT needs to read – and understand – A story about Jessica. It's easy to say users don't care, are too stupid, etc. but that's just an excuse to avoid having to do our jobs better. Almost everyone wants to have their data protected and prevent abuse but the systems we've collectively given them make that too hard, regularly forcing everyone to make decisions which require significant expertise and time to answer accurately and tending to failing badly when someone makes a mistake.

The problem is that fixing that would require a lot of places spending considerable amounts of money fixing deeply entrenched bad IT policy. Since software have generally managed to dodge liability for their errors and a determined IT person can always find something the user could have done better, everyone takes the path of least resistance and blames the victim.

As a trivial example, think about how much money everyone wastes on things like condescending annual security “training” or security-weakening password rotation policies but never seem to find the pocket change needed to approach even World of Warcraft-level security. That's for authentication, which is one of the easiest problems to fix because it doesn't require any significant architectural changes and that doesn't bode well for our ability to fix the harder problems.
posted by adamsc at 8:06 PM on August 12, 2015 [3 favorites]


Linux, Windows, MacOS are all bad choices... none of them let us decide what to delegate to a program at run time.

But you see, that's the problem. Even if we could decide at run-time, we wouldn't be able to determine what the program is doing with our authority. And in the unlikely event that we really could micro-manage to the extent that we can tell a program "you may send my photos to Snapchat, but only after I select and confirm each one, and only to Snapchat, and you may not alter them in any way via steganography or whatever" , we'd effectively be doing all the work ourselves.
posted by Joe in Australia at 8:08 PM on August 12, 2015


But you see, that's the problem. Even if we could decide at run-time, we wouldn't be able to determine what the program is doing with our authority

When I hand the guy $5.00 at Dunkin Donuts a $20.00 bill for my $3.20 morning snack... he can't magically take $500 out of my bank account... he can only take the $20, and it's obvious. The side effects are limited by my a-priori choice. We're all used to making these type of choices.

When you are not allowed to chose, it's like being forced to hand over your life savings to the Donut Guy, and hoping that you set the permissions on everything right so he doesn't get to steal your retirement account... it's a lot simpler to hand over $5, or $20, or whatever you choose.

People have no problem deciding what to risk, or when... but the OS doesn't allow the choice... which is the root cause of the pickle we find ourselves in.
posted by MikeWarot at 9:01 PM on August 12, 2015 [2 favorites]


Really, smart lightbulbs giving hackers a backdoor to your network is a step up from DoSing your home.
posted by ckape at 9:39 PM on August 12, 2015


What an odd talk. Veered from the incredibly broad to random specifics

That's Mickens's schtick. It irritates the tripe out of me. Until now I've only been irritated by it in his writing, so I thought I'd give a live presentation a go. Yep! Still irritating.

For my money, Tom Scott is the funniest man in software development. Mickens doesn't rate.

People have no problem deciding what to risk, or when

That is entirely not the case. People are almost completely unable to make rational decisions about risk once the likelihood of a bad outcome from any given single choice drops below a few percent. And this is why Mickens's central claim - that IT security sucks, and will continue to suck for the foreseeable future - is completely correct. Security is, and always has been, a people issue first and a technical issue second.

John Oliver, as usual, nails it.
posted by flabdablet at 9:44 PM on August 12, 2015 [3 favorites]


Ooh! I'd heard Mickens - who should also get tagged here - had left the magazine or whatever was funding his awesome, *awesome* writing! I didn't think I'd see it again! Yay!
posted by Pronoiac at 12:38 AM on August 13, 2015


"No one had the guts to say, 'hey, maybe this is a stupid idea.'"

So many areas of my university where this applies...
posted by persona au gratin at 4:06 AM on August 13, 2015


KGMoney: " MS is configuring Win10 to share you wireless key with your contacts by default, so yeah..."

Just upgraded and was floor when I saw this was an opt out option. Who the heck would think this is a good idea?
posted by Mitheral at 5:40 AM on August 13, 2015


« Older "Almost no-one in Britain spoke Japanese"   |   “Those who deny freedom to others, deserve it not... Newer »


This thread has been archived and is closed to new comments