comment by goobster

I'm mostly with you on this, @veen. @rd95 and @kleinbl00 make excellent points, but I think they are trying to put the worms back in the can, at this point.

Defensive security doesn't work. We have proved this since castle sieges in the 15th century. No matter what defenses you build, the baddies will innovate a way around, and get in.

The thing is, that these security breaches happen with services.

Every single one of these data breaches has one thing in common: The user of the data has abdicated responsibility for the data to a disinterested third party.

1. Equifax. This is just an intermediary who tells you data about a person, that you are too lazy to look up yourself. You want a loan? OK. Show me what you own. Show me your bank statement and pay stubs. Ok, sure. You look like a safe bet, here is your loan/credit card.

Instead, people pay Equifax for a "rating", which is just elementary-school level math applied to the data points above. This provides the lender with plausible deniability in the event you default on your loan. "But Equifax said they were a 720!"

2. Deloitte. Covering your ass is Deloitte's entire business. You hire Deloitte to investigate data, or build a system for you. They are a consulting firm, and their entire reason for existence is that you won't spend the money to have in-house experts to do the data analysis. So you hire Deloitte (or PWC, or The Heritage Foundation, or, or, or...) to do the analysis FOR you, so that - if it is wrong - then you can blame someone else for it.

3. Yahoo/Hotmail/Gmail. Instead of saving your email on your computer, and having to sort it, back it up, recover it if your computer dies, etc., you go to a cloud service for your email. It is YOU washing your hands of the responsibility for doing software updates, defragging your hard disks, updating your RAM, managing server loads, etc., and "paying" someone else to do it for you.

4. Target. Target's credit card data was hacked, because Target knew they were protected by the CC companies, and didn't actually issue the CCs themselves, or protect the data themselves. If they had issued their own CCs, instead of purchasing the service from a third party, they would have been much more careful.

Anyway, this premise can be extrapolated to just about any "service" out there. They are monetizing the transaction, and therefore interested solely in transmission. WHAT they are transmitting is immaterial, and of no real interest or value to them. And that's why the hackers target service providers, because it is a choke point, where the orgs are not motivated to protect the data, only enable the transaction.

What's the alternative?

Figure it out. Go back to base principles: Do it in-house. Hire the skills and talent you need to deliver your product, rather than outsourcing to the lowest bidder.

We KNOW that defending from attackers doesn't work in the long run.

So maybe we need some radical new thinking about the entire system.

If your Target data is only useful for getting you a Target credit card, then it has no value to a hacker. Because you already have a Target credit card, and if another one gets created, then flags go off. Or the creation of a second one is simply impossible.

If a bank uses their own internal logic to determine who is worthy of a home loan, then all the data can be public. It has no value to a hacker, because they can't use that data for other systems. (Broadly speaking.)

Remove the service providers, and suddenly security looks very very different.





veen  ·  2351 days ago

    I'm mostly with you on this, @veen.

Are you though? If I understand you correctly, you argue that users should take responsibility for their own security because services can't be trusted to do this for you. Defensive security doesn't work when you outsource it, so you have to take responsibility for your own security.

In the abstract I think I agree, but I don't think that principle holds up in practical situations. You make the assertion that users can choose these services, when the reality is that they don't know they are part of a service, are forced into a service, have to choose the lesser of evils or aren't aware of their data being shared.

You're not putting agency into the equation here. So as soon as you get to practical situations like Equifax and IRS breaches, I don't think it's fair to say to the users "stop crying, you fool, you should've been responsible for your security." Because those users usually can't do that. Take email for example:

    It is YOU washing your hands of the responsibility for doing software updates, defragging your hard disks, updating your RAM, managing server loads, etc., and "paying" someone else to do it for you.

Are you really suggesting that people should run and configure their own email server just to be able to communicate? To take your argument to its logical extreme, should they also run their own internet cables then, because that would be more secure? Should they build their own ISP to prevent their internet from being tapped? Should I run my own NSA instead of paying for the current service through taxes?

    The user of the data has abdicated responsibility for the data to a disinterested third party.

Offloading difficult tasks and abdicating responsibility to a third party is how society works. I don't know how to run a bank myself, so I pay a bank a fee under the very reasonable expectation that they protect my data. I don't know how to protect myself against foreign enemies, so I offload that task to the government through taxes under the expectation that they protect me.

Your 'radical new thinking' sounds an awful lot like libertarianism to me.

goobster  ·  2351 days ago

Ah. I see where I was unclear. Thanks for taking the time to explain how you read my post, because I did not mean what you read.

This isn't a problem for the USER to solve. My problem is with the BUSINESS.

It is the BUSINESS that washed their hands of the responsibility for your data, thereby endangering you in the first place.

To take my Target breach example; If Target had their own credit card that they underwrote, issued, and processed, they would be FAR more careful with your data. Because any breach hits them directly in the bottom line.

Instead, they offload the responsibility to a credit card issuer/processor (Visa, MasterCard, etc), who do not have as much skin in the game, and are therefore less interested in maintaining the highest level of security around YOUR data, because YOU are not their customer: Target is. And Target is paying them for TRANSACTIONS, not for fabulous security.

If you think about the tech used in a CC transaction, there are 5 companies handling your data, and only ONE of them has any real motivation to protect you, as an individual. To all 4 of the other intermediaries, you don't even exist: you are just a packet of data within gigabytes of data they transfer every day.

The parallel I tried to draw with email is that we choose to offload the responsibility to someone else, when we choose to use a service (Gmail, Hotmail, Yahoo, etc.), instead of configuring our own server. Things were a lot more secure when you had to give a shit and actually understand how all the parts and pieces fit together, from hardware to software. Now it takes 10 seconds to set up an email account, and all you need to do is come up with a 4-letter password. Offloading all the responsibility for the infrastructure and security onto a disinterested third party is the risk we decide to take.

The key place where you took my words off in a new direction, is when you moved away from my conjecture - that services are the problem - and abstracted to armies, cable companies, etc. And yeah... libertarianism to me is the domain of 13-year old keyboard jockeys who have never had to pay rent. It is stupid to its core.

The bone I want to pick is with SaaS, which, incidentally, pays my considerable wages.

Everyone is so quick to invent a new middle-man service, that streamlines a process and takes a half-a-penny per transaction... but every middle-man "service provider" is one more incredibly weak link in the chain.

From the 1500s up to about the 1920s, a business took care of itself. Everyone from the janitor to the CEO worked for the company, and all customer processes were handled in-house.

But that is expensive. Having your own Credit Department that has to research every new application for a credit card is expensive. And it SHOULD be! It is a critical, important, and delicate function of the business.

But then Johnny McStartup shows up and says that he can do all that for you for 1/10th of the price, so you fire all your skilled people and pay McStartup to do all your credit accounts.

Why does McStartup cost less? Because they are less rigorous. Or hire junior-level researchers and analysts. Or whatever. They cut corners. That cuts costs.

But McStartup's customer is the Company, not the Individual. So they keep the Company happy by providing a service that Company used to do in-house, and they do it for a fraction of the price. And hey... if they fuck it up, who cares? It isn't Company that takes the blame! And McStartup is one-step removed from you, Mr Customer, so they are insulated from you as well.

THIS is my problem with the way businesses are structured today, and why it is so easy for hackers to ALWAYS get the data they want, with little effort. There are too many middle-men, with too little respect for the data they handle, and hackers always find a way through. Hell... they don't even need tech to do it... they can just call up Customer Service and social-engineer them, to get the info they want.

Yeah. So, fuck Libertarianism.

And security is ALWAYS going to be a problem, when you create choke-points in the data stream that are lucrative to hack. If every single retailer had to issue their own credit cards, instead of using Visa or MasterCard, there would be little to no reason for hackers to target that data.

And maybe now that we have sorta unlimited bandwidth, RAM, and disk space, maybe widening the choke points is a better way to reduce the tastiness of the data to hackers...

veen  ·  2349 days ago

    This isn't a problem for the USER to solve. My problem is with the BUSINESS.

I did understand that you were talking about businesses, but I don't think that's a useful or necessary distinction. Businesses and users are both facing the same security problems. Businesses try to protect their proprietary data, their passwords, their sensitive information, but so are you and I. There's B2B services, and there's B2C services, and security revolves around the same question for both: can I offload some difficult aspect of my work without jeopardizing that work?

My disagreement was mostly with your suggestion that businesses should tell services to GTFO and develop those services in-house instead. I don't think that's a reasonable thing to ask of businesses: the ocean of sensitive data has become so incredibly wide (from passwords and PDFs to credit card info and blockchain keys) and deep (big data). It's not the 1920s anymore, which is why SaaS is such a vital part of modern business and why it is incredibly inefficient to have every company and user reinvent the wheel.

Just to give an example, my last gig and my current internship both run everything on Citrix thin clients. Is that safe enough? Maybe not.... Should hundreds if not thousands of companies develop their own OS-integrated remote client solutions just so they have their data back in control? I don't think so.

SaaS is pretty much unavoidable these days even though its incentives are misaligned. My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option.

goobster  ·  2348 days ago

    "My solution, for both users and businesses, is to be way more strict about security in what kind of services they demand. To vote with their wallet and pick the more expensive, more secure option over the bargain hacked together startup solution. I think that's a much more attainable goal for security problems, even though it will never be a perfect option."

I hear ya, but this requires defensive security, which has been proven to be ineffective for centuries now.

I was hoping to open the conversation to radical new ways of thinking about data and security.

The only reason why CCs and personal data are under constant attack by hackers, is because they are broadly valuable.

A "simple" solution to that problem is to go back to having a Macy's card, and a Shell card, and an Amazon card - essentially a card-per-business - because then hacking your personal and CC data has no value to the hacker. They get ONE person's info, which can be used for ONE store, and is, in fact, already in use, so any attempt to use that data to establish a NEW account, would immediately be flagged. "That user already exists in the system."

I dunno.

It's just a different way to think about security. Remove the choke-points that hackers love to target, and suddenly hackers won't be cracking your system, because there is no big financial gain to be had.

It was just a thought experiment...