goobster innocently sent me a whitepaper last week about IoT and security. I bit his head off because it was yet another tired, tawdry "users should be more careful" scold about "all those horrible things that can happen to you if you aren't careful" from yet another publicly-traded internet infrastructure company.
- The computer and the car have become utilities where the manufacturers are given great value by society. Cars have roads, and computers have access to the Internet. Both have utilitarian necessity. But cars are expected to maintain certain safety features. It would seem reasonable that an industry whose failures can wreak havoc globally should be expected to build security into its own systems.
I've got cameras on the Internet now. They're talking to an NAS that's on the Internet. And they're from the most esteemed company in security. And you can type "axis root password" into Google and get into a million of them.
And you can't disable the root user.
And I'm fucking sick of the automobile industry telling people that if they don't want their Pintos to explode they should stop getting run into.
Security is a design choice. It is a choice that needs to be made from the get-go, one that will always cost a significant amount of money and time and one that can work against the intended goal of a project. I just don't think companies and the people in them consider it a priority enough to pay for that design choice - the risk appears small and distant while investments are large and upfront. Security usually comes into play when something is large enough that it's too late to "make" it secure. (I once had an airport logistics professor yell at me something along the line of "security is binary! is it secure considering the adversaries, or not?") I totally agree that secure solutions should be standard, but I just don't see a good way to make it the default. At the same time, I also think we're fighting a losing battle. This morning I read about Tinder storing 800 pages of data for just one female journalist. Privacy and system security are not the same thing, but the same reasoning is used - we, the user, should just never have anything to hide. Just don't be an idiot! The problem is that my digital footprint is probably already too large for me to be anonymous. My IP's been linked to my home address. My grocery store probably keeps track of what debit card I use. And now fuckin' Tinder keeps a record of when, where and with whom I had a date last year and could totally sell that to some ad company to influence what ad I get to see. goobster, were you careful enough when picking your IRS? You weren't, because by engaging in society you inevitably leave a (digital) footprint. In very much the same vein that our privacy has eroded beyond the point that we can be careful enough to avoid harm, I think the security of our digital systems in general has dwindled to a point where "just be careful" doesn't cut it anymore.
I was approached my freshman year at college to work on a Formula SAE car. This is a little race car powered by a motorcycle engine, designed and built by college students. My school was renowned for doing all sorts of crazydumb stuff - whereas UW welded theirs up out of chrome-moly, WWU had billet aluminum uprights holding four large carbon fiber tubes for rigidity and weight savings. And rather than going with standard disc brakes, they decided they were going to use grade 8 Allen screws to hold discs to the insides of the rims. I looked at these discs and said "...I don't have a real good feeling about that. It looks a lot like an expensive way to shear a dozen Allen screws the first time you tap the brakes." No, no, the grad student running the program said; they'd run the calcs and they had a factor of 100 more shear than they needed. I nodded uneasily and affirmed that I wouldn't be driving the thing so, okay, I guess their math is better than my gut. After all, they were vehicle design engineers, and I was just a guy who built cars. It's worth noting that, minus the engineering-speak, they were basically replacing Usain Bolt's starting blocks with number 2 Ticonderoga wood pencils stuck into the ground and then saying "not only is Usain Bolt not going to kick these things in half the first time he launches, we could replace Usain with a Clydesdale horse and we'd still be fine because math." Sure'nuff, the first time they tapped the brakes on that thing the discs stripped right the fuck out of the rims and sheared two dozen teensy little Allen screws as if they weren't hardly there. Didn't really slow the car an iota. Fortunately the thing was going only about 50mph, in a straight line, in a parking lot. I bring this up because piker experimenter engineers can make mistakes, and they're awful mistakes, and you end up without brakes.
It's obvious to anyone who watches closely that the more innovative you are, the more likely you are to encounter problems no one has ever faced before. Even in a mature industry there are still ample opportunities for terrible outcomes - General Motors has been in business for over a hundred years and by their own estimates, has sold more than half a billion cars. But they still managed to kill 153 people with a poorly designed ignition switch. And that's a mature industry governed by physics. Computing and information technology? They're still celebrating "go fast and break things." The first Model T rolled out in 1908. Seat belts weren't even offered until 1949 and weren't mandatory until 1968. At the rate we're going, I'll be able to Google anyone's DNA and retina scan before the iPhone 12 is out. Meanwhile, 30 flipping years ago:
I helped with a student team at my current uni that was building a hydrogen race car. The Formula Student team was just down the hall. Our uni's team was primarily fetishizing optimizations - I heard that they got one aerospace engineering student to spend an entire year on just the curve of the spoiler. While I had nothing to do with the technical stuff, adding enormous batteries and super high pressurized hydrogen tanks on student engineering calculations doesn't really...instill confidence. They got a Dutch former Formula 1 driver to give it a spin, and while he supported the project he was also very adamant that nobody should ever drive it that isn't a safety-trained racecar driver. (It's also not a large go-kart - more like a Lotus Elise size.)
One of the greatest insights I experienced was in switching programs from WWU to UW. The WWU car was this thing with
6″ filament wound carbon tube chassis, turbocharged fuel injected CBR600 engine, spool rear end (no differential), and suspension geometry designed to promote jacking to enable rotation with the spool. The car also used 10″ wheels, inside-out front disk brakes, and dual floating inboard rear brake rotors
That the grad students basically got to design and the rest of us got to "work on." And, okay, innovation, whatever. But then I came down to UW and every year, that class started with steel tubing and spare parts and built a goddamn race car. Did it win? Rarely. Did it compete? Every time. Did it have to fucking work? Every goddamn time. The UW kids learned how to build a fucking car. The WWU kids learned how to work on someone else's car. Sure - you can spend a year on the curve of the spoiler. The WWU kids spent a year on keeping the brakes from peeling out of the wheels. The UW kids spent a year learning how a car goes together.
I found this true when I worked in the fashion (menswear) industry, as well. Graduates from the Art Institute were dippy blonde girls driving daddy's Escalade, who went to school to learn to draw. Badly. These people became wives of Microsoft employees. Graduates from the International Academy of Design and Technology (my school) were able to design amazing one-off garments that broke existing clothing expectations. Couture designers. Graduates from Seattle Central could make any piece of clothing quickly, and fit it perfectly (tailoring). Manufacturing pros. Then, when I ran my own clothing company, I threw away resumes from the Art Institute, and I fawned over the amazing and clever stuff the IADT graduates showed me. But I hired people from Seattle Central. Every single one of them that applied. Because they knew how to handle fabric, they knew garment construction techniques, and they could make things fit real human beings.
Yep, same WWU story here. To make matters worse, the spoiler is the ugliest thing I have ever seen on a vehicle, ever.
Dude, general purpose computing is dead. Got a website? Go browse Google Analytics and see what devices it's reporting. I'll betcha it's 70% handsets. Shit, I'll betcha it's 40% iPhone, the most locked-down, no-touchy mass-market computing device ever sold to the public. I've got a Synology NAS. I'm running Surveillance Station on it. And I can get that on any web browser anywhere and it works great. And I've also got OS-specific apps to talk to that thing but they're busted because fuck you, that's why. If it runs in the browser, it adheres to standards. If it runs natively, Apple can decide to bork this thing because it doesn't match their revenue plan anymore. Kinda how Time Machine only works on AFP, but AFP is being deprecated so they can run a proprietary file system, so now your backup solution is putting your iTunes in the cloud for $9.95 a month and if you have anything else like Photoshop or Avid it's your own damn fault for not using iPhoto and iMovie. Meanwhile anything you want to do you can do on a RaspPi and chances are good someone has already breadboarded it, coded it and has uploaded an STL file to Thingiverse so you can print a case. FlightAware wants more ADSB receivers in the world so they're selling their hardware at cost and posting their BOM publicly. And all that stuff is open-source and out in the world and promoted by a thriving community - my kid's school has a computer club where they mess around with RaspPi in 4th-flipping-grade. All my devices will happily do SSL, happily do VPN, happily do all sorts of magic secure stuff but these "open" computers I got? They don't talk to the world por shit. "General purpose" computing is big bloated dinosaur companies that grudgingly keep selling you Macbooks for too goddamn much money, or Dell hitting you with a $300 premium for installing Linux.
If a death of "general purpose computing" means I don't have to create a proprietary email address just so I can get bloody DDNS to work I will dance on its goddamn grave.
I'll acknowledge the death of GPC when RMS quits shouting at clouds. And....on a vaguely related tangent. I never say no to my daughter when she asks to use my computer. We control her screen time and most of the time she wants to watch TV, play tablet or use my phone. I have never once said no to her request to use my computer. She hasn't figured this out yet and when she does I'm sure that I'll have to start saying no. I want her to be a comfortable computer user. Of all the kids I know the only ones who use computers are the smart ones. The dim bulbs all use touch screens or consoles. I want her to have a smidgen more control over the options of what she can install and what she can use compared to her dumbed-down peers.
I fear a time (And I think you might feel similarly) where she CAN'T install what she wants, where she CAN'T choose what she uses because of DRM/Proprietary devices. When I think about the death of 'general purpose computing' I see the ossification of our current technological caste system, with its different levels of brahmin techno-magi.
It's here, dude. What's that? You want to install an app you didn't get from the app store? Try running it, then get shut down, then open system preferences, then security, then click the button, then enter your password, then close out, then open the app. This is Apple's 5-year-old "fuck you for stepping outside our ecosystem" nuisanceware, and that's on OS X, which is Unix. I ran a jailbroken Android phone. It was awesome. Except for updating. It wasn't. Download a gig worth of developer kit on the laptop. Plug in via USB. Scour the Internet for scripts. bash into the kernel and sudo a frickin' bluetooth update. Have half your apps not work right. I lost $500 worth of .tifs because Apple decided that Preview was written poorly enough that you could backdoor into the kernel through a malformed image header. So what did Apple do? It rewrote my .tifs so they contained no information. Not "we think this is a problem" not "this sure looks like a 5mb monochrome TIF, is it?" not "we've quarantined these files because they make us nervous" but "yeah, we're gonna replace these with black because fuck you." If you are seriously thinking that you're having any sort of adventuresome experience on the desktop if you aren't running an alternative operating system you're high. That shit been dead.