Security is a design choice. It is a choice that needs to be made from the get-go, one that will always cost a significant amount of money and time and one that can work against the intended goal of a project. I just don't think companies and the people in them consider it a priority enough to pay for that design choice - the risk appears small and distant while investments are large and upfront. Security usually comes in to play when something is large enough that it's too late to "make" it secure. (I once had an airport logistics professor yell at me something along the line of "security is binary! is it secure considering the adversaries, or not?") I totally agree that secure solutions should be standard, but I just don't see a good way to make it the default. At the same time, I also think we're fighting a losing battle. This morning I read about Tinder storing 800 pages of data for just one female journalist. Privacy and system security are not the same thing, but the same reasoning is used - we, the user, should just never have anything to hide. Just don't be an idiot! The problem is that my digital footprint is probably already too large for me to be anonymous. My IP's been linked to my home address. My grocery store probably keeps track of what debit card I use. And now fuckin' Tinder keeps a record of when, where and with whom I had a date last year and could totally sell that to some ad company to influence what ad I get to see. goobster, were you careful enough when picking your IRS? You weren't, because by engaging in society you inevitably leave a (digital) footprint. In very much the same vein that our privacy has eroded beyond the point that we can be careful enough to avoid harm, I think the security of our digital systems in general has dwindled to a point where "just be careful" doesn't cut it anymore.
I was approached my freshman year at college to work on a Formula SAE car. This is a little race car powered by motorcycle engine, designed and built by college students. My school was renowned for doing all sorts of crazydumb stuff - whereas UW welded theirs up out of chrome-moly, WWU had billet aluminum uprights holding four large carbon fiber tubes for rigidity and weight savings. And rather than going with standard disc brakes, they decided they were going to use grade 8 Allen screws to hold discs to the insides of the rims. I looked at these discs and said "...I don't have a real good feeling about that. It looks a lot like an expensive way to shear a dozen allen screws the first time you tap the brakes." No, no, the grad student running the program said; they'd run the calcs and they had a factor of 100 more shear than they needed. I nodded uneasily and affirmed that I wouldn't be driving the thing so, okay, I guess their math is better than my gut. After all, they were vehicle design engineers, and I was just a guy who built cars. It's worth noting that, minus the engineering-speak, they were basically replacing Ussain Bolt's starting blocks with number 2 Ticonderoga wood pencils stuck into the ground and then saying "not only is Usain Bolt not going to kick these things in half the first time he launches, we could replace Usain with a Clydesdale horse and we'd still be fine because math." Sure'nuff, the first time they tapped the brakes on that thing the discs stripped right the fuck out of the rims and sheared two dozen teensy little Allen screws as if they weren't hardly there. Didn't really slow the car an iota. Fortunately the thing was going only about 50mph, in a straight line, in a parking lot. I bring this up because piker experimenter engineers can make mistakes, and they're awful mistakes, and you end up without brakes. It's obvious to anyone who watches closely that the more innovative you are, the more likely you are to encounter problems no one has ever faced before. Even in a mature industry there are still ample opportunities for terrible outcomes - General Motors has been in business for over a hundred years and by their own estimates, has sold more than half a billion cars. But they still managed to kill 153 people with a poorly designed ignition switch. And that's a mature industry governed by physics. Computing and information technology? They're still celebrating "go fast and break things." The first Model T rolled out in 1908. Seat belts weren't even offered until 1949 and weren't mandatory until 1968. At the rate we're going, I'll be able to Google anyone's DNA and retina scan before the iPhone 12 is out. Meanwhile, 30 flipping years ago:Security is a design choice. It is a choice that needs to be made from the get-go, one that will always cost a significant amount of money and time and one that can work against the intended goal of a project.
I helped with a student team at my current uni that was building a hydrogen race car. The Formula Student team was just down the hall. Our uni's team was primarily fetishizing optimizations - I heard that they got one aerospace engineering student to spend an entire year on just the curve of the spoiler. While I had nothing to do with the technical stuff, adding enormous batteries and super high pressurized hydrogen tanks on student engineering calculations doesn't really...instill confidence. They got a Dutch former Formula 1 driver to give it a spin, and while he supported the project he was also very adamant that nobody should ever drive it that isn't a safety-trained racecar driver. (It's also not a large go-kart - more like a Lotus Elise size.)It's obvious to anyone who watches closely that the more innovative you are, the more likely you are to encounter problems no one has ever faced before.
One of the greatest insights I experienced was in switching programs from WWU to UW. The WWU car was this thing with That the grad students basically got to design and the rest of us got to "work on." And, okay, innovation, whatever. But then I came down to UW and every year, that class started with steel tubing and spare parts and built a goddamn race car. Did it win? Rarely. Did it compete? Every time. Did it have to fucking work? Every goddamn time. The UW kids learned how to build a fucking car. The WWU kids learned how to work on someone else's car. Sure - you can spend a year on the curve of the spoiler. The WWU kids spent a year on keeping the brakes from peeling out of the wheels. The UW kids spent a year learning how a car goes together.6″ filament wound carbon tube chassis, turbocharged fuel injected CBR600 engine, spool rear end (no differential), and suspension geometry designed to promote jacking to enable rotation with the spool. The car also used 10″ wheels, inside-out front disk brakes, and dual floating inboard rear brake rotors
I found this true when I worked in the fashion (menswear) industry, as well. Graduates from the Art Institute were dippy blonde girls driving daddy's Escalade, who went to school to learn to draw. Badly. These people became wives of Microsoft employees. Graduates from the International Academy of Design and Technology (my school) were able to design amazing one-off garments that broke existing clothing expectations. Couture designers. Graduates from Seattle Central could make any piece of clothing quickly, and fit it perfectly (tailoring). Manufacturing pros. Then, when I ran my own clothing company, I threw away resumes from the Art Institute, and I fawned over the amazing and clever stuff the IADT graduates showed me. But I hired people from Seattle Central. Every single one of them that applied. Because they knew how to handle fabric, they knew garment construction techniques, and they could make things fit real human beings.
Yep, same WWU story here. To make matters worse, the spoiler is the ugliest thing I have ever seen on a vehicle, ever.
