5 votes

Software remains insecure because the existence of insecure software has so far helped society far more than it has harmed it

4 comments

  1. [3]
    Akir

    Well, I was really hoping he was going to go into some level of detail. By which I mean any level of detail whatsoever.

    I think a far more exhaustive reason why software still is insecure is that perfect security is impossible in any and all situations. For instance, most software security devices will fail if the device it is run on is simply stolen. Encryption helps, but every encryption eventually gets broken. And then there is social engineering - think of all the people who got their identity stolen after they told the nice man from Microsoft their password so they could get rid of their viruses. Software doesn't run in a vacuum; it's part of a greater system with many faults in it.

    10 votes
    1. Octofox

      perfect security is impossible in any and all situations.

      Perfect security may be impossible but what we have is far from perfect security. Most data breaches happen due to absolutely trivial mistakes like forgetting to put a password on a database or using a non-type-safe language when languages like Rust exist.

      The real reason we have so much insecure software is because security is expensive and data breaches are cheap. There is next to no business risk for most companies in having their personal data leaked so the expense it would take to write more secure software is not worth it. No business is going to spend 5x as long performing rigorous testing on any new code which has a very real cost to prevent some user data getting leaked which everyone will forget about next week.

      Encryption helps, but every encryption eventually gets broken.

      AES encryption has been around since the late 90s and has still not been broken. Encryption is never what is broken, it's always another part of the system. If you encrypt a HDD with a secure password and it gets stolen there is pretty much 0 chance even the government will be able to get the data on it unless they have some super secret tech they never use. The reason phones can be hacked by the government at great difficulty is you have a very short password on them which is not cryptographically secure. Phones have built-in protections which try to prevent brute force attacks against the password which would not stand up on its own and this is the part that often gets broken.

      3 votes
    2. NaraVara

      It’s also the general problem of assurance. Nobody ever went into business to be the best at complying with audits or to have the best legal department. They went into business to do stuff and these other things are just kind of hassles that get in the way.

      It’s the same deal with privacy and security now. They’ll never be a top priority and they will always be fighting against business and personal pressures to get a seat at the table.

      1 vote
  2. Emerald_Knight

    An interesting take, but I'd say it's a rather naive one.

    Software remains insecure due to a combination of a few different reasons:

    1. People don't know what the fuck they're doing. Human beings are naturally stupid creatures. We have to spend twelve years of our lives attaining what is considered a base level of education and then four or more years of specialized training on top of that for entry-level knowledge into a particular field of work. We're constantly reinventing the wheel, so it's only natural that we end up building the wrong wheel several times before we get it right.
    2. Security isn't baked into the process. People are allowed to create whatever code they want, so it's only natural that these misshapen wheels that can't even rotate correctly without busting an axle end up driving entire businesses on pure momentum alone. Frameworks help tremendously with this, but even frameworks often suffer from supporting features that are inherently insecure.
    3. Money is king. If it costs more to fix the problem than to pay for the damages caused by it, businesses don't give a shit. They have to choose between pushing out new features that users are hounding them for and fixing a problem that they rarely ever need to think about and causes very little damage to their bottom line.

    In short, good security only comes about when you have the experience to implement it, the policy to enforce it, and the resources to maintain it. And even when you have all of those, problems will still slip through the cracks because humans are flawed and will either forget something or not notice the zero-day exploit staring them in the face. After all, even businesses who stake their entire reputation and business models on their security are subject to vulnerabilities, despite having entire teams of experts dedicated to the subject.

    7 votes