34 votes

Cyber security: A pre-war reality check

4 comments

  1. [3]
    patience_limited
    (edited )
    Link
    This is Bert Hubert's lightly edited transcript of his ACCSS/NCSC/Surf seminar, ‘Cyber Security and Society. It's difficult to excerpt because he gently and humorously builds a compelling case...

    This is Bert Hubert's lightly edited transcript of his ACCSS/NCSC/Surf seminar, ‘Cyber Security and Society.

    It's difficult to excerpt because he gently and humorously builds a compelling case that Europe's digital infrastructure is fragile, devastatingly vulnerable to attack, and dependent on potential enemies.

    Unlike most cyber security talks, Hubert avoids technical jargon and pitches to a more general audience. It's a great summary, and I encourage anyone with even a passing interest in security to read it.

    15 votes
    1. [2]
      infpossibilityspace
      Link Parent
      I think there's a common theme here. We've lost sight of how difficult generational knowledge transfer really is, and the complexity of modern systems has become too bloated for things to be...

      I think there's a common theme here. We've lost sight of how difficult generational knowledge transfer really is, and the complexity of modern systems has become too bloated for things to be robust.

      Connecting this with the broader fields of hardware and programming, Jon Blow has a great talk about this where he goes over some modern and historical examples.

      https://youtu.be/ZSRHeXYDLko

      7 votes
      1. papasquat
        Link Parent
        It's not even necessarily that these systems have gotten too complex because they're doing anything particularly advanced. They've gotten complex because they've changed to suit the types of...

        It's not even necessarily that these systems have gotten too complex because they're doing anything particularly advanced. They've gotten complex because they've changed to suit the types of patterns that accountants like, instead of what makes the most sense from a resilience standpoint.

        When you think about the basic suite of business applications, their capabilities and requirements really haven't changed much in the last 20 years.

        White collar workers need email, they need a calendar, they need voice communication, they need a word processor, a spreadsheet application, a presentation application, and file storage.

        That's it. There are a handful of domain specific applications that a worker will require depending on their role and industry, but the applications above are the only ones that everyone actually needs

        None of these applications do anything particularly better or faster than they did 20 or 30 years ago. They may look better and have a few features they didn't, but realistically, if you put a worker from today in front of office 95, lotus notes, a digital desk phone, and mIRC, with a few weeks of training they'd be just as effective as they are today, and wouldn't be missing a whole ton of features they actually rely on.

        The thing that m365, teams, slack and so on offered that was attractive appealed to the accountants. You get to pay a regular, predictable yearly fee you can build into your operating expenses. The cost of your IT is nice and neatly captured in black and white for you.

        You don't need to buy expensive servers that need to be regularly refreshed and depreciated on a spreadsheet somewhere. You don't need to buy software licenses with terms that change regularly, you don't need to purchase colo space or build a data center, and most importantly, you don't need to headhunt and recruit expensive, temperamental, and sometimes difficult to manage sysadmins.

        All of this stuff is almost always cheaper than paying the Microsoft license cost, but actually managing all of it may not be cheaper, and can be kind of a headache.

        Because of that, the entire enterprise IT space has changed to satisfy the accountants. From a system design standpoint it's completely nonsensical.

        Want to get a file from Bob in HR to Alice in accounting?
        Bob uploads to file to OneDrive, making a connection from his computer to a Microsoft POP 500 miles away, uploading the file, creating a link, putting the link into teams, which makes another connection to a different Microsoft server. Then Alice does the entire thing in reverse to get the file.

        Either of those Microsoft servers goes down? No business is done. Microsoft has a production bug that affects either of those products? No business is done. Your Internet connection goes down? No business is done. Alice or Bob's network or computer has issues? No business is done.

        In the 90s, Bob would have just uploaded the file to a local file share and given her the link via an email, verbally, or on a chat app. The internet connection could go down, terrorists could attack all Microsoft data centers simultaneously, there could be a hurricane outside, but Alice would still get that file.

        It's a fundamental axiom in systems design that systems with fewer dependencies are more resilient. Simple technical systems designs have been traded for simple accounting systems designs. So far it's served businesses fairly well, because businesses tolerate dealing with IT, they don't like having to deal with it.

        If you live in a place where a sophisticated government can gain even a slight advantage by disabling your business, they will exploit those dependencies to leave you dead in the water.

        If the businesses risk department aren't detailing that very real threat to the decision makers, they're not doing their jobs, and at this point in Europe, I get the feeling that many of them are not doing their jobs.

        16 votes
  2. Webwulf
    Link
    Fantastic article and it really drives home the current state of everything right now.

    Fantastic article and it really drives home the current state of everything right now.

    4 votes