7 votes

Unsecure at any speed?

15 comments

  1. NaraVara

    Talks about the issues with how the technology industry develops products without security or privacy in mind and makes an analogy to automotive design prior to the 60s. More of a polemic than solution on how to do better though.

    6 votes
    1. onyxleopard

      Is there a technical reason why the same sorts of safety standards that were introduced for motor vehicles can't be introduced for computer networking and software? Things like federal regulation and creating equivalents of the US's National Highway Traffic Safety Administration (NHTSA, as the article suggests) and the New Car Assessment Program (NCAP)? Or to analogize to another domain, regulate it like the Food and Drug Administration does with food and drugs? I understand that government regulation can be undesirable, but it seems like we have a model for this sort of thing that is well established when safety is actually of sufficient public value.

      4 votes
      1. NaraVara

        It's a really slow process and wouldn't really gel with Agile or any of the iterative design methods of the software industry. That stuff is all designed for an industrial/assembly line model where you do it once and run it a thousand times since it's expensive to retool an assembly line. It's actually pretty cheap to pull a new version to production though (as in the literal task of pushing the button, not all the due diligence stuff you need to do before pushing the button). So the practice of going through long audit processes of certifying that something is up to standard has a hard time keeping up with how often versions get updated.

        For example, cars have manufacturing pipelines that stretch years before they actually hit the showroom and they're doing compliance checks the whole way. In software development you might not even know what features you're implementing 2 weeks from now until you have a sprint planning meeting.

        8 votes
        1. joplin

          I don't buy this. If agile works at all, then teams should be able to pivot to handle new regulations just fine. It might mean they couldn't push updates too often, which would also likely be a good thing. They'd have to think through any updates they do push instead of just randomly changing features for one set of users vs. another because it was an interesting experiment that might increase conversions by 0.1%.

          I think what it would do is strongly curtail the collection of unnecessary data, which would be a good thing. Don't want to go through a 6 to 9 month certification process? Then stop collecting data you don't need! Either keep data local to the device or add a method so users can sync between their devices without going through your servers. Sounds like a win-win to me!

          5 votes
          1. NaraVara

            then teams should be able to pivot to handle new regulations just fine

            They can pivot in a "we can check the box" way, but I don't know if they can pivot in a "we can do the analytical work this task requires" way.

            The GDPR cookie law is a good example. There is a very straightforward way to comply that involves forcing a banner in people's faces and using dark patterns to make them accept cookies. This is the pitfall of trying to use a regulatory hammer that's focused on a specific feature rather than holistically addressing the business decisions that lead to all the unnecessary data collection requiring the cookie law to go into effect in the first place.

            8 votes
        2. onyxleopard

          So the practice of going through long audit processes of certifying that something is up to standard has a hard time keeping up with how often versions get updated.

          I can understand that. I know at the company I work for, engineering has put Sonarqube into their CI pipeline so that they can triage security issues. (Though, it's used as more of a way to surface issues, and they don't hold up a build just because Sonarqube found something. They also hire independent security auditors to do penetration testing, but usually only when it's required by a customer.)

          I feel like there has to be a development process that meets somewhere in the middle.

          3 votes
      2. spctrvl

        It would be harder because software is produced in a much less centralized manner than cars or food. The barriers to entry for software are about as low as they get, so you'd either end up needing a massive certification program to cover countless startups and open source projects, or you'd end up further entrenching the largest companies by de facto having them be the only writers of certified software. Either way, you'd also need stringent regulations about running uncertified software or the whole program would fall apart whenever some hot new app comes out that didn't go through all the proper channels. Whole thing just sounds like a nightmare of locking down what few open platforms remain to us.

        7 votes
        1. post_below

          And also, legislators so far completely fail to understand digital technology. They want to improve consumer privacy, we get cookie popups that drain bandwidth and screen space without accomplishing anything at all.

          They'd love the opportunity to regulate, but it would indeed be a nightmare which only the tech giants would survive.

          6 votes
      3. joplin

        The cynical side of me says that the government doesn't want things to be more secure because it allows them to snoop on us. We literally have senators and representatives asking companies to put "backdoors" into their software, naively thinking that there's some way they could make it easy for the government to access it without also making it easy for malicious actors to access it.

        6 votes
  2. onyxleopard

    On a side note, I know hardly anything about it, but online finance and payment systems in the US seem to be much more strictly regulated than other kinds of online systems. Does anyone know more about how that regulation was prioritized? Where did that pressure come from? The government, banks, elsewhere?

    2 votes
    1. NaraVara

      Financial systems are mostly governed by PCI/DSS requirements (see here). Though, as far as I know, those standards should apply globally. If it "feels" more strictly regulated in terms of legalese and hoops to jump through, that may just be an artifact of the fact that most US banks were, until very recently, still relying on systems that run COBOL mainframes and are held together by several decades' worth of hot-fixes.

      There are also a lot of reporting and compliance requirements for them that also contribute to the friction. These are mostly Sarbanes-Oxley (SarbOx), stuff related to anti-terrorism/money-laundering efforts, or stuff related to the Foreign Corrupt Practices Act (FCPA). SarbOx stuff shouldn't really affect anything you encounter on a consumer level, though it is a giant pain on the administrative end for the banks themselves. The FCPA mostly just comes into play if you do business abroad in countries where bribery for services is common. The anti-terror stuff does tend to slow things down if you have to manage financial assets or transfer of funds overseas though.

      There's also some regulations around compliance with various embargoes we have against North Korea, Cuba, Iran, Russia, (and probably Afghanistan soon). This, again, probably doesn't affect an end-user unless you're directly dealing in industries heavily influenced by import/export of something that comes out of those countries such as cigars, rum, oil, saffron, etc.

      In many cases, I'd say a big part of the reason for these sorts of financial regulations and disclosure requirements is probably just Wall Street pressure. Hedge funders are politically influential and they exert pressure in their capacity as shareholders in most major companies as well as their capacity as rich, politically connected donors to make sure regulations that help them do their jobs stay in place.

      6 votes
      1. onyxleopard

        Thanks for taking the time to answer. Do you know about software companies that offer products to handle payment processing, like PayPal, Venmo, Stripe, Square, etc.? I was under the impression that they also are pretty strictly regulated, but I can’t imagine it’s also Wall Street who is scrutinizing them.

        2 votes
        1. NaraVara

          If you're doing any kind of payment processing you're subject to the same rules. It's a pretty blanket thing.

          2 votes
      2. vord

        most US Banks were, until very recently, still relying on systems that run COBOL mainframes

        Don't know about banks, but I still see a lot of COBOL out there. There's still commercial compilers available, and I'm sure they make bank.

        2 votes
        1. NaraVara

          They do. It can actually be a pretty cushy sinecure for old programmers.

          1 vote