It all comes full circle to democracy in the end, doesn’t it?
I love Bruce Schneier. My go-to source for internet security thinking. His blog is top-notch.
This is one of the many things that makes the DIY/open-source software movement such a huge challenge, especially when it becomes infrastructure:
Our computers and smartphones are as secure as they are because companies like Microsoft, Apple, and Google spend a lot of time testing their code before it’s released, and quickly patch vulnerabilities when they’re discovered. Those companies can support large, dedicated teams because those companies make a huge amount of money, either directly or indirectly, from their software — and, in part, compete on its security.
That being said, if you asked any sysadmin about the relative security capability of Windows and Linux, you can more or less guess what their reaction will be.
For the tl;dr folks (he expands on each of these points, eloquently):
Truism No. 1: On the internet, attack is easier than defense.
Truism No. 2: Most software is poorly written and insecure.
Truism No. 3: Connecting everything to each other via the internet will expose new vulnerabilities.
Truism No. 4: Everybody has to stop the best attackers in the world.
Truism No. 5: Laws inhibit security research.
So many quotable passages:
In general, there are two basic paradigms of security. We can either try to secure something well the first time, or we can make our security agile. The first paradigm comes from the world of dangerous things: from planes, medical devices, buildings. It’s the paradigm that gives us secure design and secure engineering, security testing and certifications, professional licensing, detailed preplanning and complex government approvals, and long times-to-market. It’s security for a world where getting it right is paramount because getting it wrong means people dying.
The second paradigm comes from the fast-moving and heretofore largely benign world of software. In this paradigm, we have rapid prototyping, on-the-fly updates, and continual improvement. In this paradigm, new vulnerabilities are discovered all the time and security disasters regularly happen. Here, we stress survivability, recoverability, mitigation, adaptability, and muddling through. This is security for a world where getting it wrong is okay, as long as you can respond fast enough.
These two worlds are colliding. They’re colliding in our cars — literally — in our medical devices, our building control systems, our traffic control systems, and our voting machines. And although these paradigms are wildly different and largely incompatible, we need to figure out how to make them work together.
Facebook motto: move fast and break things.