« The Great Enterprise of this age is the Asshole Industry. | Main | The Servitude Bubble »
September 30, 2016
All computers are reliably this bad:
the ones in hospitals and governments and banks, the ones in your phone, the ones that control light switches and smart meters and air traffic control systems.Industrial computers that maintain infrastructure and manufacturing are even worse. I don’t know all the details, but those who do are the most alcoholic and nihilistic people in computer security. Another friend of mine accidentally shut down a factory with a malformed ping at the beginning of a pen test. For those of you who don’t know, a ping is just about the smallest request you can send to another computer on the network. It took them a day to turn everything back on. Computer experts like to pretend they use a whole different, more awesome class of software that they understand, that is made of shiny mathematical perfection and whose interfaces happen to have been shat out of the business end of a choleric donkey. This is a lie. The main form of security this offers is through obscurity — so few people can use this software that there’s no point in building tools to attack it. Unless, like the NSA, you want to take over sysadmins. Everything Is Broken – The Message – Medium
Posted by gerardvanderleun at September 30, 2016 9:06 AM. This is an entry on the sideblog of American Digest: Check it out.
Your Say
It looks to me that most consumer software (Windows, Office, various web browsers, various PDF viewers, etc.) worked pretty well in their first or second iterations. But as they "improved" it was just patch upon patch upon patch. The original programmers/developers no longer were on the project. The code wasn't particularly well-documented.
So it's like the story of the guy taking down a fence without knowing why the fence was there in the first place. One adds a function to a program (or removes one) and the law of unexpected consequences takes over and the whole damned thing grinds to a halt.
Sadly, it seems the same thing goes for a lot of technical software (system software, control software for electrical systems/the electrical grid, electronic medical records, and so forth).
As an aside, why is our electrical grid attached to the Internet as a whole in the first place? It should be air-gapped from it to help prevent unauthorized access. (Similarly for other systems that seemingly should be fenced off -- military systems, hospital systems just for a couple of examples.)
Posted by: OldFert ![[TypeKey Profile Page]](http://americandigest.org/sidelines/nav-commenters.gif)
at September 30, 2016 10:47 AM
Fert - I've always figured all these systems use the internet because it's cheaper due to economy of scale. The old make or buy problem. Of course when you buy you lose quality control, except to quit buying. It's just speculation on my part, but makes sense, to me.
Posted by: BillH at September 30, 2016 1:45 PM
I wrote software for many an embedded system in my day, much of which could be placed in the category of "infrastructure". None of it ever had any concern whatsoever for security; it was assumed that those systems would only ever be connected to some private (today we would say "air-gapped") control network which only administrators had access to.
I've been gone from that industry for a while now, but I have a hard time believing that they have successfully addressed security issues in that time. Such lessons are only learned by getting burned, multiple times.
Posted by: Grizzly at September 30, 2016 6:52 PM