Today's reminder that security and crypto will, by design, reduce reliability and cause breakage and extra work, was brought to you by Mozilla Firefox and code signing. 🤪

This is the expected outcome, folks!

(The reason I point this out is not to deny the need for security, but to point out that security has real costs and should be weighed accordingly.)

... the math people need to be doing, is to calculate whether (cost of exploitation) is greater than (cost of denial of service).

If the expected cost of attacks is lower than what it costs to not be able to use your tools when they inevitably break due to human error, hardware malfunction or code bugs getting amplified by security complexity... then the security isn't worth it.

Obviously this is impossible to know for sure. But always choosing one or the other is guaranteed to be incorrect.

... aside from reliability, security also has other hidden costs.

Security requirements raise the cost of development to the point that some tools just don't get written at all. We don't know how often this happens.

A real example: 's MacOS packages still haven't been published, in part because I got bogged down by the complexity of fulfilling Apple's code signing requirements.

Not saying it's wrong. But this is part of the price we collectively pay to thwart "hackers."

Today's tech culture of security-uber-alles is, on the one hand, a sign of our industry growing up and becoming more mature.

On the other hand, it's also playing right into the hands of big corporations.

Small shops and hobby projects already struggle to meet our security expectations. Every time we raise that bar, projects die and the big guys have less competition.

Is Apple code signing protecting the end user? Or Apple's app store revenue and veto power?

Bit of both, probably. 🤷‍♂️


@HerraBRE

> Today's tech culture of security-uber-alles is, on the one hand, a sign of our industry growing up and becoming more mature. On the other hand, it's also playing right into the hands of big corporations.

Hmm, that's an interesting perspective. Based on the fairly amateur mistakes that often lead to massive data breaches and devs' collective willingness to use unverified code (#docker, #npm, etc.), I wouldn't have said we have a security-focused culture.

@codesections @HerraBRE
I wouldn't say we have a security-focused online culture either. But that's because putting workable security into practice is difficult, especially when security "experts" insist on fragile, complicated tech and rarely, if ever, weigh the costs.

That said, things are getting better. Let's Encrypt is a step forward. But solutions like that are not common. (And I know security researchers who rage about Let's Encrypt because it is not pure enough).

@codesections @HerraBRE
BGPSec is a classic example of security tech that just went too far. Because it is too cumbersome, brittle, and expensive, it is dead on arrival. And thanks to BGPSec, attempts to talk about routing security in any reasonable fashion are nearly impossible. The well has been poisoned.

@codesections I didn't say we were good at security.

But there is an expectation that if someone finds a "security flaw", you drop everything to go fix it.

And people (admins and devs) relentlessly use "security" as a sledgehammer to crush ideas they don't like.

And our industry uses security to justify breaking things that worked fine last week.

But maybe we run in different circles...

@HerraBRE security throughout history has been concerned with raising the cost of intrusion against the perceived value. This was one of my eye openers when I started researching physical security.

Digitally, the cost of intrusion is calculated vastly differently in terms of power and time, and cryptography has been trying to outpace the many factors of attack with rapid innovation. That's a recipe for failures and high implementation cost.

@HerraBRE I'm just observing, though, and have no suggestions to improve the overall situation with regard to security.

The browser plugin signing bit is interesting because it's not really a security issue (except tangentially) but really an identity one. "Did this come from who it says it comes from?" is a very different problem than "keep out unless authorized", and arguably much harder to solve well.

@HerraBRE
Availability is also part of Security. And "Denial of Service" is also an attack security people want to protect against. At least in theory.

What people often forget is that "how to prevent things from going wrong" is only half of the problem. The other half is "what do you do if things go wrong anyway?". Because things will go wrong anyway, and you'll often have 2 failure modes to choose from. Both will be bad, but depending on your use case/threat model, one of them will be worse.

@Wolf480pl Just about everything can be lumped under the security umbrella if you try hard enough. I don't think it's helpful to do so.

A loss of availability may well be caused by a security breach, but there are tons of other things that may degrade availability, including the security systems themselves.

Having different words for different things is important, otherwise you just get muddled discourse and muddled thinking.

@HerraBRE
Well, the most common definition of Security I've heard is:

Confidentiality + Integrity + Availability

3 terms for 3 things.

By saying they're all part of security I meant that anyone who claims to care about security without considering availability is probably incompetent.

And of course there are tradeoffs between these 3 aspects.
I just wish people more often included "forgot to renew cert" or "forgot to pay for domain" in their threat models.

@Wolf480pl @HerraBRE or, like the .io shenanigans a while ago, “didn’t use a TLD that one user can register the nameservers for, intercepting traffic”

@Wolf480pl If your definition of threat modelling becomes too broad, it risks becoming another word for "management."

Security threat modelling concerns itself with a subset of management, where those attributes (CIA) all matter. But not everything concerning those attributes is a "security" concern.

Natural disasters, corporate mismanagement, failed business plans, power outages... all sorts of things are generally considered out of scope.

At some point you draw the line. Where, varies... 😀
