The Internet Society is unhappy about security – pretty much all of it

The Internet Society (ISOC) is the latest organisation saying, in essence, “security is rubbish – fix it”. Years of big data breaches are having their impact, it seems: in its report released last week, it quotes a 54-country, 24,000-respondent survey reporting a long-term end user trend to become more fearful in using the …

  1. Andrew Commons

    Security is rubbish

    Absolutely. Serious efforts by major organisations have clearly shown that with current technology it will remain so.

    Abandon all shiny things and go back to simplicity. We may actually have a chance of improving things, after we have ditched all the 20th century technology we rely on that was built for an era where hats were all White.

    1. Trevor_Pott Gold badge

      There was never an era where all hats were white

      Though there certainly were some where all the people in positions of power were.

      1. Anonymous Coward
        Anonymous Coward

        Re: There was never an era where all hats were white

        "Though there certainly were some where all the people in positions of power were."

        Human nature as expounded by Machiavelli suggests that has never been the case.

        "Power corrupts - absolute power corrupts absolutely" John Dalberg-Acton 1887.

        1. Tim99 Silver badge
          Headmaster

          Re: There was never an era where all hats were white

          "Power corrupts - absolute power corrupts absolutely". Not quite. The relevant section of Lord Acton's letter, which was about the doctrine of papal infallibility in the First Vatican Council, was, perhaps, even more damning:

          "Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority, still more when you superadd the tendency or the certainty of corruption by authority. There is no worse heresy than that the office sanctifies the holder of it... ...and the end learns to justify the means."

      2. Andrew Commons

        Re: There was never an era where all hats were white

        My hair is very white :-)

        My comment is based on the lack of success seen in all 'secure coding' initiatives. We see this every month.

        While we are obsessed with shiny it will never change.

    2. Charles 9

      Re: Security is rubbish

      So what are you saying? Go back to the Sears catalog?

    3. Anonymous Coward
      Coat

      Re: Security is rubbish

      And it will stay rubbish until there's a monetary incentive to do something about it...

    4. bombastic bob Silver badge
      Big Brother

      Re: Security is rubbish

      "Serious efforts by major organisations have clearly shown that with current technology it will remain so."

      particularly when "that technology" includes Win-10-nic [spyware], Facebook [tracking you everywhere], and SHA1 [only just now being abandoned].

      no WONDER people don't see any real security on "teh intarwebs"...

    5. Lotaresco

      Re: Security is rubbish

      "Serious efforts by major organisations have clearly shown that with current technology it will remain so."

      I couldn't agree less on this point. Any analysis of security breaches shows that the exploits used tend to be old, easily avoided and mostly not technical. Nothing much has changed from the days of Mitnick. It's easier to trick someone into giving you access than it is to hack into a system. That's nothing to do with "current technology" and everything to do with "average stupidity".

      If tricking someone doesn't work then rubber hose cryptography does.

      The countermeasures for these attacks are simple, easy to implement and effective but people, company bosses in particular, tend to assume that "it can't happen here" so they do nothing to avoid the inevitable. And why should they? They can save the money, kid their customers into thinking their data is safe - usually by saying "Your data is safe with us." accompanied by a reassuring smile and if absolutely necessary a firm handshake.

      If it all goes hideously Pete Tong then there's an easy way out as pioneered by Diana Mary "Dido" Harding, Baroness Harding of Winscombe. Just look serious and hassled and state loudly that the first rate security systems installed by the company were defeated by highly-skilled evil hackers. That's so much better than admitting that your systems were either secured by the equivalent of leaving a key in a plant pot by the side of the door or that you had no security at all.

      1. Prst. V.Jeltz Silver badge
        Coffee/keyboard

        Re: Security is rubbish

        that last paragraph cracked me up, fortunately i've been too lazy to make a coffee.....

        1. Frumious Bandersnatch

          Re: Security is rubbish

          10 i've been to lazy to make a coffee.....

          20 maybe a coffee would help you get motivated?

          30 goto 10

          1. herman

            Re: Security is rubbish

            The Windows 10 version:

            10 i've been to lazy to make a coffee.....

            15 send lazy count to walgreens.com for abilify re-order

            20 maybe a coffee would help you get motivated?

            25 send coffee cup count to starbucks.com

            30 goto 10

            1. Yes Me Silver badge

              Re: Security is rubbish

              whereas on all earlier Windows the last line is

              30 goto Windows 10

    6. oldcoder

      Re: Security is rubbish

      Actually, the problem was pointed out when MS started connecting systems to the net.

      And the majority of the problems are STILL caused by Microsoft systems.

  2. Pascal Monett Silver badge

    "[..] has no way to learn how well it has been protected from attackers.”

    Another nail driving the coffin of IoT security in the minds of the masses. Enough of this, and we just might get the message through to the companies responsible for this mess.

    Of course, one response to the problem would be a Board of Certification, judging IoT products and giving a rating, including security concerns. That, however, would probably end up as useful as MPA ratings and just as ignored.

    Official ratings on computer games or films do not have as a consequence the possible loss of one's identity to a hacker. Bad or nonexistent security in an IoT thingy does and, as these bloody things are invading the vehicular aspect of our lives, danger to life and limb is looming.

    That needs legislation and enforcement, not just certifications.

    IoT security should literally be open source, it's the only way to be sure.

    1. Charles 9

      Re: "[..] has no way to learn how well it has been protected from attackers.”

      Nope. Look at Shellshock and other gaping holes in Open Source software. It's like Global Thermonuclear War: the only winning move is not to play.

      The openness of society today is raising the specter of trivial actions bringing grave consequences with sovereignty preventing any worthwhile action.

      How long before NOT being online becomes a selling point? How long before Big Brother suggests a Stateful Internet with no anonymity?

      1. choleric

        Re: "[..] has no way to learn how well it has been protected from attackers.”

        With global thermonuclear war the only winning move is to convince no one to play, including yourself. If it's only you that doesn't play then everyone still loses.

        With IoT security if you don't play you will win in the short term, but at least some of the consequences of everyone else's catastrophes will catch up with you eventually.

        1. Anonymous Coward
          Anonymous Coward

          Re: "[..] has no way to learn how well it has been protected from attackers.”

          You can't control other people's actions in the long run. If someone throws the switch, all you can do at that point is kiss your keister goodbye. If you're screwed, you're simply screwed. If someone is convinced MAD is a winning scenario, it's already game over.

          IOW, do what you CAN do...and then pray.

    2. oldcoder

      Re: "[..] has no way to learn how well it has been protected from attackers.”

      There wouldn't be a problem if people were not forced into using NAT.

      Nearly all the IoT things already use non-routing IP numbers as specified by their DHCP controlled network.

      Unfortunately, those same networks are also bypassing the inherent security by applying NAT to them "for convenience" just because the ISP refuses to migrate to IPv6, and stop using NAT.

  3. Anonymous Coward
    Anonymous Coward

    Executive summary

    tl;dr: we're all completely screwed unless something that isn't going to happen, happens.

    I'm in infosec. Sometimes I wake up to the radio reporting news of the latest big hack -- San Francisco public transport this morning -- and think: "I've got a job for life. Yayyyyy!" Other days I wake up to the news of the latest big hack and think: "I've got a job for life. Oh godddddddddd nooooo..." It's a well-paid line of work, admittedly, but the psychic damage from making a living repainting deckchairs for Cunard adds up, you know.

    1. James 36

      Re: Executive summary

      you are Richard Hollis, I claim my free beer

      if you aren't then his presentation called "dance band on the titanic" sums it up nicely

      Until security is seen as something with value outside of the IT/security community it ain't gonna happen

      forcing companies to declare breaches like they do in the US would be a good place to start.

      At least it would show it is much more common than is perceived

  4. VinceH

    Optional

    "attackers cannot steal data that is not stored, and cannot use data that is encrypted.”

    This is a point that not enough people are considering, as well. Too many things require a log-in for no reason other than to get our information to store for future [marketing] reference, and/or for the benefit of ne'er-do-wells in the event of a breach.

  5. Lotaresco

    It's not "security" that is rubbish

    It's the way that businesses choose to run their IT systems.

    I get contacted by large organisations who get my name from people I have done a good job for, or via the professional body that certifies me as an information assurance specialist. (I refuse to call myself "cyber professional"). Enough of them take me on to keep my life ticking along nicely, but the majority, and that's about 75% of those asking for help, then refuse to accept what they will have to do.

    Large companies tend to have IT networks that are poorly conceived and badly executed. Software is unpatched, Windows XP and Server 2003 lingering on in dark corners, flat networks on which the only security appliance is an aging firewall that has had rule after rule pushed onto it to the point that it's so open that there's no point having it.

    The reason for this is budget and nothing else. Businesses don't like spending on IT unless the result of the spend can be seen and understood by the CEO. So shiny new desktops for offices in management land, good. Faster connection to the porn vital business communications, good. Spending several thousand on sorting out the fact that some idiot wired all the ILO cards to the user LAN[1], bad.

    [1] Like the Highlander, there will be only one. Networks flatter than E A Abbott's fantasy world are the norm. Once you're in, you're in with access to everything.

    1. Missing Semicolon Silver badge
      Devil

      Re: It's not "security" that is rubbish

      +lots!

      Only when executives have personal responsibility for customer data security will things change. Right now, the cost to a company of a data breach is still much less than the cost of providing enough security.

      Personal liability is the only way, as the alternative - company liability - requires fines so large that the shareholders are justified in suing the executives. They can't do that, of course, as incompetence isn't a crime, only malfeasance is.

      And, the law would need to be written in such a way that the liabilities are uninsurable. At the moment, most executives insist on corporate liability insurance, which would simply push the cost back on the company.

      Only then would a CEO bestir himself to investigate the company's security arrangements and satisfy himself that he could argue in a court of law that all reasonable steps were taken. "Don't understand computers"? Then learn!

      1. Charles 9

        Re: It's not "security" that is rubbish

        And that will NEVER happen because one stated purpose of corporations is to DEFLECT responsibility. Otherwise, no one will be willing to invest in it. So you either wither on the vine or you rot. No-win situation.

  6. Anonymous Coward
    Anonymous Coward

    It's a double-edged sword...

    Sure, I agree that recent developments have shown us that user security can be quite lacking within some companies. I'm sure we all remember the classic stories about those companies who stored their user credentials in plain text, which included passwords. Way to go!

    But on the other hand I also think it's fair to say that in some cases users also allow themselves to get compromised. The classic "I use the same passwords everywhere, even when I'm trying to download this game hack from that website which has a reputation of hacking". Some users will easily do that without thinking, only to end up seeing their beloved game accounts getting compromised (or worse).

    Security isn't a one way street where we can simply shove all the responsibility into the lap of the "big bad companies". Sure, users should be protected, but users should also stop every once in a while and think about what valuable information they're about to give away.

    1. Charles 9

      Re: It's a double-edged sword...

      "Security isn't a one way street where we can simply shove all the responsibility into the lap of the "big bad companies". Sure, users should be protected, but users should also stop every once in a while and think about what valuable information they're about to give away."

      NO!!!

      You MUST assume the worst, because otherwise Murphy WILL beat you. Every. Damn. Time. You can't teach things to a brick, and bricks happen to be pretty high up on the intelligence scale of the human race.

      IOW, you MUST account for the type of people who would willingly give up their identity for porn, who couldn't remember a password if it comprised their first name, because otherwise THEY'LL be the ones who blow your Internet wide open. Plus, odds are, they're the ones who can dictate terms.

  7. Steve Davies 3 Silver badge
    Mushroom

    Yes, Security is Rubbish

    Yes, go fix it.

    But don't forget to leave those backdoors for the TLA's to get access to your hardened device.

    Otherwise the lawyers who are politicians might be tempted to ban your newly secured device.

    stop the world, I wanna get off (and not on a one-way trip to Mars)

  8. cantankerous swineherd

    special mention for experian, who've made a business of libelling people who haven't borrowed money from banks too lazy to check up on who they are actually handing cash over to.
