SlideShare une entreprise Scribd logo

Computers will never be secure due to complexity of software

CAST
CAST

1) Computers will never be completely secure due to the immense complexity of software and the many potential vulnerabilities across entire technology supply chains. 2) The risks of computer insecurity are growing as computers are integrated into more physical systems like cars, medical devices, and household appliances through the "Internet of Things". 3) While technical solutions can help, the incentives for companies to prioritize security are often weak, and economic and policy tools may be needed to better manage cyber risks, such as through regulation, liability standards, and cybersecurity insurance.

Technologie
1  sur  5
Télécharger pour lire hors ligne
Why computers will never be safe APRIL 8TH–14TH 2017 The Pearl river delta: a special report Hospitals of the future Jacob Zuma must go Parking, wrong on so many levels
The Economist April 8th 2017 9 COMPUTER security is a con- tradiction in terms. Consid- er the past year alone: cyber- thieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an in- ternet firm, by Verizon, a tele- coms firm, was nearly derailed by two enormous data breaches; and Russian hackers inter- fered in the American presidential election. Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is boom- ing. The problem is about to get worse. Computers increasing- ly deal not just with abstract data like credit-card details and databases, but also with the real world ofphysical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into every- thing from road signs and MRI scanners to prosthetics and in- sulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hack- ers have already proved that they can take remote control of connected cars and pacemakers. It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for height- ened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind ofculti- vated paranoia which does not come naturally to non-tech firms. Companies ofall stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of. But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must managearound2bnlinesofsourcecode—errorsareinevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought (see page 69). Leaving the windows open This is not a counsel of despair. The risk from fraud, car acci- dents and the weather can never be eliminated completely ei- ther. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives forsaferbehaviour. Start with regulation. Governments’ first priority is to re- frain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impos- sible to weaken encryption for terrorists alone. The same pro- tection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer se- curity is best served by encryption that is strongfor everyone. The next priority is setting basic product regulations. A lack ofexpertisewillalwayshampertheabilityofusersofcomput- ers to protect themselves. So governments should promote “public health” for computing. They could insist that internet- connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they ortheirproductsarehacked.Thatencouragesthemtofixapro- blem instead ofburyingit. Go a bit slowerand fixthings Butsettingminimum standardsstill getsyouonlyso far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of botnets, net- works of computers, from desktops to routers to “smart” light bulbs, that are infected with malware and attackother targets. Most important, the software industry has for decades dis- claimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws. Firms should recognise that, ifthe courts do not force the li- ability issue, public opinion will. Many computer-security ex- perts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In1965 Ralph Na- der published “Unsafe at Any Speed”, a bestselling book that exposedandexcoriatedtheindustry’slaxattitude.Thefollow- ing year the government came down hard with rules on seat belts, headrests and the like. Now imagine the clamour forleg- islation afterthe first child fatality involvingself-driving cars. Fortunately, the small butgrowingmarketin cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insur- ancepayoutthatwillstopitfromgoingbankrupt.It isherethat some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limitingtheirliability forold products. One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changingattitudesandbehaviourwillrequireeconomictools, not just technical ones. 7 The myth of cyber-security Computerswillneverbe secure. To manage the risks, lookto economics ratherthan technology Leaders
The Economist April 8th 2017 69 1 OVERacoupleofdaysinFebruary,hun- dreds of thousands of point-of-sale printers in restaurants around the world began behaving strangely. Some churned outbizarrepicturesofcomputersandgiant robots signed, “with love from the hacker God himself”. Some informed their own- ers that, “YOUR PRINTER HAS BEEN PWND’D”. Some told them, “For the love of God, please close this port”. When the hacker God gave an interview to Mother- board, a technologywebsite,he claimed to be a British secondary-school pupil by the name of “Stackoverflowin”. Annoyed by the parlous state of computer security, he had,heclaimed,decidedtoperformapub- lic service by demonstrating just how easy it was to seize control. Not all hackers are so public-spirited, and 2016 was a bonanza for those who are not. In February of that year cyber-crooks stole $81m directlyfrom the central bank of Bangladesh—and would have got away with more were it not for a crucial typo. In August America’s National Security Agen- cy (NSA) saw its own hacking tools leaked all over the internet by a group calling themselves the Shadow Brokers. (The CIA suffered a similar indignity this March.) In October a piece of software called Mirai was used to flood Dyn, an internet infra- structure company, with so much mean- one’s guess (most small attacks, and many big ones, go unreported). But all agree it is likely to rise, because the scope for malice is about to expand remarkably. “We are building a world-sized robot,” says Bruce Schneier, a securityanalyst, in the shape of the “Internet of Things”. The IoT is a buzz- phrase used to describe the computerisa- tion ofeverythingfrom cars and electricity meters to children’s toys, medical devices and light bulbs. In 2015 a group of comput- er-security researchers demonstrated that it was possible to take remote control of certain Jeep cars. When the Mirai malware isusedtobuildabotnetitseeksoutdevices such as video recorders and webcams; the botnet forfridges is just around the corner. Not OK, computer “The defaultassumption isthateverything is vulnerable,” says Robert Watson, a com- puter scientist at the University of Cam- bridge. The reasons for this run deep. The vulnerabilitiesofcomputersstemfromthe basics of information technology, the cul- ture of software development, the break- neck pace of online business growth, the economic incentives faced by computer firms and the divided interests of govern- ments. The rising damage caused by com- puter insecurity is, however, beginning to spur companies, academics and govern- ments into action. Modern computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The op- erating system that lets the machine run particular programs comes from someone ingless traffic that websites such as Twitter and Reddit were made inaccessible to many users. And the hackingofthe Demo- cratic National Committee’s e-mail servers and the subsequent leaking of embarrass- ing communications seems to have been part of an attempt to influence the out- come ofthe American elections. Away from matters of great scale and grand strategy, most hacking is either show-off vandalism or simply criminal. It is also increasingly easy. Obscure forums oil the trade in stolen credit-card details, sold in batches of thousands at a time. Data-dealers hawk “exploits”: flaws in code that allow malicious attackers to sub- vert systems. You can also buy “ransom- ware”, with which to encrypt photos and documents on victims’ computers before charging them for the key that will un- scramble the data. So sophisticated are these facilitating markets that coding skills are now entirely optional. Botnets—flocks of compromised computers created by software like Mirai, which can then be used to flood websites with traffic, knock- ingthemofflineuntilaransomispaid—can be rented by the hour. Just like a legitimate business, the bot-herders will, for a few dollars extra, provide technical support if anythinggoes wrong. The total cost of all this hacking is any- Computer security Why everything is hackable Computersecurityis broken from top to bottom. As the consequences pile up, though, things are starting to improve Science and technology
70 Science and technology The Economist April 8th 2017 1 2 else. The programs themselves from some- one else again. A mistake at any stage, or in the links between any two stages, can leave the entire system faulty—or vulner- able to attack. It is not always easy to tell the differ- ence. Peter Singer, a fellow at New Ameri- ca, a think-tank, tells the story of a manu- facturing defect discovered in 2011in some of the transistors which made up a chip used on American naval helicopters. Had the bug gone unspotted, it would have stopped those helicopters firing their mis- siles. The chips in question were, like most chips, made in China. The navyeventually concludedthatthedefecthadbeenanacci- dent, but not without giving serious thought to the idea it had been deliberate. Most hackers lackthe resources to mess aroundwithchipdesignandmanufacture. But they do not need them. Software offers opportunities for subversion in profusion. In 2015 Rachel Potvin, an engineer at Goo- gle, said thatthe companyasa whole man- aged around 2bn linesofcode acrossits va- rious products. Those programs, in turn, must run on operating systems that are themselves ever more complicated. Linux, a widely used operatingsystem, clocked in at 20.3m lines in 2015. The latest version of Microsoft’s Windows operating system is thought to be around 50m lines long. An- droid, the most popular smartphone oper- atingsystem, is12m. Getting each of those lines to interact properly with the rest of the program they are in, and with whatever other pieces of software and hardware that program might need to talk to, is a task that no one cangetrightfirsttime.Anoft-citedestimate madebySteveMcConnell,aprogramming guru, is that people writing source code— the instructions that are compiled, inside a machine, into executable programs—make between ten and 50 errors in every 1,000 lines. Careful checking at big software companies, he says, can push that down to 0.5 per 1,000 or so. But even this error rate implies thousands of bugs in a modern program, any one of which could offer the possibility of exploitation. “The attackers only have to find one weakness,” says Kathleen Fisher, a computer scientist at TuftsUniversityinMassachusetts.“Thede- fenders have to plug every single hole, in- cludingones they don’t know about.” All that is needed is a way to get the computerto accept a set ofcommands that it should not. A mistake may mean there are outcomes of a particular command or sequence of commands that no one has foreseen. There may be ways ofgetting the computer to treat data as instructions—for both are represented insidethe machine in the same form, as strings of digits. “Stack- overflowin”, the sobriquet chosen by the restaurant-printer hacker, refers to such a technique. If data “overflow” from a part of the system allocated for memory into a part where the machine expects instruc- tions,theywillbetreatedasasetofnewin- structions. (It is also possible to reverse the process and turn instructions into unex- pected streams of data. In February re- searchers at Ben-Gurion University, in Isra- el, showed that they could get data out ofa compromised computer by using the light thatshowswhethertheharddriveiswork- ingtosendthosedatatoawatchingdrone.) Shutting down every risk of abuse in millionsoflinesofcodebeforepeoplestart to use that code is nigh-on impossible. America’s Department of Defence (DoD), Mr Singer says, has found significant vul- nerabilities in every weapon system it ex- amined. Things are no better on civvie street. According to Trustwave, a security- research firm, in 2015 the average phone app had14 vulnerabilities. Karma police All these programs sit on top of older tech- nologies that are often based on ways of thinking which date back to a time when security was barely a concern at all. This is particularly true of the internet, originally a tool whereby academics shared research data. The first versions ofthe internet were policed mostly by consensus and eti- quette, including a strong presumption against use forcommercial gain. When Vint Cerf, one of the internet’s pioneers, talked about building encryp- tion into it in the 1970s he says his efforts were blocked byAmerica’sspies, who saw cryptography as a weapon for nation- states. Thus, rather than being secure from the beginning, the net needs a layer of ad- ditional software half a million lines long to keep things like credit-card details safe. New vulnerabilities and weaknesses in that layerare reported every year. The innocent foundations of many computersystems remain a source forcon- cern. So does the innocence ofmany users. Send enough people an innocuous-look- ing e-mail that asks for passwords or con- tains what look like data, but is in fact a crafty set of instructions, and you have a good chance that someone will click on somethingthattheyshouldnothavedone. Try as network administrators might to in- stil good habits in their charges, if there are enough people to probe, the chances of trust, laziness or error letting a malefactor get in are pretty high. Good security cultures, both within software developers and between firms and their clients, take time to develop. This is one ofthe reasons to worry about the In- ternet of Things. “Some of the companies making smart light bulbs, say, or electricity meters, are not computing companies, cul- turally speaking,” says Graham Steel, who runs Cryptosense, a firm that carries out automated cryptographic analysis. A data- base belonging to Spiral Toys, a firm that sells internet-connected teddy bears through which toddlers can send mes- sages to their parents, lay unprotected on- line for several days towards the end of 2016, allowing personal details and tod- dlers’ messages to be retrieved. Even in firms that are aware of the is- sues, such as car companies, nailing down security can be hard. “The big firms whose logos are on the cars you buy, they don’t really make cars,” points out Dr Fisher. “They assemble lots of components from smallersuppliers, and increasingly, each of those has code in it. It’s really hard for the carcompaniestogetanoverviewofevery- thingthat’s goingin.” On top of the effects of technology and culture there is a third fundamental cause of insecurity: the economic incentives of the computer business. Internet business- es, in particular, value growth above al- most everything else, and time spent try- ing to write secure code is time not spent adding customers. “Ship it on Tuesday, fix the security problems next week—maybe” is the attitude, accordingto Ross Anderson, another computer-security expert at the University ofCambridge. To infinity and beyond Sources: Company reports; press reports; The Economist *Minimum estimate †Upper estimate Lines of text/source code, m Log scale 0.10.01 1.0 10 100 1,000 2,000 Sim pleiOSapp Heartpacem aker WarAndPeace SuperMarioBros.(1985) Spaceshuttle Windows3.1(1992) MarsCuriosityrover GoogleChrom e* Boeing787 Android† F-35fighterplane LargeHadron Collider Facebook MacOSX10.4 FordF-150(2016) Google(allproducts)
The Economist April 8th 2017 Science and technology 71 2 The long licence agreements that users of software must accept (almost always without reading them) typically disclaim any liability on the part of a software firm if things go wrong—even when the soft- ware involved is specifically designed to protect computers against viruses and the like. Such disclaimers are not always en- forceableeverywhere.ButcourtsinAmeri- ca, the world’s biggest software market, have generally been sympathetic. This im- punity is one reason why the computing industry is so innovative and fast-moving. But the lack of legal recourse when a pro- duct proves vulnerable represents a signif- icant cost to users. If customers find it hard to exert pres- sure on companies through the courts, you might expect governments to step in. But Dr Anderson points out that they suffer from contradictory incentives. Sometimes they want computer security to be strong, because hacking endangers both their citi- zensand theirown operations. On the oth- er hand, computers are espionage and sur- veillance tools, and easier to use as such if theyare notcompletelysecure. To this end, theNSAiswidelybelievedtohavebuiltde- liberate weaknesses into some of its fa- voured encryption technologies. Increasinglyparanoid android The risk is that anyone else who discovers these weaknesses can do the same. In 2004 someone (no authority has said who)spentmonthslisteningtothemobile- phone calls of the upper echelons of the Greek government—including the prime minister, Costas Karamanlis—by subvert- ing surveillance capabilities built into the kit Ericsson had supplied to Vodafone, the pertinent networkoperator. Some big companies, and also some governments,arenowtryingtosolvesecu- rity problems in a systematic way. Free- lance bug-hunters can often claim boun- ties from firms whose software they find fault with. Microsoft vigorously nags cus- tomers to ditch outdated, less-secure ver- sionsofWindowsin favourofnewerones, though with only limited success. In an at- tempt to squash as many bugs as possible, Google and Amazon are developing their own versions of standard encryption pro- tocols, rewriting from top to bottom the code that keeps credit-card details and oth- er tempting items secure. Amazon’s ver- sion has been released on an “open- source” basis, letting all comers look at the source code and suggest improvements. Open-sourceprojectsprovide,inprinciple, a broad base of criticism and improve- ment. The approach only works well, though, if it attracts and retains a commit- ted community ofdevelopers. More fundamental is work paid for by the Defence Advanced Research Projects Agency (DARPA), a bit of the DoD that was instrumental in the development ofthe in- ternet. At the University of Cambridge, Dr Watson has been using this agency’s mon- eyto design CHERI, a newkind ofchip that attempts to bake security into hardware, rather than software. One feature, he says, is that the chip manages its memory in a way that ensures data cannot be mistaken for instructions, thus defanging an entire category ofvulnerabilities. CHERI also lets individual programs, and even bits of pro- grams, run inside secure “sandboxes”, which limit their ability to affect other parts of the machine. So even if attackers obtain access to one part of the system, they cannot breakout into the rest. Sandboxing is already used by operat- ing systems, web browsers and so on. But writing sandboxing into software imposes performance penalties. Having a chip that instantiates the idea in hardware gets around that. “We can have a web browser where every part of a page—every image, every ad, the text, and so on—all run in their own little secure enclaves,” says Dr Watson. His team’s innovations, he be- lieves, could be added fairly easily to the chipsdesigned byARMand Intel thatpow- erphones and laptops. Another DARPA project focuses on a technique called “formal methods”. This reduces computer programs to gigantic statements in formal logic. Mathematical theorem-provingtoolscan then be applied to show that a program behaves exactly as its designers want it to. Computer scien- tists have been exploring such approaches for years, says Dr Fisher, but it is only re- cently that cheap computing power and usable tools have let the results be applied to pieces of software big enough to be of practical interest. In 2013 Dr Fisher’s team developed formally verified flight-control softwareforahobbyistdrone.Ateamofat- tackers, despite being given full access to the drone’s source code, proved unable to find theirway in. “It will be a long time before we’re us- ing this stuff on something as complicated as a fully fledged operating system,” says Dr Fisher. But she points out that many of the riskiest computing applications need only simple programs. “Things like insulin pumps, car components, all kinds of IoT devices—those are things we could look at applyingthis to.” Most fundamental of all, though, is the way in which markets are changing. The ubiquity ofcyber-attacks, and the seeming impossibility of preventing them, is per- suading big companies to turn to an old remedy for such unavoidable risks: insur- ance. “The cyber-insurance market is worth something like $3bn-4bn a year,” says Jeremiah Grossman ofSentinelOne, a company which sells protection against hacking (and which, unusually, offers a guaranteethatitssolutionswork).“Andit’s growingat 60% a year.” As the costs of insurance mount, com- panies may start to demand more from the software they are using to protect them- selves,andaspayoutsrise,insurerswillde- mand the software be used properly. That could be a virtuous alignment of interests. A report published in 2015 by PwC, a man- agement consultancy, found that a third of American businesses have cyber-insur- ancecoverofsomekind,thoughitoftenof- fers only limited protection. But it is the issue ofsoftware-makers’ li- ability for their products that will prove most contentious. The precedents that lie behind it belong to an age when software was a business novelty—and when com- puters dealt mostly with abstract things like spreadsheets. In those days, the issue was less pressing. But in a world where softwareiseverywhere,andcomputerised cars or medical devices can kill people di- rectly, it cannot be ducked forever. “The industry will fight any attempt to imposeliabilityabsolutelytoothandnail,” says Mr Grossman. On top of the usual re- sistance to regulations that impose costs, SiliconValley’scompaniesoftenhavealib- ertarian streak that goes with roots in the counterculture of the 1960s, bolstered by a self-serving belief that anything which slows innovation—defined rather narrow- ly—isanattackonthepublicgood.Kenneth White, a cryptography researcherin Wash- ington, DC, warns that if the government comes down too hard, the software busi- ness may end up looking like the pharma- ceutical industry, where tough, ubiquitous regulationisonereasonwhythecostofde- veloping a new drug is now close to a bil- lion dollars. There is, then, a powerful in- centive for the industry to clean up its act before the government cleans up for it. Too manymore yearslike 2016, and thatoppor- tunity will vanish like the contents of a hacked bankaccount. 7

Recommandé

6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
Cyber savvy (2)
Cyber savvy (2)Cyber savvy (2)
Cyber savvy (2)naveen p
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Cyber Warfare
Cyber WarfareCyber Warfare
Cyber WarfareJason Fernandes
 
Delusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoDelusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoJoão Rufino de Sales
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Beza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza Belayneh
 
FBI vs DOJ vs Microsoft
FBI vs DOJ vs MicrosoftFBI vs DOJ vs Microsoft
FBI vs DOJ vs MicrosoftOlivia Farrow
 

Recommandé

6 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 20196 Cybersecurity Trends to Watch in 2019
6 Cybersecurity Trends to Watch in 2019BluePayProcessing
 
Cyber savvy (2)
Cyber savvy (2)Cyber savvy (2)
Cyber savvy (2)naveen p
 
1. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol21. security 20 20 - ebook-vol2
1. security 20 20 - ebook-vol2Adela Cocic
 
Cyber Warfare
Cyber WarfareCyber Warfare
Cyber WarfareJason Fernandes
 
Delusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoDelusions of-safety-cyber-savvy-ceo
Delusions of-safety-cyber-savvy-ceoJoão Rufino de Sales
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
Beza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza belayneh information_warfare_brief
Beza belayneh information_warfare_briefBeza Belayneh
 
FBI vs DOJ vs Microsoft
FBI vs DOJ vs MicrosoftFBI vs DOJ vs Microsoft
FBI vs DOJ vs MicrosoftOlivia Farrow
 
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website DefendersDistil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website DefendersEnterprise Management Associates
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomStanford GSB Corporate Governance Research Initiative
 
What's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacyWhat's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacyFabrizio Gramuglio
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexAndreanne Clarke
 
Iot privacy vs convenience
Iot privacy vs convenienceIot privacy vs convenience
Iot privacy vs convenienceDon Lovett
 
The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010- Mark - Fullbright
 
Tech won't build it zine
Tech won't build it zineTech won't build it zine
Tech won't build it zinePaige Panter
 
Fall2015SecurityShow
Fall2015SecurityShowFall2015SecurityShow
Fall2015SecurityShowAdam Heller
 
220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?Spire Research and Consulting
 
Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014Spiceworks Ziff Davis
 
Mobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to SolveMobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to SolveIcomm Technologies
 
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information OpportunityJohn Mancini
 
HE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSourceHE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSourceBrian Arellanes
 
Blue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware ReportBlue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware ReportContent Rules, Inc.
 
IT_Cutter_Publication
IT_Cutter_PublicationIT_Cutter_Publication
IT_Cutter_PublicationWesley J. Meier, CISM, CIP
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper FinalLarry Taylor Ph.D.
 
Bauer Heather Software Piracy
Bauer Heather Software PiracyBauer Heather Software Piracy
Bauer Heather Software PiracyHeather Bauer
 
The Internet of Things and Future Shock: Too Much Change Too Fast?
The Internet of Things and Future Shock: Too Much Change Too Fast?The Internet of Things and Future Shock: Too Much Change Too Fast?
The Internet of Things and Future Shock: Too Much Change Too Fast?Pew Research Center's Internet & American Life Project
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2Shane Kite
 
2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 

Contenu connexe

Tendances

Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website DefendersDistil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website DefendersEnterprise Management Associates
 
What's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacyWhat's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacyFabrizio Gramuglio
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexAndreanne Clarke
 
Iot privacy vs convenience
Iot privacy vs convenienceIot privacy vs convenience
Iot privacy vs convenienceDon Lovett
 
The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010- Mark - Fullbright
 
Tech won't build it zine
Tech won't build it zineTech won't build it zine
Tech won't build it zinePaige Panter
 
Fall2015SecurityShow
Fall2015SecurityShowFall2015SecurityShow
Fall2015SecurityShowAdam Heller
 
Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014Spiceworks Ziff Davis
 
Mobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to SolveMobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to SolveIcomm Technologies
 
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information OpportunityJohn Mancini
 
HE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSourceHE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSourceBrian Arellanes
 
Blue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware ReportBlue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware ReportContent Rules, Inc.
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper FinalLarry Taylor Ph.D.
 
Bauer Heather Software Piracy
Bauer Heather Software PiracyBauer Heather Software Piracy
Bauer Heather Software PiracyHeather Bauer
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2Shane Kite
 

Tendances (19)

Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website DefendersDistil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
 
Critical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the BoardroomCritical Update Needed: Cybersecurity Expertise in the Boardroom
Critical Update Needed: Cybersecurity Expertise in the Boardroom
 
What's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacyWhat's digital profiling and its impact on your privacy
What's digital profiling and its impact on your privacy
 
IBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence IndexIBM 2015 Cyber Security Intelligence Index
IBM 2015 Cyber Security Intelligence Index
 
Iot privacy vs convenience
Iot privacy vs convenienceIot privacy vs convenience
Iot privacy vs convenience
 
The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010The Rise of Cybercrime 1970s - 2010
The Rise of Cybercrime 1970s - 2010
 
Tech won't build it zine
Tech won't build it zineTech won't build it zine
Tech won't build it zine
 
Fall2015SecurityShow
Fall2015SecurityShowFall2015SecurityShow
Fall2015SecurityShow
 
220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?220715_Cybersecurity: What's at stake?
220715_Cybersecurity: What's at stake?
 
Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014Weathering mobile-storm-report-october-2014
Weathering mobile-storm-report-october-2014
 
Mobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to SolveMobility, Security and the Enterprise: The Equation to Solve
Mobility, Security and the Enterprise: The Equation to Solve
 
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
#AIIM14 keynote -- Turning Information Chaos into Information Opportunity
 
HE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSourceHE Mag_New Cyber Threats_ITSource
HE Mag_New Cyber Threats_ITSource
 
Blue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware ReportBlue Coat 2013 Systems Mobile Malware Report
Blue Coat 2013 Systems Mobile Malware Report
 
IT_Cutter_Publication
IT_Cutter_PublicationIT_Cutter_Publication
IT_Cutter_Publication
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final2010 6 Things u need 2 know in 2010 Whitepaper Final
2010 6 Things u need 2 know in 2010 Whitepaper Final
 
Bauer Heather Software Piracy
Bauer Heather Software PiracyBauer Heather Software Piracy
Bauer Heather Software Piracy
 
The Internet of Things and Future Shock: Too Much Change Too Fast?
The Internet of Things and Future Shock: Too Much Change Too Fast?The Internet of Things and Future Shock: Too Much Change Too Fast?
The Internet of Things and Future Shock: Too Much Change Too Fast?
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2
 

Similaire à Computers will never be secure due to complexity of software

2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial CrimesRaj Goel
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecuritySpark Security
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017Accelerate Tech
 
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...Black Duck by Synopsys
 
Ethical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTEthical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTLuckeylama
 
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docx
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docxBulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docx
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docxRAHUL126667
 
INSECURE Magazine - 33
INSECURE Magazine - 33INSECURE Magazine - 33
INSECURE Magazine - 33Felipe Prado
 
GDPR - a real opportunity for a new digital revolution (2018)
GDPR - a real opportunity for a new digital revolution (2018)GDPR - a real opportunity for a new digital revolution (2018)
GDPR - a real opportunity for a new digital revolution (2018)Marjola Begaj
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceSymantec
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017Accelerate Tech
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Kim Jensen
 
Cybertorts
CybertortsCybertorts
Cybertortspanabaha
 
Top 10 Cybersecurity Trends to Watch Out For in 2022
Top 10 Cybersecurity Trends to Watch Out For in 2022Top 10 Cybersecurity Trends to Watch Out For in 2022
Top 10 Cybersecurity Trends to Watch Out For in 2022ManviShukla4
 
286CHAPTER 14CyberlawCHAPTER 15International and.docx
286CHAPTER 14CyberlawCHAPTER 15International and.docx286CHAPTER 14CyberlawCHAPTER 15International and.docx
286CHAPTER 14CyberlawCHAPTER 15International and.docxrhetttrevannion
 

Similaire à Computers will never be secure due to complexity of software (20)

2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes2009 10 21 Rajgoel Trends In Financial Crimes
2009 10 21 Rajgoel Trends In Financial Crimes
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
 
A1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for CybersecurityA1 - Cibersegurança - Raising the Bar for Cybersecurity
A1 - Cibersegurança - Raising the Bar for Cybersecurity
 
Volume2 chapter1 security
Volume2 chapter1 securityVolume2 chapter1 security
Volume2 chapter1 security
 
Netop Remote Control Embedded Devices
Netop Remote Control Embedded DevicesNetop Remote Control Embedded Devices
Netop Remote Control Embedded Devices
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
 
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...
Open Source Insight: IoT, Medical Devices, Connected Cars All Vulnerable to ...
 
Ethical, Legal and Social issues IoT
Ethical, Legal and Social issues IoTEthical, Legal and Social issues IoT
Ethical, Legal and Social issues IoT
 
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docx
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docxBulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docx
Bulletinof theAtomicScientistsIT IS 5 MINUTES TO MID.docx
 
INSECURE Magazine - 33
INSECURE Magazine - 33INSECURE Magazine - 33
INSECURE Magazine - 33
 
GDPR - a real opportunity for a new digital revolution (2018)
GDPR - a real opportunity for a new digital revolution (2018)GDPR - a real opportunity for a new digital revolution (2018)
GDPR - a real opportunity for a new digital revolution (2018)
 
A Manifesto for Cyber Resilience
A Manifesto for Cyber ResilienceA Manifesto for Cyber Resilience
A Manifesto for Cyber Resilience
 
Top 15 security predictions for 2017
Top 15 security predictions for 2017Top 15 security predictions for 2017
Top 15 security predictions for 2017
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 
Terrorist Cyber Attacks
Terrorist Cyber AttacksTerrorist Cyber Attacks
Terrorist Cyber Attacks
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Cybertorts
CybertortsCybertorts
Cybertorts
 
Top 10 Cybersecurity Trends to Watch Out For in 2022
Top 10 Cybersecurity Trends to Watch Out For in 2022Top 10 Cybersecurity Trends to Watch Out For in 2022
Top 10 Cybersecurity Trends to Watch Out For in 2022
 
286CHAPTER 14CyberlawCHAPTER 15International and.docx
286CHAPTER 14CyberlawCHAPTER 15International and.docx286CHAPTER 14CyberlawCHAPTER 15International and.docx
286CHAPTER 14CyberlawCHAPTER 15International and.docx
 
Enterprise Cyber Security 2016
Enterprise Cyber Security 2016Enterprise Cyber Security 2016
Enterprise Cyber Security 2016
 

Plus de CAST

Six steps-to-enhance-performance-of-critical-systems
Six steps-to-enhance-performance-of-critical-systemsSix steps-to-enhance-performance-of-critical-systems
Six steps-to-enhance-performance-of-critical-systemsCAST
 
Application Performance: 6 Steps to Enhance Performance of Critical Systems
Application Performance: 6 Steps to Enhance Performance of Critical SystemsApplication Performance: 6 Steps to Enhance Performance of Critical Systems
Application Performance: 6 Steps to Enhance Performance of Critical SystemsCAST
 
Application Assessment - Executive Summary Report
Application Assessment - Executive Summary ReportApplication Assessment - Executive Summary Report
Application Assessment - Executive Summary ReportCAST
 
Cloud Migration: Azure acceleration with CAST Highlight
Cloud Migration: Azure acceleration with CAST HighlightCloud Migration: Azure acceleration with CAST Highlight
Cloud Migration: Azure acceleration with CAST HighlightCAST
 
Cloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership OverviewCloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership OverviewCAST
 
Cloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case StudyCloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case StudyCAST
 
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...CAST
 
Green indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in codeGreen indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in codeCAST
 
9 Steps to Creating ADM Budgets
9 Steps to Creating ADM Budgets9 Steps to Creating ADM Budgets
9 Steps to Creating ADM BudgetsCAST
 
Improving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based ContractsImproving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based ContractsCAST
 
Drive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC ToolkitDrive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC ToolkitCAST
 
CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.CAST
 
Shifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business OutcomesShifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business OutcomesCAST
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityCAST
 
The business case for software analysis & measurement
The business case for software analysis & measurementThe business case for software analysis & measurement
The business case for software analysis & measurementCAST
 
Cast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance InfographicCast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance InfographicCAST
 
What is system level analysis
What is system level analysisWhat is system level analysis
What is system level analysisCAST
 
Deloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical DebtDeloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical DebtCAST
 
What you should know about software measurement platforms
What you should know about software measurement platformsWhat you should know about software measurement platforms
What you should know about software measurement platformsCAST
 
CRASH Report 2014
CRASH Report 2014CRASH Report 2014
CRASH Report 2014CAST
 

Plus de CAST (20)

Six steps-to-enhance-performance-of-critical-systems
Six steps-to-enhance-performance-of-critical-systemsSix steps-to-enhance-performance-of-critical-systems
Six steps-to-enhance-performance-of-critical-systems
 
Application Performance: 6 Steps to Enhance Performance of Critical Systems
Application Performance: 6 Steps to Enhance Performance of Critical SystemsApplication Performance: 6 Steps to Enhance Performance of Critical Systems
Application Performance: 6 Steps to Enhance Performance of Critical Systems
 
Application Assessment - Executive Summary Report
Application Assessment - Executive Summary ReportApplication Assessment - Executive Summary Report
Application Assessment - Executive Summary Report
 
Cloud Migration: Azure acceleration with CAST Highlight
Cloud Migration: Azure acceleration with CAST HighlightCloud Migration: Azure acceleration with CAST Highlight
Cloud Migration: Azure acceleration with CAST Highlight
 
Cloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership OverviewCloud Readiness : CAST & Microsoft Azure Partnership Overview
Cloud Readiness : CAST & Microsoft Azure Partnership Overview
 
Cloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case StudyCloud Migration: Cloud Readiness Assessment Case Study
Cloud Migration: Cloud Readiness Assessment Case Study
 
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
Digital Transformation e-book: Taking the 20X20n approach to accelerating Dig...
 
Green indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in codeGreen indexes used in CAST to measure the energy consumption in code
Green indexes used in CAST to measure the energy consumption in code
 
9 Steps to Creating ADM Budgets
9 Steps to Creating ADM Budgets9 Steps to Creating ADM Budgets
9 Steps to Creating ADM Budgets
 
Improving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based ContractsImproving ADM Vendor Relationship through Outcome Based Contracts
Improving ADM Vendor Relationship through Outcome Based Contracts
 
Drive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC ToolkitDrive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
Drive Business Excellence with Outcomes-Based Contracting: The OBC Toolkit
 
CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.CAST Highlight: Code-level portfolio analysis. FAST.
CAST Highlight: Code-level portfolio analysis. FAST.
 
Shifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business OutcomesShifting Vendor Management Focus to Risk and Business Outcomes
Shifting Vendor Management Focus to Risk and Business Outcomes
 
Applying Software Quality Models to Software Security
Applying Software Quality Models to Software SecurityApplying Software Quality Models to Software Security
Applying Software Quality Models to Software Security
 
The business case for software analysis & measurement
The business case for software analysis & measurementThe business case for software analysis & measurement
The business case for software analysis & measurement
 
Cast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance InfographicCast Highlight Software Maintenance Infographic
Cast Highlight Software Maintenance Infographic
 
What is system level analysis
What is system level analysisWhat is system level analysis
What is system level analysis
 
Deloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical DebtDeloitte Tech Trends 2014 Technical Debt
Deloitte Tech Trends 2014 Technical Debt
 
What you should know about software measurement platforms
What you should know about software measurement platformsWhat you should know about software measurement platforms
What you should know about software measurement platforms
 
CRASH Report 2014
CRASH Report 2014CRASH Report 2014
CRASH Report 2014
 

Dernier

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Dernier (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Computers will never be secure due to complexity of software

  • 1. Why computers will never be safe APRIL 8TH–14TH 2017 The Pearl river delta: a special report Hospitals of the future Jacob Zuma must go Parking, wrong on so many levels
  • 2. The Economist April 8th 2017 9 COMPUTER security is a con- tradiction in terms. Consid- er the past year alone: cyber- thieves stole $81m from the central bank of Bangladesh; the $4.8bn takeover of Yahoo, an in- ternet firm, by Verizon, a tele- coms firm, was nearly derailed by two enormous data breaches; and Russian hackers inter- fered in the American presidential election. Away from the headlines, a black market in computerised extortion, hacking-for-hire and stolen digital goods is boom- ing. The problem is about to get worse. Computers increasing- ly deal not just with abstract data like credit-card details and databases, but also with the real world ofphysical objects and vulnerable human bodies. A modern car is a computer on wheels; an aeroplane is a computer with wings. The arrival of the “Internet of Things” will see computers baked into every- thing from road signs and MRI scanners to prosthetics and in- sulin pumps. There is little evidence that these gadgets will be any more trustworthy than their desktop counterparts. Hack- ers have already proved that they can take remote control of connected cars and pacemakers. It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for height- ened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind ofculti- vated paranoia which does not come naturally to non-tech firms. Companies ofall stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of. But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must managearound2bnlinesofsourcecode—errorsareinevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought (see page 69). Leaving the windows open This is not a counsel of despair. The risk from fraud, car acci- dents and the weather can never be eliminated completely ei- ther. But societies have developed ways of managing such risk—from government regulation to the use of legal liability and insurance to create incentives forsaferbehaviour. Start with regulation. Governments’ first priority is to re- frain from making the situation worse. Terrorist attacks, like the recent ones in St Petersburg and London, often spark calls for encryption to be weakened so that the security services can better monitor what individuals are up to. But it is impos- sible to weaken encryption for terrorists alone. The same pro- tection that guards messaging programs like WhatsApp also guards bank transactions and online identities. Computer se- curity is best served by encryption that is strongfor everyone. The next priority is setting basic product regulations. A lack ofexpertisewillalwayshampertheabilityofusersofcomput- ers to protect themselves. So governments should promote “public health” for computing. They could insist that internet- connected gizmos be updated with fixes when flaws are found. They could force users to change default usernames and passwords. Reporting laws, already in force in some American states, can oblige companies to disclose when they ortheirproductsarehacked.Thatencouragesthemtofixapro- blem instead ofburyingit. Go a bit slowerand fixthings Butsettingminimum standardsstill getsyouonlyso far. Users’ failure to protect themselves is just one instance of the general problem with computer security—that the incentives to take it seriously are too weak. Often, the harm from hackers is not to the owner of a compromised device. Think of botnets, net- works of computers, from desktops to routers to “smart” light bulbs, that are infected with malware and attackother targets. Most important, the software industry has for decades dis- claimed liability for the harm when its products go wrong. Such an approach has its benefits. Silicon Valley’s fruitful “go fast and break things” style of innovation is possible only if firms have relatively free rein to put out new products while they still need perfecting. But this point will soon be moot. As computers spread to products covered by established liability arrangements, such as cars or domestic goods, the industry’s disclaimers will increasingly butt up against existing laws. Firms should recognise that, ifthe courts do not force the li- ability issue, public opinion will. Many computer-security ex- perts draw comparisons to the American car industry in the 1960s, which had ignored safety for decades. In1965 Ralph Na- der published “Unsafe at Any Speed”, a bestselling book that exposedandexcoriatedtheindustry’slaxattitude.Thefollow- ing year the government came down hard with rules on seat belts, headrests and the like. Now imagine the clamour forleg- islation afterthe first child fatality involvingself-driving cars. Fortunately, the small butgrowingmarketin cyber-security insurance offers a way to protect consumers while preserving the computing industry’s ability to innovate. A firm whose products do not work properly, or are repeatedly hacked, will find its premiums rising, prodding it to solve the problem. A firm that takes reasonable steps to make things safe, but which is compromised nevertheless, will have recourse to an insur- ancepayoutthatwillstopitfromgoingbankrupt.It isherethat some carve-outs from liability could perhaps be negotiated. Once again, there are precedents: when excessive claims against American light-aircraft firms threatened to bankrupt the industry in the 1980s, the government changed the law, limitingtheirliability forold products. One reason computer security is so bad today is that few people were taking it seriously yesterday. When the internet was new, that was forgivable. Now that the consequences are known, and the risks posed by bugs and hacking are large and growing, there is no excuse for repeating the mistake. But changingattitudesandbehaviourwillrequireeconomictools, not just technical ones. 7 The myth of cyber-security Computerswillneverbe secure. To manage the risks, lookto economics ratherthan technology Leaders
  • 3. The Economist April 8th 2017 69 1 OVERacoupleofdaysinFebruary,hun- dreds of thousands of point-of-sale printers in restaurants around the world began behaving strangely. Some churned outbizarrepicturesofcomputersandgiant robots signed, “with love from the hacker God himself”. Some informed their own- ers that, “YOUR PRINTER HAS BEEN PWND’D”. Some told them, “For the love of God, please close this port”. When the hacker God gave an interview to Mother- board, a technologywebsite,he claimed to be a British secondary-school pupil by the name of “Stackoverflowin”. Annoyed by the parlous state of computer security, he had,heclaimed,decidedtoperformapub- lic service by demonstrating just how easy it was to seize control. Not all hackers are so public-spirited, and 2016 was a bonanza for those who are not. In February of that year cyber-crooks stole $81m directlyfrom the central bank of Bangladesh—and would have got away with more were it not for a crucial typo. In August America’s National Security Agen- cy (NSA) saw its own hacking tools leaked all over the internet by a group calling themselves the Shadow Brokers. (The CIA suffered a similar indignity this March.) In October a piece of software called Mirai was used to flood Dyn, an internet infra- structure company, with so much mean- one’s guess (most small attacks, and many big ones, go unreported). But all agree it is likely to rise, because the scope for malice is about to expand remarkably. “We are building a world-sized robot,” says Bruce Schneier, a securityanalyst, in the shape of the “Internet of Things”. The IoT is a buzz- phrase used to describe the computerisa- tion ofeverythingfrom cars and electricity meters to children’s toys, medical devices and light bulbs. In 2015 a group of comput- er-security researchers demonstrated that it was possible to take remote control of certain Jeep cars. When the Mirai malware isusedtobuildabotnetitseeksoutdevices such as video recorders and webcams; the botnet forfridges is just around the corner. Not OK, computer “The defaultassumption isthateverything is vulnerable,” says Robert Watson, a com- puter scientist at the University of Cam- bridge. The reasons for this run deep. The vulnerabilitiesofcomputersstemfromthe basics of information technology, the cul- ture of software development, the break- neck pace of online business growth, the economic incentives faced by computer firms and the divided interests of govern- ments. The rising damage caused by com- puter insecurity is, however, beginning to spur companies, academics and govern- ments into action. Modern computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The op- erating system that lets the machine run particular programs comes from someone ingless traffic that websites such as Twitter and Reddit were made inaccessible to many users. And the hackingofthe Demo- cratic National Committee’s e-mail servers and the subsequent leaking of embarrass- ing communications seems to have been part of an attempt to influence the out- come ofthe American elections. Away from matters of great scale and grand strategy, most hacking is either show-off vandalism or simply criminal. It is also increasingly easy. Obscure forums oil the trade in stolen credit-card details, sold in batches of thousands at a time. Data-dealers hawk “exploits”: flaws in code that allow malicious attackers to sub- vert systems. You can also buy “ransom- ware”, with which to encrypt photos and documents on victims’ computers before charging them for the key that will un- scramble the data. So sophisticated are these facilitating markets that coding skills are now entirely optional. Botnets—flocks of compromised computers created by software like Mirai, which can then be used to flood websites with traffic, knock- ingthemofflineuntilaransomispaid—can be rented by the hour. Just like a legitimate business, the bot-herders will, for a few dollars extra, provide technical support if anythinggoes wrong. The total cost of all this hacking is any- Computer security Why everything is hackable Computersecurityis broken from top to bottom. As the consequences pile up, though, things are starting to improve Science and technology
  • 4. 70 Science and technology The Economist April 8th 2017 1 2 else. The programs themselves from some- one else again. A mistake at any stage, or in the links between any two stages, can leave the entire system faulty—or vulner- able to attack. It is not always easy to tell the differ- ence. Peter Singer, a fellow at New Ameri- ca, a think-tank, tells the story of a manu- facturing defect discovered in 2011in some of the transistors which made up a chip used on American naval helicopters. Had the bug gone unspotted, it would have stopped those helicopters firing their mis- siles. The chips in question were, like most chips, made in China. The navyeventually concludedthatthedefecthadbeenanacci- dent, but not without giving serious thought to the idea it had been deliberate. Most hackers lackthe resources to mess aroundwithchipdesignandmanufacture. But they do not need them. Software offers opportunities for subversion in profusion. In 2015 Rachel Potvin, an engineer at Goo- gle, said thatthe companyasa whole man- aged around 2bn linesofcode acrossits va- rious products. Those programs, in turn, must run on operating systems that are themselves ever more complicated. Linux, a widely used operatingsystem, clocked in at 20.3m lines in 2015. The latest version of Microsoft’s Windows operating system is thought to be around 50m lines long. An- droid, the most popular smartphone oper- atingsystem, is12m. Getting each of those lines to interact properly with the rest of the program they are in, and with whatever other pieces of software and hardware that program might need to talk to, is a task that no one cangetrightfirsttime.Anoft-citedestimate madebySteveMcConnell,aprogramming guru, is that people writing source code— the instructions that are compiled, inside a machine, into executable programs—make between ten and 50 errors in every 1,000 lines. Careful checking at big software companies, he says, can push that down to 0.5 per 1,000 or so. But even this error rate implies thousands of bugs in a modern program, any one of which could offer the possibility of exploitation. “The attackers only have to find one weakness,” says Kathleen Fisher, a computer scientist at TuftsUniversityinMassachusetts.“Thede- fenders have to plug every single hole, in- cludingones they don’t know about.” All that is needed is a way to get the computerto accept a set ofcommands that it should not. A mistake may mean there are outcomes of a particular command or sequence of commands that no one has foreseen. There may be ways ofgetting the computer to treat data as instructions—for both are represented insidethe machine in the same form, as strings of digits. “Stack- overflowin”, the sobriquet chosen by the restaurant-printer hacker, refers to such a technique. If data “overflow” from a part of the system allocated for memory into a part where the machine expects instruc- tions,theywillbetreatedasasetofnewin- structions. (It is also possible to reverse the process and turn instructions into unex- pected streams of data. In February re- searchers at Ben-Gurion University, in Isra- el, showed that they could get data out ofa compromised computer by using the light thatshowswhethertheharddriveiswork- ingtosendthosedatatoawatchingdrone.) Shutting down every risk of abuse in millionsoflinesofcodebeforepeoplestart to use that code is nigh-on impossible. America’s Department of Defence (DoD), Mr Singer says, has found significant vul- nerabilities in every weapon system it ex- amined. Things are no better on civvie street. According to Trustwave, a security- research firm, in 2015 the average phone app had14 vulnerabilities. Karma police All these programs sit on top of older tech- nologies that are often based on ways of thinking which date back to a time when security was barely a concern at all. This is particularly true of the internet, originally a tool whereby academics shared research data. The first versions ofthe internet were policed mostly by consensus and eti- quette, including a strong presumption against use forcommercial gain. When Vint Cerf, one of the internet’s pioneers, talked about building encryp- tion into it in the 1970s he says his efforts were blocked byAmerica’sspies, who saw cryptography as a weapon for nation- states. Thus, rather than being secure from the beginning, the net needs a layer of ad- ditional software half a million lines long to keep things like credit-card details safe. New vulnerabilities and weaknesses in that layerare reported every year. The innocent foundations of many computersystems remain a source forcon- cern. So does the innocence ofmany users. Send enough people an innocuous-look- ing e-mail that asks for passwords or con- tains what look like data, but is in fact a crafty set of instructions, and you have a good chance that someone will click on somethingthattheyshouldnothavedone. Try as network administrators might to in- stil good habits in their charges, if there are enough people to probe, the chances of trust, laziness or error letting a malefactor get in are pretty high. Good security cultures, both within software developers and between firms and their clients, take time to develop. This is one ofthe reasons to worry about the In- ternet of Things. “Some of the companies making smart light bulbs, say, or electricity meters, are not computing companies, cul- turally speaking,” says Graham Steel, who runs Cryptosense, a firm that carries out automated cryptographic analysis. A data- base belonging to Spiral Toys, a firm that sells internet-connected teddy bears through which toddlers can send mes- sages to their parents, lay unprotected on- line for several days towards the end of 2016, allowing personal details and tod- dlers’ messages to be retrieved. Even in firms that are aware of the is- sues, such as car companies, nailing down security can be hard. “The big firms whose logos are on the cars you buy, they don’t really make cars,” points out Dr Fisher. “They assemble lots of components from smallersuppliers, and increasingly, each of those has code in it. It’s really hard for the carcompaniestogetanoverviewofevery- thingthat’s goingin.” On top of the effects of technology and culture there is a third fundamental cause of insecurity: the economic incentives of the computer business. Internet business- es, in particular, value growth above al- most everything else, and time spent try- ing to write secure code is time not spent adding customers. “Ship it on Tuesday, fix the security problems next week—maybe” is the attitude, accordingto Ross Anderson, another computer-security expert at the University ofCambridge. To infinity and beyond Sources: Company reports; press reports; The Economist *Minimum estimate †Upper estimate Lines of text/source code, m Log scale 0.10.01 1.0 10 100 1,000 2,000 Sim pleiOSapp Heartpacem aker WarAndPeace SuperMarioBros.(1985) Spaceshuttle Windows3.1(1992) MarsCuriosityrover GoogleChrom e* Boeing787 Android† F-35fighterplane LargeHadron Collider Facebook MacOSX10.4 FordF-150(2016) Google(allproducts)
  • 5. The Economist April 8th 2017 Science and technology 71 2 The long licence agreements that users of software must accept (almost always without reading them) typically disclaim any liability on the part of a software firm if things go wrong—even when the soft- ware involved is specifically designed to protect computers against viruses and the like. Such disclaimers are not always en- forceableeverywhere.ButcourtsinAmeri- ca, the world’s biggest software market, have generally been sympathetic. This im- punity is one reason why the computing industry is so innovative and fast-moving. But the lack of legal recourse when a pro- duct proves vulnerable represents a signif- icant cost to users. If customers find it hard to exert pres- sure on companies through the courts, you might expect governments to step in. But Dr Anderson points out that they suffer from contradictory incentives. Sometimes they want computer security to be strong, because hacking endangers both their citi- zensand theirown operations. On the oth- er hand, computers are espionage and sur- veillance tools, and easier to use as such if theyare notcompletelysecure. To this end, theNSAiswidelybelievedtohavebuiltde- liberate weaknesses into some of its fa- voured encryption technologies. Increasinglyparanoid android The risk is that anyone else who discovers these weaknesses can do the same. In 2004 someone (no authority has said who)spentmonthslisteningtothemobile- phone calls of the upper echelons of the Greek government—including the prime minister, Costas Karamanlis—by subvert- ing surveillance capabilities built into the kit Ericsson had supplied to Vodafone, the pertinent networkoperator. Some big companies, and also some governments,arenowtryingtosolvesecu- rity problems in a systematic way. Free- lance bug-hunters can often claim boun- ties from firms whose software they find fault with. Microsoft vigorously nags cus- tomers to ditch outdated, less-secure ver- sionsofWindowsin favourofnewerones, though with only limited success. In an at- tempt to squash as many bugs as possible, Google and Amazon are developing their own versions of standard encryption pro- tocols, rewriting from top to bottom the code that keeps credit-card details and oth- er tempting items secure. Amazon’s ver- sion has been released on an “open- source” basis, letting all comers look at the source code and suggest improvements. Open-sourceprojectsprovide,inprinciple, a broad base of criticism and improve- ment. The approach only works well, though, if it attracts and retains a commit- ted community ofdevelopers. More fundamental is work paid for by the Defence Advanced Research Projects Agency (DARPA), a bit of the DoD that was instrumental in the development ofthe in- ternet. At the University of Cambridge, Dr Watson has been using this agency’s mon- eyto design CHERI, a newkind ofchip that attempts to bake security into hardware, rather than software. One feature, he says, is that the chip manages its memory in a way that ensures data cannot be mistaken for instructions, thus defanging an entire category ofvulnerabilities. CHERI also lets individual programs, and even bits of pro- grams, run inside secure “sandboxes”, which limit their ability to affect other parts of the machine. So even if attackers obtain access to one part of the system, they cannot breakout into the rest. Sandboxing is already used by operat- ing systems, web browsers and so on. But writing sandboxing into software imposes performance penalties. Having a chip that instantiates the idea in hardware gets around that. “We can have a web browser where every part of a page—every image, every ad, the text, and so on—all run in their own little secure enclaves,” says Dr Watson. His team’s innovations, he be- lieves, could be added fairly easily to the chipsdesigned byARMand Intel thatpow- erphones and laptops. Another DARPA project focuses on a technique called “formal methods”. This reduces computer programs to gigantic statements in formal logic. Mathematical theorem-provingtoolscan then be applied to show that a program behaves exactly as its designers want it to. Computer scien- tists have been exploring such approaches for years, says Dr Fisher, but it is only re- cently that cheap computing power and usable tools have let the results be applied to pieces of software big enough to be of practical interest. In 2013 Dr Fisher’s team developed formally verified flight-control softwareforahobbyistdrone.Ateamofat- tackers, despite being given full access to the drone’s source code, proved unable to find theirway in. “It will be a long time before we’re us- ing this stuff on something as complicated as a fully fledged operating system,” says Dr Fisher. But she points out that many of the riskiest computing applications need only simple programs. “Things like insulin pumps, car components, all kinds of IoT devices—those are things we could look at applyingthis to.” Most fundamental of all, though, is the way in which markets are changing. The ubiquity ofcyber-attacks, and the seeming impossibility of preventing them, is per- suading big companies to turn to an old remedy for such unavoidable risks: insur- ance. “The cyber-insurance market is worth something like $3bn-4bn a year,” says Jeremiah Grossman ofSentinelOne, a company which sells protection against hacking (and which, unusually, offers a guaranteethatitssolutionswork).“Andit’s growingat 60% a year.” As the costs of insurance mount, com- panies may start to demand more from the software they are using to protect them- selves,andaspayoutsrise,insurerswillde- mand the software be used properly. That could be a virtuous alignment of interests. A report published in 2015 by PwC, a man- agement consultancy, found that a third of American businesses have cyber-insur- ancecoverofsomekind,thoughitoftenof- fers only limited protection. But it is the issue ofsoftware-makers’ li- ability for their products that will prove most contentious. The precedents that lie behind it belong to an age when software was a business novelty—and when com- puters dealt mostly with abstract things like spreadsheets. In those days, the issue was less pressing. But in a world where softwareiseverywhere,andcomputerised cars or medical devices can kill people di- rectly, it cannot be ducked forever. “The industry will fight any attempt to imposeliabilityabsolutelytoothandnail,” says Mr Grossman. On top of the usual re- sistance to regulations that impose costs, SiliconValley’scompaniesoftenhavealib- ertarian streak that goes with roots in the counterculture of the 1960s, bolstered by a self-serving belief that anything which slows innovation—defined rather narrow- ly—isanattackonthepublicgood.Kenneth White, a cryptography researcherin Wash- ington, DC, warns that if the government comes down too hard, the software busi- ness may end up looking like the pharma- ceutical industry, where tough, ubiquitous regulationisonereasonwhythecostofde- veloping a new drug is now close to a bil- lion dollars. There is, then, a powerful in- centive for the industry to clean up its act before the government cleans up for it. Too manymore yearslike 2016, and thatoppor- tunity will vanish like the contents of a hacked bankaccount. 7