Secrets & Lies
Earlier this week I finished reading “Secrets & Lies” by Bruce Schneier. Bruce is a renowned security expert. This particular book has sold over 150,000 copies.
The book is quite different from “Applied Cryptography”, also by Bruce Schneier. “Secrets & Lies” is easy to read and contains little (if any) technical information that software designers or developers could apply directly. Instead it provides an overall picture of security as it relates to networks and, probably most important, the Internet.
In “Applied Cryptography” there were several comments and statements that the software industry is a disaster. Someone said that everyone knows that no one can write good software. Having been a computer scientist and software developer for over 30 years, I did not take such comments very well. While reading chapter 24, “Security Process”, in “Secrets & Lies”, I believe I finally understood what Bruce refers to as poor software.
Allow me to digress a couple of decades. At that time I was very interested in the software development process. The existing processes, then and today (e.g., Waterfall, Spiral), did not make much sense and did not work. They sounded good on paper to managers without education in the subject but were not effective at producing quality software in practice. My PhD advisor at the University of Minnesota, Dr. David Wei-Tek Tsai, who was very interested in software engineering, moved away in search of warmer weather (can’t blame him), and I never finished a book I was writing on a new development methodology, which I named the Cyclic Development Process (CDP). Given my formal education in electrical engineering, I drew a diagram to describe CDP that should be quite familiar to those in process control.
The idea in a nutshell is to start with a written initial set of requirements, a design, and then an implementation. That is the Input to the process. The block Aol represents testing at the component and system level, and the Output is the results of that testing. Based on those results, written adjustments to the requirements and design are made and fed back into the software. The diagram represents a real-time operation. CDP called for three passes, each of which, with a properly staffed development group, should last no more than three months, so a software development project should last about nine to ten months in total. Enough said about CDP.
CDP did not make it as a mainstream concept / product in the software development industry. Last weekend I was on Skype with my sister. We talked about the FIFA futball / soccer World Cup. About 280 countries participated in the tournament, which started with eliminations played all over the world and led to the final games in South Africa. Given that more people in the world watch and play soccer than every other sport (e.g., baseball, basketball, football, golf) combined, why is it not the mainstream sport in the USA? The answer appears to be purely economic. Naïve Americans are fed sports in which promoters can make MONEY. That is all that counts. One of the most watched sports in our country is football. Millions of dollars are made every year in equipment, games, endorsements, and broadcasting rights, among others. The game lends itself to a few seconds of play followed by a few minutes of stoppage, during which advertisements costing hundreds of thousands of dollars a minute bombard us and lead us to believe that drinking beer and / or sports beverages is the cool thing to do. Soccer, on the other hand, is uninterrupted action for two halves of 45 minutes each. To top it off, the fifteen minutes between halves do not lend themselves to singers mounting shows with wardrobe malfunctions. Overall, soccer does not provide the incentives to popularize it in the USA. It appears that most Naïve Americans are not interested in sports or physical conditioning. Our main interest is making money while ignoring the health issues of the players. The same holds true for a new software development methodology. If there are no sexy tools that can be sold to the vast majority of people writing software, the methodology is better ignored.
Bruce mentions in his book that most security issues can easily be traced back to the development process. Most of the time, people who have no formal education in computer science embark on coding software with no requirements, design, reviews or testing. Such practice has led to the current state of the software industry.
The other issue is that software development companies want to put out a product (or release) before it is ready, in most cases with little or no testing. I was able to map several of the ideas and points Bruce brings up to Quality Assurance (QA) processes.
Another interesting point in the book is that of open source software. I agree that cryptographic algorithms should be made completely public. That is the only way people will be inclined to look for flaws and correct them, or discard the algorithm in its entirety. I completely disagree on having open source code. Source code (especially when it is well developed) represents the intellectual property of the individuals and companies that spent time and resources developing it. Open source is just an invitation for people to copy the state of the art and, with simple modifications, have a new product without prior background and knowledge. I believe it would be foolish to think that in a global economy all developers would follow rules to assign merit (and revenues) where they are due (just think about the millions of copies of pirated movies, music and software sold every year). In the Resources section of “Secrets & Lies” Bruce makes reference to “Securing Java” by Ed Felten. The book should provide some interesting concepts and ideas behind open source code. I will let you know my opinion after reading it.
One of the points brought up in “Secrets & Lies” is that the legal system should and will provide mechanisms to outlaw and prosecute individuals who compromise computer systems on the Internet (steal or alter data), regardless of the country from which the attack is conducted. It sounds nice and looks promising, but in reality, if there is no money to be made, legislation will never live up to the threat. In our country things only happen when there are groups that would benefit economically. Given that the Internet encompasses the entire world, laws in the USA would not deter people, organizations and countries from attacking systems in the USA. Perhaps the NSA would / should stop spying on others before we initiate talks with a straight face.
The legal system in our country is broken. It seldom works the way it is supposed to. Politicians are easily and routinely bought (what do you think the job of a lobbyist is?) by special interest groups and companies to pass laws that favor them in order to amass larger revenues. The legal system will be completely useless in making the Internet a safer place to browse and shop.
In conclusion, the Naive American strongly recommends reading “Secrets & Lies” to all IT managers and software developers who wish to develop and keep their products and networks secure. Remember that cryptography alone is not a panacea for security, and that the weakest link almost always appears to be humans.
