Everything Is Insecure

Jul 21, 2014

In security the zeroth rule is "your security will fail eventually." What gets me angry is when people ignore this rule and claim otherwise.

Doing security right is very difficult. Yet even the most knowledgeable, paranoid, genius security expert knows that they only need to make one mistake, not know one tiny fact, or face a determined foe for long enough, and all their careful plans will fall apart.

The trick is to make it as good as you can, as deep as you can, and anticipate as much as you can without making things so impossibly locked down you can't do anything. A joke I heard a long time ago was that "the only secure computer system is one with no I/O". Of course the joke is that it's useless if nothing can get in or out.

As long as a system provides a service of some kind, there will always be a way to get inside. The hope is that everything you do to secure it is enough to defeat the actual known or unknown enemies that might want to get in. If it's not a system you control then you have to hope that they too have enough defenses to keep your information from those who should not have it. We live our lives based on that hope; everything you do on the internet, phone, or cable leaves you vulnerable. Of course you could live in a cave away from all electronic communication and human contact. Even there you could be eaten by a bear.

In all the places I've worked that had an actual security chief, or someone who performed that role on the side, I've never been impressed by any of them. Even as programming staff, we could easily see huge holes in what passed for security, but rarely did anyone in charge seem to care what we thought.

The list of hacks just in the past few years is so extensive that it hardly registers any more when you read a new one. I imagine the true number is much larger since companies are embarrassed when it happens and try to keep it hidden. Every single story shows a complete lack of understanding of the zeroth rule and its consequences. But I can understand how these things came to be: people are naturally optimists, security is overhead, and making customers happy enough to give us money is what matters. Everyone you do business with likely thinks the same thing.

The one thing those building secure environments have going for them is that most of the bad guys are not as smart as you are. The problem is that you don't really know who will be attacking you and when; it only takes one attacker smarter than you are to undo everything you've set up.

The worst problem of course is that governments also want into your systems, want your users' data, and will use any and all means to do it, including the power of law. When that doesn't work they will even go beyond the law. I think once Snowden's revelations came out a lot of people were knocked out of their optimism. All of us were amazed at the effort that the US government would go through to get access to everything. Clearly all governments do this type of thing and even share sometimes.

Reading about a security researcher's investigation into various hidden functionality in iOS didn't surprise me at all. As an iOS engineer I know there are things in the OS that we aren't told about or can't see into, especially in the parts of the hardware that talk with the phone system, so it doesn't surprise me at all that such things exist. Android is much the same, though worse since each phone manufacturer and carrier (not only Google) has the opportunity to add things that are not documented. Doing business in the US has a lot of negatives since you are at the mercy of people who think nothing of threatening your life if you don't do what they want, even though our laws should make this type of thing difficult. Other governments have far easier hoops to go through to get you to do what they demand.

Democracy is supposed to not keep things hidden from the people so that they can make a well-informed call on being governed. History is full of governments that bypassed that in order to do something the people might not approve of. It's a nice theory that there should be few secrets but the reality has always been different.

So every system could be attacked by insiders, outsiders and governments, both your own and others. How do you keep your company's and your customers' data safe? It's a nasty problem where you have to fight people who have no intention of helping you in any way, who can attack at any time in any way, and have time on their side. Anyone who claims they can secure things completely is a charlatan. Even the proverbial server with no I/O could be stolen and cracked open. I suppose you could drop it on an asteroid; eventually someone will build a rocket and go pick it up.

To do security you have to consider a pyramid scheme. Not the marketing one, though you could make a ton of money, move into a cave, and say the hell with your security job. Security isn't one thing; it's really a layer of things. First you protect against the easy attacks, then you protect against the known attack types, then you provide backup plans for when you are attacked by unknown agents to make it difficult to use what they steal. Finally you think about how to make a government attacker at least spend way more effort than your data is worth. Security isn't a thin layer but a thick one.

In building castles and towns for thousands of years people made entrances deliberately hard to navigate. Attackers were forced into narrow areas, or turned such that weapons were oriented the wrong way to fight, or required to go up a steep hill. Of course most of these had limited success. Even Masada, which was built on a steep hill 200+ feet high with only a single narrow path, eventually fell to the Romans 2000 years ago; they simply built an impossible ramp out of stone and pushed a huge siege engine up it. The only thing that stopped them from killing the defenders was mass suicide.

Today you can build all the walls you want but eventually someone somewhere will get around them. You must do everything you can to stop attacks as much as possible, and if you fail make sure the data itself is as unusable as possible. But never forget the zeroth rule and never be too satisfied with the state of security. I've been in many meetings where people made emphatic statements about how perfect their security is. Don't believe them.