Transmissions

It's the Geekiest Place on Earth, But We've Learned Nothing

by Dragorn

I've been feeling nostalgic of late.

Fourteen years ago (wow, I guess that makes me old?), I went to Disney on a trip just before leaving for college.  At Epcot, they had an exhibit of... the Internet!

A shocking and unusual experience for most of the visitors, I'm sure.  But, being a savvy teenager with a modem, I was already used to the wonders of the mid-nineties web (horrible color schemes, "under construction" icons, and animated GIFs, as I recall).  Disney had a link that was a bit faster than my 2 kbps modem though, which was nice.

There had just been talk of someone making an emulator that actually let you play Super Nintendo games on a PC.  I doubt my 25 MHz system could have handled it, but it was a pretty mind-blowing idea.

Soon I'll be going back to Disney for my honeymoon.

This time I've got a Super Nintendo emulator on my phone, a technology which I suppose existed then, but wasn't even on my radar since no one I knew was important enough to have a suitcase phone in their convertible (in my mind, anyone with one of those automatically becomes Miami Vice).  I've got 600 times more storage than my combined hard drives at the time.

We've got a lot of flashy toys now, but it also makes me realize in a lot of important ways, we've solved almost nothing about one of the most important aspects of the user experience: how not to get owned.

Even worse, everyone is online now.  What haven't we solved?

Plaintext everywhere.  We've gone from "Telnet is fine" to "You should use SSH" but we're nowhere near the point where all of our communication lines are protected.  I'm not even sure we could confidently say the majority of our communication is protected.  Let's not even address questions about the stability of the SSL trust model or user behavior.  (Firefox trusts how many authorities, any of which could be colluding or simply have been hacked to issue certificates for any domain?)  Twitter is just beginning to roll out SSL-by-default.  Email clients still tend to default to plaintext.  Android has an option to blindly accept any SSL cert without asking, even if it's not valid.  Who knows how many software packages update in the background over plaintext?

Cellphone interception.  "Don't use your mobile near New York City - it'll get cloned."  Instead of protecting cell phones with properly strong encryption and authentication, we've protected them with... legislation.  GSM makes some attempts at protecting the device, but it's been defeated, and defeated for less than $2000 (USRP - look it up).  If you ever trusted the cell network, you probably can't anymore in a lot of cases.  The panic over a possible hostile cell network at the latest DEFCON should wake up anyone who still had any illusions over GSM security; even if the claims are bogus (and they strike me as highly questionable), there's enough truth to the risk to be really scary.

Redundancy.  The Slashdot effect used to take out any server hosting a project featured.  Now we wait for the cloud services to do that for us when they fall down and take out hundreds or thousands of sites across the net.  When the Amazon cloud stumbled this spring, thousands of sites stopped working properly, or entirely.  We've decentralized content to centralized providers.  What are we thinking?

User education.  Your parents probably didn't know what "untrusted certificate" meant in the 1990s, and they probably still don't know now.  Security is hard, but it seems like we haven't made a lot of progress towards making it any better.  People just want to get to content and tend to accept anything in the hopes the problem will go away.

More aggravatingly, we've actually gone backwards in security.  Increased complexity and tacked-on features make previously simple applications like email a hotbed of vulnerabilities.  Hoax emails in the 1990s claiming to infect you simply by reading an email became completely plausible thanks to bugs in Exchange and other clients.

We're going in the wrong direction, and it seems like a responsibility for all of us to try to reverse this trend:

Error messages need to be concise.  The "correct" decision needs to be obvious to novice users.  Flooding the user UAC-style isn't going to help, and giving no control other than "access to do anything as root" or "no access" probably isn't the answer either.

Stop having buffer overflows.  Seriously.  Stop it.  It's not that hard to bounds check.  Stop writing Wi-Fi drivers which assume that because the spec says 32 characters, you'd never see a packet with more.  Just stop.
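The Wi-Fi driver case above is a good one to see in code. The following is an added example written for this column, not code from any real driver: it walks a constructed 802.11 information-element list (tag, length, payload) looking for the SSID element, and contrasts the "the spec says 32, so I'll trust the length byte" copy with a parser that checks every length against both the protocol maximum and the bytes actually present. The function names (`copy_ssid_unchecked`, `parse_ssid_ie`, `find_ssid`, the `demo_*` helpers) and the sample frames are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32   /* 802.11 caps an SSID at 32 octets */

/* Result of a successful SSID parse: a NUL-terminated copy plus its length. */
struct ssid_result {
    char ssid[SSID_MAX_LEN + 1];
    size_t len;
};

/* The flawed pattern the column describes (hypothetical, for contrast only):
 * the driver assumes no frame will ever carry a length byte above 32 and
 * copies whatever the length byte says into a 32-byte buffer.  A frame
 * with a length byte of 200 overruns it.  Never called with real input. */
static void copy_ssid_unchecked(const uint8_t *ie, char out[SSID_MAX_LEN]) {
    uint8_t len = ie[1];
    memcpy(out, ie + 2, len);   /* BUG: len is attacker-controlled, up to 255 */
}

/* Hardened SSID parser.  `frame` points at the IE's tag byte and
 * `frame_len` is the number of bytes actually available from there.
 * Returns 0 on success, -1 if the IE is not an SSID, claims more bytes
 * than exist, or exceeds the protocol maximum. */
int parse_ssid_ie(const uint8_t *frame, size_t frame_len, struct ssid_result *out) {
    if (frame == NULL || out == NULL) return -1;
    if (frame_len < 2) return -1;                /* need tag + length byte */
    uint8_t tag = frame[0];
    uint8_t len = frame[1];
    if (tag != 0) return -1;                     /* tag 0 is the SSID element */
    if (len > SSID_MAX_LEN) return -1;           /* over-long: reject, do not truncate silently */
    if ((size_t)len > frame_len - 2) return -1;  /* length byte claims bytes we do not have */
    memcpy(out->ssid, frame + 2, len);
    out->ssid[len] = '\0';
    out->len = len;
    return 0;
}

/* Walk a tag/length/value list with bounds checks at every step and
 * hand the SSID element to parse_ssid_ie.  Returns 0 if found and valid,
 * -1 if absent or malformed. */
int find_ssid(const uint8_t *ies, size_t ies_len, struct ssid_result *out) {
    size_t off = 0;
    while (off + 2 <= ies_len) {
        uint8_t tag = ies[off];
        uint8_t len = ies[off + 1];
        if ((size_t)len > ies_len - off - 2) return -1;   /* truncated element */
        if (tag == 0) return parse_ssid_ie(ies + off, ies_len - off, out);
        off += 2 + len;
    }
    return -1;
}

/* Constructed sample 1: a Supported Rates IE followed by a 4-byte SSID "home". */
static const uint8_t FRAME_OK[] = { 0x01, 0x01, 0x82,
                                    0x00, 0x04, 'h', 'o', 'm', 'e' };

/* Returns the parsed SSID for the valid sample, or NULL on failure. */
const char *demo_valid_ssid(void) {
    static struct ssid_result r;
    if (find_ssid(FRAME_OK, sizeof FRAME_OK, &r) != 0) return NULL;
    return r.ssid;
}

/* Constructed sample 2: SSID IE whose length byte says 40 and 40 bytes follow.
 * Every byte is present, but 40 > 32, so the parser refuses it. */
int demo_overlong(void) {
    uint8_t frame[2 + 40];
    frame[0] = 0x00;
    frame[1] = 40;
    memset(frame + 2, 'A', 40);
    struct ssid_result r;
    return find_ssid(frame, sizeof frame, &r);   /* -1 */
}

/* Constructed sample 3: length byte claims 200 bytes but only 3 follow. */
int demo_truncated(void) {
    const uint8_t frame[] = { 0x00, 0xC8, 'a', 'b', 'c' };
    struct ssid_result r;
    return find_ssid(frame, sizeof frame, &r);   /* -1 */
}

int main(void) {
    const char *s = demo_valid_ssid();
    printf("valid frame   -> %s\n", s ? s : "(rejected)");
    printf("overlong IE   -> %d\n", demo_overlong());
    printf("truncated IE  -> %d\n", demo_truncated());
    (void)copy_ssid_unchecked;   /* kept only to show the flawed pattern */
    return 0;
}
```

The two rejections are the point: the over-long case has every byte it claims and still fails, because the buffer's limit, not the length byte, decides what gets copied; the truncated case fails before any copy because the walker compares the claimed length against the bytes that actually arrived.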

Use encryption.  Use it.  Use it for everything your application does.  Crypto is cheap on today's computers.

Don't homebrew encryption.  You'll almost definitely do it wrong.

Time to finish preparing for a week of child robot simulacrum performing slave labor.  I think I'll try to avoid even bringing a laptop.

I can play SNES on my phone just fine.
