Quinn Norton has written a very entertaining – and also very scary – column describing why computer security isn’t, the extent to which our modern systems are broken by definition, and how we’re all vulnerable to hackers, the NSA, and everyone else with sufficient interest – criminal, political or whatever – in penetrating the laughably named ‘security’ systems we deploy. Here’s an excerpt.
It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.
Computers, and computing, are broken.
. . .
Written by people with either no time or no money, most software gets shipped the moment it works well enough to let someone go home and see their family. What we get is mostly terrible.
Software is so bad because it’s so complex, and because it’s trying to talk to other programs on the same computer, or over connections to other computers. Even your computer is kind of more than one computer, boxes within boxes, and each one of those computers is full of little programs trying to coordinate their actions and talk to each other. Computers have gotten incredibly complex, while people have remained the same gray mud with pretensions of godhood.
Your average piece-of-**** Windows desktop is so complex that no one person on Earth really knows what all of it is doing, or how.
Now imagine billions of little unknowable boxes within boxes constantly trying to talk and coordinate tasks at around the same time, sharing bits of data and passing commands around from the smallest little program to something huge, like a browser — that’s the internet. All of that has to happen nearly simultaneously and smoothly, or you throw a hissy fit because the shopping cart forgot about your movie tickets.
. . .
Because of all this, security is terrible … Because even okay software has to work with terrible software. The number of people whose job it is to make software secure can practically fit in a large bar, and I’ve watched them drink. It’s not comforting. It isn’t a matter of if you get owned, only a matter of when.
There’s much more at the link. It’s entertaining, but it also exposes the reality of modern computer (in)security with blinding clarity. Highly recommended reading.
As desktop security has improved over the last decade (and improved it has, despite being spotty at best), the Bad Guys have looked for easier targets. A home router is a natural target, for several reasons …
. . .
The Bad Guys love this – it’s a target rich environment that is institutionally resistant to security improvement.
So what do you do? Probably the only thing that you can do is to assume that the Internet router is already compromised. Get your own router and put it between your home network and the router your ISP sent you. Disable WiFi in the ISP router, and use your own. Run an Open Source OS on the router (these projects will almost always be more responsive to security issues than the manufacturers).
Oh, and read this post from way back.