
GCHQ's National Cyber Security Centre opens for business following delays

Discussion in 'Current Affairs, News and Analysis' started by Murphy_Slaw, Feb 14, 2017.


  1. Wordsmith

    Wordsmith LE Book Reviewer

    Software companies vary enormously. Microsoft (for example) continue to support obsolete protocols like SSLv2. Why don't they put an end of life date on it (like they do with older versions of their software)? I've lost count of the number of reports that I've seen where the company being assessed hasn't disabled support for it.

    Oracle are secure by default these days. (I'm an ex-inmate of that asylum). But they make it possible to significantly relax the security requirements. And guess what - companies that can't afford an Oracle DBA relax the requirements to make the systems easier to maintain.

    Another small IT company I worked for quite a few years ago developed their own reversible proprietary encryption method and for a number of builds thoughtfully shipped a small tool to reverse the password hashes because the support staff at our customers asked for it. (EM may have got involved on that one...)

    There are clearly IT companies that make secure software - it's the nature of the computer security industry that you learn more about the software houses that ship insecure software.

    Wordsmith
     
    • Informative Informative x 4
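The "reversible encryption plus a support tool to undo it" scheme in the post above is worth seeing beside the design it should have been. The following is an added example, not code from the post or from any product it mentions. It constructs a hypothetical legacy scheme (fixed key, XOR, no salt: the fixed key `LEGACY_KEY` and the helper names are assumptions for illustration) that any holder of the tool can reverse, and contrasts it with a salted, slow, one-way PBKDF2 record and a constant-time verifier for which no reversal tool can exist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the legacy scheme: a fixed key baked into the
# build, XORed over the password. Anyone with the key (or the "support
# tool") recovers every password, and equal passwords give equal output.
LEGACY_KEY = b"s3cr3t-build-key"  # hypothetical; not from any real product


def legacy_encode(password: str) -> bytes:
    """Reversible 'encryption' of the kind the post describes."""
    data = password.encode("utf-8")
    return bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(data))


def legacy_reverse(stored: bytes) -> str:
    """The 'support tool': XOR is its own inverse, so the plaintext falls out."""
    plain = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(stored))
    return plain.decode("utf-8")


# Hardened form: per-user random salt, deliberately slow derivation, and a
# self-describing record so the work factor can be raised later.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor used by this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored record and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record (wrong field count, non-integer rounds, bad hex).
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Legacy: the stored value is one tool away from the plaintext.
    stored_legacy = legacy_encode("Passw0rd!")
    print("legacy stored :", stored_legacy.hex())
    print("legacy reversed:", legacy_reverse(stored_legacy))

    # Hardened: the record cannot be turned back into the password; it can
    # only be checked, and two users with the same password get different records.
    record = hash_password("Passw0rd!")
    print("hashed record  :", record)
    print("verify correct :", verify_password("Passw0rd!", record))
    print("verify wrong   :", verify_password("Passw0rd", record))
```

The point of the record format is operational: when the work factor needs raising, `verify_password` still checks old records at their recorded round count, and records can be re-derived on next successful login without a migration that exposes plaintext. The legacy scheme has no such path, because the only way to "migrate" it is to decrypt everything.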
  2. Sarastro

    Sarastro LE Reviewer Book Reviewer

    I'm afraid that is the kind of terrible suggestion that comes from soldiers or civil servants or politicians or security specialists: people with a terrible track record of thinking about the wider consequences of such decisions. The obvious reason why is that the car industry, and the road system, are nothing like the software / hardware / network world, and are never going to be. The immediate result would almost certainly be a sustained worldwide recession in the tech, and quite probably therefore global, economy.

    Legal liability alone would immediately prompt huge class action lawsuits against software companies, because as you know ALL software has multiple flaws. Criminals would probably benefit as a new front in cyber-blackmail would open up, where instead of building toolkits to target the wider ecosystem, black hats and their sponsors would simply blackmail software companies to keep vulnerabilities secret, also undermining the current security ecosystem which relies on vulnerabilities being shared with manufacturers. Open source software would disappear as all the groups that made it were sued or shut up shop at the risk. Production of new software would slow to a crawl. Since the basic problem is that there is a global shortage of developer talent, there simply isn't the manpower to fix this without huge changes in the education system, so any advances would take a lot of time.

    The problem doesn't exist because centralised, proprietary style organisations do things badly, although often they do. Equally, treating this as a 20th century style problem where you can just sue the organisation will not fix it.

    The problem exists because the infrastructure, networks, and nature of the hardware are all designed to be insecure and highly interoperable. This is not the case with, for example, the car industry and road networks, which are designed with safety in mind first. You cannot just sue the software companies, because fundamentally they make products to someone else's standards. The PC / Android approach to hardware builds makes coherent security standards largely impossible, despite some effort, because it is impossible to understand or specify the impact of combinations used. Networks and network protocols were designed to be open, with security added as an afterthought. Even new standards aren't vastly more secure, blame ICANN for that, not Microsoft. But don't blame ICANN, because there are good reasons to keep things open, which mean by default they will be less secure. So even if you hit companies with punitive legal responsibilities for things they actually can't reasonably fix, and swallowed the resulting recession, you would simply alter the class of security flaws that criminals would exploit.

    There is a reason this hasn't been done.

    Again, sorry but you use two examples that actually wouldn't change anything, because they are the wrong or pointless advice.

    Risk registers don't do anything except make accountability easier when things do go wrong. The argument that they create an incentive for managers to be more cautious depends on some kind of consequence, which as you said to start, doesn't really exist in the software world. Without a legal or regulatory system to back them up, risk registers don't do anything (arguably they don't do much regardless, are just seen as negated paperwork, and are highly inaccurate or gamed).

    The password rules you cite are already outdated. It's at least 12 and the combination of other ASCII characters has a negligible effect on the time taken to guess the string, compared to simply another digit in length. In other words, make it 13 and that's it. The advice is also different for automated strings and human-usable strings, e.g. your Windows product key or your Windows login.

    But more importantly, that is the problem with hard-coding. One, there's no such thing as "hard": to change it attackers just have to aim for the firmware code or low-level language rather than just firmware access or the high level language. Two, it dates really rapidly. Very soon you will have a set of equipment which is out-of-date. So you have to update it, let's assume by a remote push update from the manufacturer (in this new IoT world with multibillions of devices). Congratulations! You have just created the access vector that your attackers from point One will use to compromise it. You have changed only the method of attack.

    All of this stuff does require: more incentives to do things right; better understanding among "specialists"; a holistic approach. But the answers are not as simple as supposed security specialists like to claim, because a lot of them are frankly not very competent, and are simply regurgitating partially understood advice somebody told them on a course once.

    Moreover, this is an open ecosystem. Changing that now would, quite literally, break the Internet and software ecosystem. Any solutions have to treat it as such, and quite probably make use of that characteristic. Simply telling big firms to do better will not work, because the core problems are beyond their control to fix.
     
    • Informative Informative x 3
    • Like Like x 1