Another security question

Steve D'Aprano steve+python at pearwood.info
Sun Dec 25 08:44:29 EST 2016


On Sat, 24 Dec 2016 06:38 pm, Chris Angelico wrote:

> weak passwords are ultimately the user's
> responsibility


I suppose that's true, in the same way that not getting sewerage into the
drinking water supply is also ultimately the user's responsibility.

You forget that weak passwords don't just hurt the user who choose the weak
passwords. If I break into your system, I get the opportunity to steal your
identity, which not only hurts you, but also those I steal from using your
identity. I can use your account to send spam, which hurts everyone. I can
use you as a springboard to attack others, to launch ransomware attacks or
shutdown the electricity grid[1] or DOS people I don't like.

Poor security eventually hurts everyone.

I think that, eventually, one of two things will happen:

- Our entire computing infrastructure (the web, email, the IOTs, banking
systems, etc) will collapse under the accumulated weight of zero day
attacks, malware, ransomware, cyber warfare and 24/7 surveillance by both
the state and corporations. The IOT is an especially bad idea:

http://www.geekculture.com/joyoftech/joyarchives/2340.html


- Or governments realise that computing security (including privacy) needs
to be treated as a public health measure.

We're already aware of the virus metaphor when it comes to malicious code.
(It's more than just a metaphor -- one can argue, correctly I think, that
self-replicating code is the same kind of thing whether it is interpreted
by a Word macro, compiled machine code, or DNA.) We also need to think of
personal data as toxic pollution: 

https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html

https://www.schneier.com/blog/archives/2008/01/data_as_polluti.html

We need to be thinking about security vulnerabilities as a health issue.
That includes the backdoors more and more governments will want us to
install, under the false claim of protecting us from terrorists/
paedophiles/whatever villain is being demonised this year. Exploitable
software needs to be treated the same as building a sewer system that
empties directly into the city's drinking water supply.

It's *everybody's* problem when somebody can hack into your vulnerable
system. That's the ultimate externality. 

But of course, unfortunately, we know what most governments and corporations
and even individuals think about pollution and toxic waste. "If it saves me
5 seconds, or earns me $1, I don't care how many billions in damages it
does to others."

Merry Christmas.





"My light switch is currently downloading a software update from the
Internet so I can't turn my lights off. What. A. Time. To. Be. Alive."
https://twitter.com/TweetsByTSD/status/655297659381661696




[1] If any country is foolish enough to put control of the electricity grid
on the Internet. Of course nobody would do that. Right?



-- 
Steve



More information about the Python-list mailing list