History Lessons

As this tweet illustrates, I've been reading a couple of books recently. I'm currently making my way through The Cuckoo's Egg. This is a fantastic book written by Cliffard Stoll. The book was published in 1990 (well the edition that I'm reading at least). That makes this book 33 years old! Without giving too much away, it's the story how Cliff tracked down at attacker (hacker) on his system in the Lawrence Berkeley National Laboratory. This is around the dawn of the Internet. The story itself is absolutely fascinating, and I highly recommend that you give this book a read.

Now as you can see by the tweet above, this blog post is not about the book per se. What I found incredibly fascinating but also frustrating is that we are tackling some of the same issues that existed 33 years ago! With all the advances in technology, we still face the same primitive challenges that many faced all those years ago. As you can see from my tweet above, one of the issues was people not taking the security of their own data seriously. Sound familiar? How many times have we heard something along the lines of "oh my data doesn't matter" or "I don't care about it"?

Next up is passwords. Without giving too much of the story away, one challenge many of the system administrators faced were poor practices around passwords. One interesting thing was that passwords were dynamically generated. In that users could not generate their own passwords. This then led to users having poor password management practices. Again, sound familiar? Users would simply store their password in a plaintext file in their own home directories. Or in some cases passwords were easily guessable or the default (when they weren't automatically generated).

Now these two items are human related issues. And this is incredibly difficult to solve. How much progress have we made on this though? I don't think all that much. Look to how people freely and willing post things on social media. Look to the current top ten password lists. Truly little appears to have changed over the last 33 years! That's incredibly when you think about it, especially given how quickly the technology changes. And this shows the monumental challenge we face when it comes to the human side of cybersecurity. Changing people's habits and thinking, while possible, is going to have to involve some innovative approach. We can't keep repeating the same things repeatedly, and then expect different results. There is the famous quote "Insanity is doing the same thing over and over again and expecting different results" (which incidently is not a quote thought up by Albert Einstein, as many would believe it to be).

But one aspect of the book which we should be able to solve is the whole notion of "secure by default". This was being talked about 33 years ago! There's little excuse why we haven't solved this to the extent that this should have been solved. We are thankfully moving in the right direction and have come a long way. But still, we should be in a better place regarding this. Take AWS S3 buckets for example, when they first came out, the default was public access! The result open buckets all over the Internet. Thankfully, this is no longer the case (they default too private now). But as we start including technology increasingly in our lives and homes, the whole notion of "secure by default" becomes even more important. Many of those buying and using these devices don't have the technical know-how and knowledge to know what changes to make and how to make them. The result, these devices become a gaping hole, that allows attackers to do things such as intrude in their privacy or carry out financial scams.

Before I started reading The Cuckoo's Egg, another book I read was The Cult of The Dead Cow. This was another fascinating read. This book covered the rise of the group Cult of The Dead Cow. This group also started off in the beginnings of the Internet and has grown since. Many of their members have been influencial in shaping how security has played out today. One of the things that I came across was how difficult they found it to get organisations to fix their products. Again, sound familiar? One member, Mudge, even took this to the government. I found this incredibly fascinating since this is the very thing that recent came out of the US government's National Cybersecurity Strategy. On of the outcomes of this strategy called for:

Shifting liability for software products and services to promote secure development practices

This was what Mudge, and many others in the CDC (Cult of The Dead Cow) where calling for all those years ago!

So, what I found so incredibly that decades later, we are still facing many of the same issues that others faced. My first question is why? These aren't monumental technical problems to solve. Sure, some of them are challenging to solve (the human ones). But why haven't we managed to make headway that would have expected to after all these years?