2347: Dependency |
Imagine you’re buying a car from a reputable manufacturer. That manufacturer doesn’t build all the components itself. It partners with other reputable manufacturing specialists and works with them to tight tolerances so that all the bits fit together and work properly.
In a tightly controlled supply chain like that you end up with complex systems that can take you hundreds of thousands of kilometers through extreme environments with only regularly maintenance. When engineering is taken seriously like this, amazing, resilient machines are the result.
If your car was built like the cloud infrastructure your business/school/government depends on to operate every day, your ‘manufacturer’ scours the internet looking for free bits and pieces of code that will do a job that they can’t be bothered to code themselves. This freeware, often taken without consent and seldom supported, becomes part of a stack of under engineered software that makes your magical, money saving cloud infrastructure work. Any time someone decides they want additional functionality, another piece is patched into this mess.
Imagine if your car was built like this. Every tire would come from a different manufacturer with different specs but they all got chucked onto the car because they filled a need at that particular moment. Some of the tires come from tire manufacturers, some came from a guy who thought he could build a better tire in his shed, and they’re all different makes and sizes. Some are tested for safety, some aren’t even legally tires. The other parts of your franken-car would also be sourced like that, with simplistic needs met but with little thought for integration or upkeep. Some parts of your rolling nightmare are updated regularly, others never have nor will be, meaning what fit together this week might not next.
One day your engine bolts might update themselves and suddenly the motor won’t start because nothing fits. The horn that got installed might not actually be a horn but a fire hazard waiting to burn your new car to the ground when you press the button. You might be running a 1990s transmission with a 2023 chassis that only superficially work with each other but will fly apart the first time you take a corner.
If there were any consistency in how open source software is integrated into business systems, this might work, but in most cases complex cloud based information management systems are cobbled together collections of corporate systems and under-resourced open source freeware. Why would this chaos suit some companies? |
“Tech” companies seldom make the technology you’re purchasing from them. In most cases that fancy new operating system you’re buying was lifted from freeware and modified to fit the money-making paradigm – in many cases while ignoring the original intent of the freeware developer to provide functionality to those who need it while not supporting a profit mandate.
The stack of hardware and software your data passes through to use the internet is staggering. On your computer (laptop, smartphone, whatever, they’re all computers) you’re using a browser likely made by one company on an operating system made by another. The drivers that run the hardware that connects you online are a third company and in all three cases they may well have ‘grabbed’ some open source software to make their piece of the puzzle work. Once your data actually leaves your device it hits your router that is running another bunch of hardware and software before getting fired out to your internet service provider (ISP), who is running goodness knows what (but probably with ample amounts of ‘free’ open source software). From your ISP your data bounces from server to server on its way to its destination. If you’re reading this through social media connections you’ve now picked up all their bad habits (Twitter, Meta, Google, though notice that they all make monetizing free software like a community service). In many cases they throw trackers on your network traffic so they can sell to you.
This mad hack-fest is how the internet works and it’s how the cloud based programs everyone finds so convenient are built and maintained. Your ‘mission critical’ new cloud based accounting software depends on the slap dash engineering to work… all day, everyday. This approach almost begs to be abused, and it is.
How can we possibly secure this mess? Well, it’s nearly impossible, which is why you see so many criminals taking to this new frontier. The people using this technology are now decades into a digital skill crisis that shows no signs of ending, so the people who drive these terrible cars don’t have the skills to know just how bad they are. Our information and communication technology illiteracy also affects management who make ill informed decisions about how to integrate technology with resilience and best engineering practices first.
The vast majority of online systems depend on open source software that introduce all sorts of chaos into what should be a coherent and carefully engineered system. When you pile on missing user and management digital fluency, it’s amazing that the lights are on and your ATM is giving you cash at all.
Imagine that you are the under-resourced mechanic for that franken-car. When something breaks you may find that it doesn’t fit into what the car has changed into as other parts got upgraded. You might find that the intention of the part you need to replace was misunderstood and it wasn’t the right thing to use in the first place. Whenever you open the hood you’re not expecting to see branded parts that were designed to be engineered together, you’re seeing a hodgepodge of bits slapped together to work in a given moment. Your maintenance of this car becomes a panicky grab at anything that might make it work, which only makes things worse.
That under-resourced mechanic has a lot to do with cybersecurity specialists. When I read an article like this scattered piece in the Globe and Mail I get a sense of just how panicky and clueless management is. What’s particularly galling in that article is the insinuation that many cybersecurity experts are somehow untrustworthy criminals because they’re able to recognize the under resourced mess we’re sitting with. Incredible.
Cybersecurity is an uphill struggle. You can expect the systems you work on to be cobbled together messes, your operators don’t know what they’re doing and the people working against you (many with organized crime or foreign government support) only have to get it right once while you have to get it right (on a nightmare software stack) everyday. It’s no wonder we’re in a decades long shortage of cyber-talent and seeing burnout becoming a major factor.
The decision to start taking online security from software development up seriously is going to take a revolution in thinking. Perhaps the coming quantum disruption to encryption in cybersecurity will prompt this change. The hacked together mess we’re working with today is begging to be burned down and redone properly.
from Blogger https://ift.tt/AL4mdX3
via IFTTT