printer friendly version

Compromise is not a secure option

The past couple of months have been interesting for those in the security industry, especially cybersecurity. With thousands of computers hit by ransomware across the globe, we’ve all had a glimpse of the future: nothing and no-one is safe, and more importantly, you can’t trust those you think you should be able to trust.

The guilty parties in most of these cases were not the criminals themselves, although attacking hospitals is the kind of thing one only expects from the lowest of the low, but the government agencies who kept the software vulnerabilities that were exploited to themselves. It seems like a good idea if your goal is to make everyone in the world subject to your hacking proclivities, but it also shows an extremely immature approach to security.

That may seem like a bold statement, but I don’t think anyone with a real security mindset could believe that they would be the only ones to discover a way in, whether it’s into an operating system or a secure building. There is always some smart person somewhere who can do whatever it is you can do. So hiding vulnerabilities, in my opinion, is stupid.

It’s also very 18th century to take a huge risk in the belief that everyone will keep a secret, especially in a world where names like Assange, Manning and Snowden are held in high respect for exposing abuses of authority, even to their personal risk. As changes in the world show a diversion from the ideals of democracy and liberty that were once held aloft as the ultimate goals for every nation, more people are going to become disillusioned, look for a way to work against ‘the man’, which will result in more leaks and people doing things they think are right, even if they are against the rules.

Keeping vulnerabilities secret in this environment is unconscionable. That’s not to say they should be publicised as soon as they are discovered, but they need to be brought to the attention of those they put at risk and solutions need to be put in place as quickly as possible.

This applies to physical security as well as the virtual world where we already see companies forcing more secure practices from users (except the cheap-and-nasty brands which exist because they cut corners). Whether it is simply forcing users to change default passwords, securing backdoors and hard-coded access routes, or whatever the latest security issue is, each step towards hardening your setup is the right one to take for the vendor, customer, end user and integrator.

End users can no longer afford the luxury of waiting until it’s convenient to ensure their security is up to date, vendors can no longer take the risk of ‘saving’ security upgrades in the hope of selling it as a feature in a new version, and authorities can simply not play childish games and put everyone at risk by hoarding vulnerabilities.

As we have found out and will yet more painfully learn over the next year or two, compromising and kowtowing to criminal and anti-democratic agendas only benefits the criminals.

Andrew Seldon

Editor

Share this article:

Further reading: