Engineers, not users, to blame for security shortfalls: Cheswick

Systems developers need to stop blaming users for security shortcomings and focus on improving security by rebuilding their systems in a more secure and user-friendly manner, a security expert has argued.

The fundamental problem with today's approaches to security and computing is that too many business leaders and consumers are still in the “oh my God it works, isn't this great” phase of technology and have not taken the time to step back and consider whether they are on the right technological path, former Bell Labs researcher Bill Cheswick told CSO Australia in the wake of a keynote presentation at this week's CSO Perspectives Roadshow conference.

This has led to an unproductive situation in which security has become the responsibility of users, who are left to cope with developers' poor design, rather than the responsibility of developers, who ought to think harder about the needs of users.

Responding to oft-cited claims that people are the most vulnerable part of the security chain – simple phishing attacks were, for example, cited in the recent $1b-plus Carbanak bank attacks – Cheswick was clear on where the blame lies.

“The problem is that we're relying on humans for security,” he said. “We expect people to make and remember strong passwords that computers can't crack. We've known this doesn't work for 40 years now, but we're still working on it.”

“It's engineering that has gotten it wrong; it's not the user's fault. We have to do much better and stop assuming that grandmas can manage security on devices. I want the dumb-ass users to be safe.”

A systems programmer in the 1970s, Cheswick joined Bell Labs in 1987 and was involved in the development of the network firewall – a technology that has become an intrinsic part of computing security in the ever-connected Internet world. Later work with automated mapping of the Internet led Cheswick to co-found spinoff network-visibility developer Lumeta.

Having watched the security environment develop in the intervening decades, Cheswick was scathing in his assessment of current security, which he said amounted to vendors trying to keep up with hackers as they systematically plundered vendors' applications for security vulnerabilities.

“We've been trying to build reliable systems out of unreliable parts,” he said.

With so many patches constantly being developed and applied to existing systems, Cheswick said it was important that operating-systems vendors were willing to take risks to reconsider their overall security postures.

This might include stepping back enough to fund skunkworks projects in which a small team of technical experts was tasked with rebuilding an operating system from the ground up to consider security and usability lessons learned to date.

“If you consider what really is the problem and what we can do to make it better, it wouldn't take that long to put some simple, academically created operating system in there,” Cheswick explained.

“You don't need a team of 200 people to do it,” he continued. “There were only five people working on Plan 9. Sure, these were exceptional programmers – but all you need is one Einstein who can crank out code that is tight and clean. Give three of them a budget of $1 billion, put them in separate buildings, and send them to invent the future.”

Just what that future might contain has become clearer as vendors work hard to contain an ever-growing panoply of security vulnerabilities as they emerge. A “mathematically proven” sandboxing environment, for example, would enforce separation between applications so that even malicious software could not affect the operating system or other applications.

Apple, Cheswick said, had done well in building a sandbox-based architecture in its iOS operating system, which keeps each application's data local to that application and prevents applications from communicating with each other.

The evolving Blackphone – set to ship in June for $US629 ahead of a companion tablet running the same software – was a new mobile architecture designed from the ground up for security and represented “exactly the right kind of response”, he said.

Extrapolating a similar approach to a theoretical desktop operating system would allow the delivery of more-robust computing models built around productivity functions and tied to an operating system that never needed to be upgraded – or that could be upgraded simply by swapping in low-cost Raspberry Pi computers as new functionality was needed.

Maintaining and upgrading computers has been hard in the past “because PCs are $500 and you have to do all the configuration and management,” Cheswick explained.

“But what if the computer were a $50 Raspberry Pi encased in plastic? Plugging in a computer should be like plugging in a Roku: you should have no particular need to update this thing, ever. It could be done in hardware that's cheap enough that you could throw it away” when it's time to upgrade.

Emerging cloud environments had magnified the vulnerabilities caused by current approaches, Cheswick warned: “I understand the economic need for cloud,” he said. “Clearly we need these huge server farms. But it takes our current security problems, amplifies them and puts them on someone else's machine.”

That had left cloud security in a defensive posture: “there are lots of different potential ways to get in the way of this,” he explained. “I think it's just a swamp.”

Cheswick was equally ambivalent about the increasing intrusions of government bodies into personal communications, which was a key concern of fellow keynote speaker, journalist Kim Zetter, whose presentation highlighted the growing role of nation-states in accelerating the IT security arms race.

While he is a self-professed “fan of law enforcement” and wouldn't philosophically mind if the NSA were reading emails – on the assumption that the government was “not evil” and wouldn't share them with anyone else – Cheswick said he had issues with the broader implications of interference of government bodies with daily communications.

“I've come to the conclusion that these holes add weaknesses that are just weakening [security] too much,” he said. “Security is all about trust, and I don't want it to be about trust. I am with Apple on these things: there should be uncrackable phones that are perfect for security, and it's too bad if they can't read the drug dealers' messages.”

“There are a lot of gaps in security and I don't want there to be gaps,” he added. “I want there to be a wall that I open holes in, not a giant space where I'm putting big blocks in and hoping the wall holds. That's why you have to start by saying that there are no holes at all.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue