Engineers, not users, to blame for security shortfalls: Cheswick

Systems developers need to stop blaming users for security shortcomings and focus on improving security by rebuilding their systems in a more secure and user-friendly manner, a security expert has argued.

The fundamental problem with today's approaches to security and computing is that too many business leaders and consumers were still in the “oh my God it works, isn't this great” phase of technology and hadn't taken the time to step back and consider whether they were on the right technological path, erstwhile Bell Labs researcher Bill Cheswick told CSO Australia in the wake of a keynote presentation at this week's CSO Perspectives Roadshow conference.

This had led to an unproductive situation where security had become the responsibility of users who had to deal with developers' poor design, rather than being the responsibility of developers who had to think better about the needs of users.

Responding to oft-cited claims that people are the most vulnerable part of the security chain – simple phishing attacks were, for example, cited in the recent $1b-plus Carbanak bank attacks – Cheswick was clear on where the blame lies.

“The problem is that we're relying on humans for security,” he said. “We expect people to make and remember strong passwords that computers can't crack. We've known this doesn't work for 40 years now, but we're still working on it.”

“It's engineering that has gotten it wrong; it's not the user's fault. We have to do much better and stop assuming that grandmas can manage security on devices. I want the dumb-ass users to be safe.”

A systems programmer in the 1970s, Cheswick joined Bell Labs in 1987 and was involved in the development of the network firewall – a technology that has become an intrinsic part of computing security in the ever-connected Internet world. Later work with automated mapping of the Internet led Cheswick to co-found spinoff network-visibility developer Lumeta.

Having watched the security environment develop in the intervening decades, Cheswick was scathing in his assessment of current security, which was based on vendors trying to keep up with hackers as they systematically plundered their applications for security vulnerabilities.

“We've been trying to build reliable systems out of unreliable parts,” he said.

With so many patches constantly being developed and applied to existing systems, Cheswick said it was important that operating-systems vendors were willing to take risks to reconsider their overall security postures.

This might include stepping back enough to fund skunkworks projects in which a small team of technical experts was tasked with rebuilding an operating system from the ground up to consider security and usability lessons learned to date.

“If you consider what really is the problem and what we can do to make it better, it wouldn't take that long to put some simple, academically created operating system in there,” Cheswick explained.

“You don't need a team of 200 people to do it,” he continued. “There were only five people working on Plan 9. Sure, these were exceptional programmers – but all you need is one Einstein who can crank out code that is tight and clean. Give three of them a budget of $1 billion, put them in separate buildings, and send them to invent the future.”

Just what that future might contain has become clear as vendors work hard to contain an ever-growing panoply of security vulnerabilities as they emerge. A “mathematically proven” sandboxing environment, for example, would allow the separation of applications to ensure that even malicious software couldn't affect the operating system or other applications.

Apple, Cheswick said, had succeeded well in building a sandbox-based architecture in its iOS operating system, which stored data local to each application and prevented applications from communicating with each other.

The evolving Blackphone – set to ship in June for $US629 ahead of a companion tablet running the same software – was a new mobile architecture designed from the ground up for security and represented “exactly the right kind of response”, he said.

Extrapolating a similar approach to a theoretical desktop operating system would allow the delivery of more-robust computing models based around productivity functions and tied with an operating system that never needed to be upgraded – or could be easily updated by using low-cost Raspberry Pi computers that could be swapped in for functionality in the future.

Maintaining and upgrading computers has been hard in the past “because PCs are $500 and you have to do all the configuration and management,” Cheswick explained.

“But what if the computer were a $50 Raspberry Pi encased in plastic? Plugging in a computer should be like plugging in a Roku: you should have no particular need to update this thing, ever. It could be done in hardware that's cheap enough that you could throw it away” when it's time to upgrade.

Emerging cloud environments had magnified the vulnerabilities caused by current approaches, Cheswick warned: “I understand the economic need for cloud,” he said. “Clearly we need these huge server farms. But it takes our current security problems, amplifies them and puts them on someone else's machine.”

That had left cloud security in a defensive posture: “there are lots of different potential ways to get in the way of this,” he explained. “I think it's just a swamp.”

Cheswick was equally ambivalent about the increasing intrusions of government bodies into personal communications, which were a key concern of fellow keynote speaker, journalist Kim Zetter, whose presentation highlighted the growing role of nation-states in accelerating the IT security arms race.

While he is a self-professed “fan of law enforcement” and wouldn't philosophically mind if the NSA were reading emails – on the assumption that the government was “not evil” and wouldn't share them with anyone else – Cheswick said he had issues with the broader implications of interference of government bodies with daily communications.

“I've come to the conclusion that these holes add weaknesses that are just weakening [security] too much,” he said. “Security is all about trust, and I don't want it to be about trust. I am with Apple on these things: there should be uncrackable phones that are perfect for security, and it's too bad if they can't read the drug dealers' messages.”

“There are a lot of gaps in security and I don't want there to be gaps,” he added. “I want there to be a wall that I open holes in, not a giant space where I'm putting big blocks in and hoping the wall holds. That's why you have to start by saying that there are no holes at all.”


This article is brought to you by Enex TestLab, content directors for CSO Australia.
