科技回声: a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

The Insecurity of Secret IT Systems

132 points, by listronica, over 11 years ago

9 comments

danso, over 11 years ago
I know that NSA/Snowden continues to be at the top of the news, but it's still worth pointing out again that NSA's internal system is probably one of the most secret of internal IT systems and through Snowden's work, we've found out: 1) NSA employees are easily phished and 2) They probably don't have the same level of deterministic dev ops deployments that modern tech companies depend on, given that it was Snowden's job to install an "anti-leak" system and apparently no one double-checked to make sure he had installed it. Hell, who knows if even that secret anti-leak system would actually do anything besides add more cruft to their internal operations? http://arstechnica.com/tech-policy/2013/10/snowdens-nsa-post-in-hawaii-failed-to-install-anti-leak-software/
Comment #7239587 not loaded
Comment #7239283 not loaded
stretchwithme, over 11 years ago
Regarding voting systems, all we ever needed was open source software.

Voters were incorrectly recording their paper ballots. A PC with a punch card machine attached and running open source software could have correctly punched these cards.

And we also could have had another system that read the cards right there in the polling place that the voter could use to confirm their ballot was correctly encoded. Or a phone app that could read a photo of it.

We could have gotten that software for free. It could have run on ancient PCs. It could have solved the actual problem that we had.

But the lobbyists got there first, influencing politicians into buying unneeded and overpriced solutions, just like they do in every other area of government.
Comment #7241197 not loaded
Comment #7241461 not loaded
Comment #7243752 not loaded
kev009, over 11 years ago
His point applies equally to general software quality. Even in the workplace, I always see the bad programmers try to sling shitty code with private repos or direct pushes with no peer review. The good ones always operate in the open and appreciate peer reviews.
0xdeadbeefbabe, over 11 years ago
How is an airport x-ray scanner maker supposed to participate in that iterative process for improving security if they aren't in a mass market? No security researchers took interest for a long time till Rios purchased a scanner. "It runs an outdated Windows 98 operating system" just shows how little anyone cares, even if Rios would like it to show how awesome he is as a researcher or how awful Windows 98 is as an OS.

Also unrelated, how to factor a large prime to break RSA 1024 quickly is a secret too.
Comment #7240355 not loaded
Comment #7240423 not loaded
a_b__, over 11 years ago
The fact is that sometimes security through obscurity works. Take Skype for example: it was well known that the US government had for a long time wanted access and, depending on who you ask, failed. After being bought by MS and reconfigured, it could be argued that there are now fewer access problems.

Where obscurity fails is where the product has been poorly designed in the first place (perhaps due to lack of time or manufacturing costs) or there is a failure to update when the scenario or environment for which it was built changes.

Obscurity is really a term about confidence and PR of a system (e.g. ISO standards compliant?) or company (RSA anyone?). How does the company convince you that it is using best practices without compromising its competitive advantage?

The grumbles about running Windows 98 are pointless if the system meets the requirements.
Comment #7243770 not loaded
yaur, over 11 years ago
"Smart security engineers open their systems to public scrutiny, because that's how they improve. The truly awful engineers will not only hide their bad designs behind secrecy, but try to belittle any negative security results."

Or restated:

All bad engineers try to hide their work from the public, therefore all good engineers try to show their work to the public. I'm sure there is a logical fallacy in there somewhere.
Aloha, over 11 years ago
Windows 98, really?

Wow. I'm just, wow.

Like I can understand an ancient version of Solaris, or Windows NT4, but Windows 98?

Just wow.
peterbotond, over 11 years ago
Security in any application has to start from the beginning and be nurtured by everyone developing that application. Security cannot be a bolt-on, after-the-fact patchwork. When at least these two are not applied, all applications will fail miserably. Security by obscurity is only make-believe.
ehPReth, over 11 years ago
Is there a video of this talk anywhere?