Software Security Philosophy
What is “security”? Well, not in broad sense, that is, but in software security? What does it mean: to develop secure software? What do we understand to fall into the realm of software security?
I tell you what I mean when I say “software security”. For me, the software security means to bring the intent of the original designer to the customer.
This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the csutomer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what developer had in mind. If it does not – we have a breach of security.
I know that this is a very broad definition and it encompasses many areas traditionally thought to be Read more…
State of security – still miserable
Even after all these years the software industry seems to be ever in a state where we believe that if vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of reporting it or helping to fix it. Having “hidden” vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they will be exploited.
Security is a fascinating subject even for uninitiated not to mention Bruce (who makes money with it no slower than the US Treasury printing presses) that may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it but I can understand it in a round-about sort of ways). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher… until someone starts asking hard questions. Pray this someone is not your customer.
Talking about security does not help. Keeping it quiet does not help either. Only doing does.
The Future of NFC Payments
Someone asked me to provide feedback on an article regarding The Future of NFC Payments (yes, capitalized, like in “Big Future”). I do not cherish the idea of giving up my contact details for a brochure download, so I did not read the actual paper. I cannot imagine why people would not want their ideas to be widespread. I think it is silly to force people to register when you want them to read your articles, for they will simply read it elsewhere.
Anyhow, back to the subject of mobile payments with NFC – that’s what the paper claims to be about. I do not really know what they said inside but seeing “NFC was hailed as one of the biggest trends for mobile operators for 2011″ in the blurb is enough to get an idea of what might be on the inside.
Now, let’s be clear that mobile payments are a fighting ground for two large forces: the banking industry and the mobile service industry. Both of them deal with a lot of customers and a lot of cash. And none of them would willingly give up the payment transactions stream to another. One, the banking industry, owns the terminals and the networks, the payment infrastructure. The other, the mobile industry, owns the handset and the SIM card, the means of payment.
So, until I hear that those two – mobile operators and banking associations – came into some sort of an agreement between themselves on some terms regarding the mobile payments, I am not going to lose my sleep over any imagined mobile payments trends, with or without NFC, this year.
Mind you, there is always a chance for a small handset manufacturer like Apple to come up with a painfully obvious scheme that Nokia simply cannot afford…. But that is another story.
Near Field Communication (NFC)
I stumbled upon an article in PopSci (Popular Science?) on-line publication titled Everything You Need to Know About Near Field Communication. My opinion is that many of the things described there reflect a lot of wishful thinking on the part of the smart card industry players. Especially where they go on about “everything has just started to come together”, which is exactly the same thing they were saying for the last five years or so. I was on the inside, I should know.
I think that for the more inclined to actually understand the technology in easy words, I would suggest simply reading the original NFC White Paper written by myself years ago and published by Ecma International. Trust me, nothing much has changed in the meantime, all concepts still apply today as they applied then.
Corporate responsibility
One of the buzzwords I dislike is “Corporate Responsibility”. It is overused, abused and never means what it is supposed to when you hear it from the top managers. However, it is important. Rather, the concept that it used to mean is important.
I spent a few months in Russia now and I am shocked and disgusted at how business is done there. That is the place where you go if you want to learn what the consequences of irresponsibility on a grand scale are.
Nobody feels responsible for anything there. The only king of this newly capitalistic country is money. Everybody dreams of making money quick. Some people make the money quick. Some don’t. But for everyone the main theme remains – just make money, no matter how, no matter what the consequences are, never mind the “after”.
What is the result? Well, most, or, perhaps, all of the business is based on making or buying something dirt cheap and selling it high. Most products are made in China or are counterfeit. Everything is made of the cheapest materials and with the cheapest technologies.
Can you imagine the life in a disposable world? Disposable furniture, disposable cars, disposable roads, disposable buildings, clothes, everything. Food is mostly dangerous for health, as is water and air. Every service you get is done as if you are a really annoying beggar, not a paying customer. All products you buy start falling apart as soon as unwrapped.
And it really matters nothing if you have a little or a lot of money. What you buy with a lot of money is still counterfeit and the same horrifying quality. There is no way to buy for yourself a higher life level, unless you ship everything you need from abroad, like some rich people there do – they just fly all their food and necessities from Germany.
And this is the result of one thing – corporate irresponsibility. Yes, they make money, a lot of it. But, when everyone provides shit to everyone else, what help is all that money?
Service: cheap, cheapest… cheaper!
I find it disturbing how even the most normal appearing people are falling for the cheap-cheap-cheap mantra of the day. Take the telephone services. My friend, who would always check the quality of everything he buys and make sure that it is of at least fairly acceptable level, falls for the “we have it cheaper than everyone else” internet and telephony package. Result is very predictable: half a year of wasted time, miserable service, lost money.
Why does this happen? It seems easier to accept the “everything is equal anyway” lie when you cannot assess the quality expertly in advance. It is probably difficult to assess the quality of a used car for a non-specialist, but at least you can see the rust. When you only see the colorful brochures, it becomes near impossible to judge the quality of a future service. And it is, oh, so easy to judge the amount of money you pay.
When you select the services next time, remember, it is not only the money you pay. The service you receive should also be taken into account. You are not just paying money, you are paying money for the service. Make sure the service is worth your money.
Chinese can!
Reuters is amazing me today. Another short article gives a quick update on the Chinese affairs in Africa. Chinese were copying small stuff from everywhere until now: products, technologies, machines, tools. Now they are copying the big politics and economic strategies. US has used this strategy successfully for a long time in South America, Europe, Asia and Middle East, enslaving multiple countries with horrendous amounts of debt. Now China is copying their approach in Africa. There is a lot of agricultural land in Africa and securing access to this land in the long term is a very wise decision. Not that it is going to do any good for the others but for China it is definitely a very good move.
