To build a better mousetrap, one must first invent the universe....no, wait, that's not it.
"As technology advances, the technology to fool it advances as well."
Unsurprisingly, this is a truism first taught in nature, as the many attempts of children to capture small insects, reptiles, and amphibians demonstrate handily. Eons of evolution along the twin tracks of evasion and capture produce all sorts of ways of hiding in plain sight and adaptations to penetrate defenses. Then come the humans, who think they're special, and the cycles begin anew, just in different theaters.
We like these kinds of exercises. We have lots of war-analogue games, where a vital part of the strategy element is misdirection, laying traps, hiding moves, and knowing when to change from attack to defense and back again. We often start with "simple games", which these days means "computers can play them perfectly." After things like chess and checkers, some move on to "team sports", where they play squadron-based tactics against other squadrons, while others advance on to playing command simulations. Sometimes both.
Technology plays a crucial role in both. The rules have to be rewritten and revised here and there to take advantage of that - video replay, better pads, composite-fiber sticks, scientifically-engineered balls, and perpetually more-powerful and well-trained athletes. Faster computers, better intelligence, and more ability to analyze everything in minute detail try to reduce the amount of incomplete information in any conflict, mock or real. For tactics to succeed, they have to be able to reintroduce uncertainty and ambiguity into the calculations. (Thankfully, Global Thermonuclear War is a solved game with zero uncertainty as to how it will come out.) For every Radar Dome and GPS satellite, there will eventually be a Gap Generator. Every infrared camera produces thermoptic camouflage.
The greatest game of Janken going on, though, is on the Internet and other networks, where programs are looking for known vulnerabilities and people are looking for more and new vulnerabilities. A disclosed vulnerability gets patched, eventually. The spot in between, from when the issue is discovered to when it's patched, is where the advantage is gained. Whether for crime, to gather intelligence, or to sabotage, those exploits make all the difference.
Which is why all of the information released showing how much of our equipment and connections are already compromised by government agencies and fiats is profoundly disturbing. Any vulnerability in a system is an exploitable one, and ones that are baked in are just waiting to be found and exploited by someone other than the intended audience. Really, the only way to have something potentially secure is for everything about it to be known and to be publicly examinable to find any weaknesses. It won't protect you against a new creative force being able to put two and two together to make five (like Heartbleed), but it will at least prevent entities from using secret knowledge to exploit your highly popular software program or operating system to do horrible, awful things to other people.
We should make our government hackers that don't officially exist work damn hard for their salaries and illegally-obtained intelligence. Just saying.
Of course, after a certain point, for many things, it goes completely out of the range of the hobbyist, out of the range of the amateur, and completely into the range of someone who devotes their life and remaining free time to doing that single thing. If it takes 10,000 hours of practice to become an expert at something, then only those who devote themselves to it wholeheartedly achieve that expertise. Which often means making it your professional life and finding a way to make money at it.
The funny thing is, most of the financial incentives available to help develop expertise are intended for those that show aptitude for the thing, often at a very early age. Competitive exercises, scholarships, schools, programs, and equipment are geared toward those that already show skill, not those that merely show interest. If someone has enough privilege and resources, they can continue to pursue interests and build their skills, but if they don't, it's going to take assistance, which means showing aptitude early. And even then, at each step of the way, there are the heavily competitive elements that basically whittle down the talented and interested into the lucky few, along with the social attitudes that encourage or discourage certain groups from participating. It's a pretty inefficient way of helping everyone achieve the expertise they want and allowing them to be happy with their lives.
Surely, we can do better.
no subject
Date: 2014-04-19 07:51 am (UTC)
But the Heartbleed bug passes both tests. Everything about it was known - if only the person who wrote the code had bothered to double-check it before shipping it off for production - and the code itself - in the event that its author was shortsighted enough to not check his own work (bingo!) - was in fact publicly examinable to find any weakness.
Also, the weakness was so obvious anyone looking who knew the language it was written in should've caught it right away.
Which tells me that a) incredibly enough, no one, including the author himself, was looking before or after the code was put "out there", or that b) plenty of people who knew the language were in fact looking - and looking, and looking at it - and IMing each other with stuff like, "Hey, check this bug out - payday has arrived, forever!" - and testing, and poking, and prodding, and succeeding at what should not have been possible - but those who knew kept their silence, because, uh, that one little, tiny error? Broke SSL as we once knew it for all time. If you're someone with nefarious intentions why would you ever talk about that?
It won't protect you against a new creative force being able to put two and two together to make five (like Heartbleed), but it will at least prevent entities from using secret knowledge to exploit your highly popular software program or operating system to do horrible, awful things to other people.
The way I see it, if you put the code out there but nobody reads it, or you put the code out there but no one who knows what's wrong with it will talk about it in order to keep their own (bad) interests protected, then what have you gained by putting it out there? It's like the saying, "If a tree falls in the forest but nobody hears it..." it's all secret knowledge until everyone at large - or at least everyone with non-nefarious intentions at large - starts going public with what they know. Two years in between the original coder's "whoopsie" and people with non-nefarious intentions talking about it is way too long a passage of time to be believable. The code might as well have been locked up tight and dustfree in Microsoft's own Highly Seekret Vaultz for all the damn difference it made to make it available to the public from Day One.
Which is not to knock open source; it's to knock people in general for a) not looking, b) not caring, and c) most likely keeping it to themselves for fun and profit. It makes me just want to... ugh... totally headdesk forever (and yeah, I know, I'm already headdesking a lot tonight).
no subject
Date: 2014-04-19 02:01 pm (UTC)
As for people being jerks and maliciously exploiting bugs they find instead of just reporting them, well, we're still waiting on the patch for that. Evolution, though, is a really iterative system, so we probably won't see it in our lifetimes.
no subject
Date: 2014-04-19 11:52 pm (UTC)
"potentially secure" would be more factual. I'm not trying to split hairs or be overly semantic, though, just pointing out a real-life scenario in which the main idea of your sentence was certainly not realized. :(
no subject
Date: 2014-04-20 07:19 am (UTC)
And the Linux desktop experience is much, much better these days.
no subject
Date: 2014-04-20 01:55 pm (UTC)
And Ubuntu is not the only variety of Linux out there, certainly. Maybe CrunchBang (#!), since I think it ships with a lightweight Desktop Manager.
no subject
Date: 2014-04-21 03:25 am (UTC)
So, hopefully, it was just an edge case issue and some other flavor will be able to solve it smoothly.
no subject
Date: 2014-04-21 07:41 pm (UTC)
Q F effin T.
Now if the general public would accept this as a maxim. *sigh*
no subject
Date: 2014-04-19 03:15 pm (UTC)
Speaking of library courses, I need to send you an email. Do you still monitor your UMich email or is there somewhere else I should send it?
no subject
Date: 2014-04-19 04:08 pm (UTC)
Tech doesn't necessarily change paradigms, but it does change how the game is played, so to stay current, you have to learn the new things.