
I think it's erroneous to blame the security industry wholesale, tempting as it may be.

Let's set blame aside for now. What caused this botnet?

  - The tendency of IoT/smart-device vendors to eschew engineering discipline
  - The tendency of _all_ companies to eschew security as an optional extra
    rather than the cost of admittance to the marketplace
    - The historical tendency of big companies /not/ being burned to the
      ground after a massive hack makes security a lower priority to
      many businesses
  - The lack of a secure automatic update infrastructure (which also led to a
    recall), with which the vendor could have mitigated the vulnerabilities used
  - General ignorance about the risks associated with default/weak/hard-coded
    security credentials (e.g. passwords)

Now let's look at each line item and discuss possible solutions:

  + Regulation could help here. Require third party security assessments on
    IoT/smart devices to be sold? It's not the most elegant solution, but it
    would be a vast improvement over the current state of affairs.
  + This is a cultural problem that makes application security painful in
    every business vertical. It takes a lot of one-on-one communication to
    resolve. Seeing large companies lose their shirts over security negligence
    might change the conversation.
  + This is a huge problem for all software. (See link below.)
  + Education.

Regarding secure automatic updates: https://paragonie.com/blog/2016/10/guide-automatic-security-...

Now let's circle back to blame. What is the security industry responsible for? In my view:

  - Failure to communicate with other industries and professions,
    such as electrical engineering.
  - Failure to communicate with developers in general.
  - Failure to educate people outside the industry of our own
    conventional wisdom.
  - Failure to learn the challenges that others are trying to overcome
    so security can be on the same team rather than yet another obstacle.

Through the blog posts on my company's website and a concerted effort to clean up Stack Overflow, I've been trying to educate PHP developers about better security practices for the past couple of years. It pays forward in spades. The rest of the security industry could do a lot of good if they did the same for their own respective communities.

The only problem with doing that is: There's no effective and ethical way to monetize it. I make more money from helping e-commerce sites recover from being hacked by easily preventable mistakes than I ever have from making the software that powers 30% of the Internet more secure. https://paragonie.com/blog/2015/12/year-2015-in-review

Solving the core problems is good for society, but society doesn't reward this behavior.

The security industry is broken because society is broken.



> Solving the core problems is good for society, but society doesn't reward this behavior.

I'd like to think that we can solve collective action problems like this as a society and be rewarded for it.

We have to figure out how to fight this problem the way we fought smallpox and polio.


Large international state-funded scientific collaboration?


Sure, I'd like to see CERT get more funding...


Though I agree with you, and really admire what you're trying to do, I find most security researchers admire their "rock star" status too much to care about the rest of the industry.

Maybe a good starting point would be an attitude change?


I probably know too many folks who don't have that "rock star" attitude to see it as an immediate problem, and therefore am not qualified to provide an informed suggestion here.

But I would agree that, where the attitude does exist, it needs to be changed.

Fewer rock stars, more janitors/mechanics.

