Sony got hacked. Patreon got hacked. The federal freaking government got hacked. It has gotten to the point where it seems that the only reason a website or company hasn’t been hacked yet is just because hackers haven’t gotten around to it. As if they could. They just haven’t. Which would mean that the world’s leading security infrastructure is time.
Long-time hacker and cybersecurity pro Jeff Moss (also known as Dark Tangent) told the Observer, during a recent phone call, that he “80 percent agrees” with that worldview. The call came ahead of his appearances this weekend at the Tribeca Film Festival, where he’ll take part in programming co-sponsored by the conference he founded, DEF CON, and the USA Network television show Mr. Robot.
Observer is a co-sponsor of the festival’s TFI Interactive programming.
“What people think is, ‘We’re smart enough to make things secure,’” Mr. Moss said. “I wish that were true. What we really do is make things more insecure faster.”
He constructed two major themes shaping his current thinking about the river of security breaches yet to come to us all: first, vulnerability born of increased complexity and, second, society’s failure to give big software companies the incentive to ship safe code. No one buys software products because they are known for being safe. “Volvo made a lot of money on safety,” he said. For software, it’s not really a selling point. He does see reasons why it might be before long.
It’s not completely true, in Mr. Moss’s mind, that nothing is secure. “Large enterprises are the only ones who can afford the top security talent,” he said. That doesn’t necessarily mean they all effectively execute a culture of security, but the big companies have a fighting chance.
But medium to small firms’ and consumers’ only hope is to move their data into the cloud. “There’s so many dependencies right now. It’s so hard for companies to figure out where your data is, because so much of it is outsourced,” he said, meaning that when you put your data into someone’s cloud, that company is probably, in turn, copying it into several other companies’ clouds. He said, “We’re in a situation where things will only get more complicated, but that sounds like an opportunity for more problems.”
In hacking, there’s this notion of an “attack surface.” Every point at which a person can enter a bit of data, log in or even just see the underlying data structure is a place where a black hat might be able to get in. Hackers are clever. One security researcher revealed this week how URL shortening services like Bit.ly expose thousands of private files to anyone with a bit of computing power.
The more companies rely on new services, new vendors and new systems, the more soft spots they create in a network infrastructure. Target got hacked because of an HVAC contractor.
With hyper-complexity comes hyper-specialization, Mr. Moss explained. “You can’t get ten people in the room and understand the problem anymore,” he said. “I’m just curious, where does this all end up? It just doesn’t seem sustainable?”
Surprisingly, it’s not more engineering that Mr. Moss sees as the solution to the problem. He sees hope in tougher laws.
Software makers should have liability for the failures of their products, he argued. “It’s the only industry without liability. Is that rational? Can that last forever?” he asked. Adobe, for example, rolled out an emergency update to Flash on April 8, in order to better protect users from ransomware. If anyone did get hit by ransomware because of the vulnerability, though, Adobe isn’t going to be hit with any of that cost.
Billions of dollars have been lost because companies like Adobe aren’t held accountable for the vulnerabilities introduced by poorly built software that comes pre-loaded on people’s computers, he argued.
However, he sees a chance for society to finally move on this point with the coming of the Internet of Things. Software-powered devices fail left, right and center, as the Observer has previously reported. Yet soon entire buildings will run on cloud-based software, as the Observer has also reported.
“Now it’s the toaster that burns down the kitchen,” Mr. Moss predicted. “I think as soon as we see things burning things down, we’ll see real liability.”
Then, when Elon Musk is told that Tesla is liable for the performance of the software that runs its cars, he’s going to make sure the same rules apply to the Adobes, Sun Microsystems and Microsofts of the world, too. “These smart cars are basically data centers on wheels,” he said. So why should they be treated differently than data centers on shelves, when both are responsible for people’s money and even their lives?
He’s not sure the public sees that when it’s data, but he thinks they will when hacks from bad software start causing damage or even deaths in their real lives.
When that happens, though, it will be billionaire against billionaire. “Why would Tesla want to compete against a company like an Oracle that doesn’t have those liability costs?” Mr. Moss asked. It won’t, and it will push for liability rules that apply to everyone building software.
It doesn’t have to get insane, Mr. Moss argued. Liability could have a ceiling, but it needs to be enough to move makers of closed software to quit patching and build right the first time.
“I can’t imagine 50 years from now having no liability on any of these things,” he said.
If he’s right, your data will be safe one day, right after your toaster burns your house down.
UPDATE: A previous version of this story reported Mr. Robot as a FX Network show. April 22, 2016 11:06 AM.