The great unsecure
17 January 2018
I was discussing the subject of Meltdown and Spectre with someone in the channel last week and he sent me over a comment from LinkedIn by Tim Holman, CEO and founder at 2-sec, which made some excellent points.
Holman is described as “one of the industry’s leading experts on cyber security, holding the Microsoft MVP for 3 years and directing ISSA, the association for cyber security professionals”.
Meltdown and Spectre: “I’ll eat my hat if there’s a global data theft pandemic using this vector,” Tim Holman
Firstly, Holman suggested that it might not be a good idea to give these bugs and faults exciting, often sexy, names. They should not be “glamourised for what they’re not,” he wrote, and given “Hollywood names”.
Which is fair enough. After all, it is hard to keep a sense of perspective when you are confronted with something that has a name suggestive of a disastrous collapse or which shares its moniker with a shadowy global organisation intent on overthrowing the world order in many of the James Bond films.
Holman described the furore over Meltdown and Spectre as “almost fake news”, adding “I’ll eat my hat if there’s a global data theft pandemic using this vector”. The picture of him accompanying the post does not include a hat, so we are left to speculate whether he actually owns a hat. If he does, what kind of hat is it and, most importantly, we do not know whether that hat is one of the more edible versions. Anyway, the hat is probably going to remain uneaten for quite some time.
The more important point, beyond following common-sense security practices such as not installing applications you do not trust or visiting dodgy websites, is that Holman expects the processor flaws to create market demand for vendors “to make secure processors”. That they have not done so until now is not really about how difficult it might be (Holman argues it “has never been difficult”) but about the reality that, like those Hollywood names, the industry’s focus has been on other, sexier things: in this instance, performance and features such as speed and power.
Holman quite rightly says this is not a sensible way to approach things. “There should be a law against that,” he states. “Much in the same way there’s a law against selling cars that don’t have brakes.”
When put like that, it is hard to dispute his argument, except to say that, unlike with cars, people have been perfectly willing to buy “unsecure” processors for a long time and no one has tried to legislate to stop them.
There is a lesson there for the industry. It is one that is currently being largely ignored when it comes to issues such as autonomous vehicles, where the wonders of the technology’s capabilities are overshadowing the security and safety implications, which would probably be much more to the fore if the innovation were being driven by the car manufacturers rather than the technology vendors.
Which leads us to a related question: will there be a law against selling self-driving cars that are not adequately protected from being hacked and hijacked?
Oh, and while we are here, given the tendency of sceptical people to say they will “eat their hat” when or if a specified prediction becomes reality, should there be a law that specifies all hats ought to be edible?