Computer security is a political struggle

sisyphus.jpg

Figure 1: "One day, in retrospect, the years of struggle will strike you as the most beautiful." – Sigmund Freud

Cold cyberwar

We are in a new cold war. That sounds like it's not news. However, it is not the bordered cyber-war between nation states involving armies of hackers, but more akin to a quiet civil conflict between ordinary people - who use and depend on technology - and the… well to quote Bill Hicks "demons that run amok amongst us".

It's a political and psychological battle for culture and is the old battle for the dividends of technology. Who gets to use the fruits of science and to what end? As technologists it behoves us to take stock of this landscape, if not to pick a side then to plan our own way between the falling shells.

Recent events demonstrate clearly that our technology is unsafe. We're in an accelerating situation of acute failures that shut down businesses, sometimes for days or weeks. Large one-off losses from fraud, such as ransomware or AI assisted social engineering, keep growing. At a deeper level there are systemic failures because the goods and services we rely on are not fit for purpose, and those responsible for supplying and maintaining services are unable to discharge their duty. And at the highest level there is a political failure to confront the real causes. The UK Horizon Post-Office scandal laid bare the complicity of authority in burying inconvenient truths, making scape-goats and disseminating official lies to cover up problems with civic technology.

We find that our major concerns in cybersecurity are not really technical at all. They are political. But they are largely beyond tha capacity of our current political thinkers to solve. Instead, politicians bat the problem back into the technical court. We add or remove a layer of encryption, change a key protocol, deploy "intrusion detection" or "malware filtering"… and within a week the same problem is back, metamorphosed into something new. This will continue ad nauseum until there is political change.

The digital version is more subtle and damaging than kinetic wars in a civil space. We can't look to history for guidance. Conjure up mental images of ruined cities, food shortages, civil unrest, exploding power plants, disabled hospitals and broken transport systems. Worst case cyber-war is what Hollywood disaster movies have equipped us to anticipate. In the drama of a post-apocalyptic Mad Max fantasy world we can see ourselves playing unlikely solar-punk survivors living off-grid.

But that's just a story, at least so far. How do we recognise the effects of the different kind of war? What does a "worst case" look like if limited to infowars in cyberspace?

In Hollywood movies, the {terrorists, evil maniacs, rogue states} take over cyberspace and then use it to {hijack planes, melt down reactors, assassinate presidents}, or whatever. They are doing one thing, which is taking power.

Power, or "control" is one of the primary functions of digital systems - the others are computation, storage and communication. Control systems, which permit action at a distance, almost always involve communication along with telemetry as feedback. They close a loop. If you can mess with that loop you can exercise control.

That's why the integrity of communications systems is important. If the bad guys get control of the communications they win, and Hollywood events ensue. In reality, power seekers can act to manipulate events. That's the hard way. In cyberspace, you don't have to leave your seat to just manipulate the capture, transformation and transmission of signals that represent events. The media have done this for decades. Going further, if you can manipulate the perception and discussion of ideas that's even more powerful, especially if you already more or less own the means of communication.

That's why the Great Maker created the Internet first, as a little patch of level playing-field (or garden if you like) to see what we'd make of it. Not much, it turned out. We preferred to let developers pave it over and build us a residential amusement park. And of course, amusement parks always turn spooky and fill up with murderous robots and killer clowns.

An Internet is a jolly useful and powerful thing, if you can keep it, and the trick is to ensure that power remains spread out and not let one group of people suddenly have it all, like terrorists in the films.

But as Bruce Schniere puts it best, Terrorists Don't Do Movie Plots. In number theory there's an idea for that, it's called Cantor's Diagonal or otherwise Russell's paradox if you prefer to think of sets, but either way the insight is that "there's always one more…", one more bug, one more escape sequence, and so on, which entreats us to abandon the folly of totalitarianism and chasing "perfect systems". Concern with risk then is really about emerging threats rather than known ones against which we can pit our security.

For any system there are a couple of places from which threats can come. From the outside or from the inside. Inside threats may come from defective people, but more likely from failures of the system itself. Poor maintenance is a rather mundane and preventable cause. Through the distracted happy apathy of our amusement park days we forgot to oil the works and kick the tyres.

Our Internet has slowly rusted. The repair bill is high and the effects already showing are not good. We've undergone a slow descent into digital serfdom, meaningless pseudo-employment, apathy, anomie, a permanent state of endemic economic, spiritual depression and frustration. Like all realities it emerges day by day without fanfare.

We don't feel it creeping up on us. We don't notice the walls of social media echo-chambers closing in on us… our horizons narrowing, hope evaporating. We don't feel the steady increase of pressure and anxiety from constant hostile surveillance, being tricked, gaslighted, lied to and manipulated. Yet the present, evident cultural effects are on everybody's lips. Every day we read and talk about the negative effects of news and communication technology.

The technology itself seems so "successful". Is it? We've always celebrated technology that's good for us, whether it's steam engines or rockets, and even the stuff that we didn't know was so bad for us, like our cars.

But the idea of tech which is just bad for everyone and we all know it is something new. It hadn't taken hold until this century. At least here in the West beyond a context of warfare far away, our weapons were always aimed "at them". But remember that the Internet started in an "Advanced Research Projects" defence laboratory. It's a weapon. We were so excited to unbox it nobody read the manual and the warning about the "sharp end" and which way to point it.

Like bad food or environmental pollutants, the effects of bad technologies take time to come on, and then get us talking about "what to do?" Surely we are prepared, because there are so many amazing books and films about dystopias and failed social experiments, served as cautionary signposts for what not to do (again, elsewhere or just…ever!). Orwell, Solzhenitsyn, Kafka Huxley and Gibson all described states we do not want to build.

But for some people these warnings became blueprints. They set us off on a slow death-march; a slow maddening of humanity. These are our times. Soviet style conditions of hostile, intrusive and abusive corporate plutocracy… the various ideologies of consumer communism, surveillance capitalism, advertising madmen, blood-thirsty tech visionaries with shark-lasers… meanwhile most of our stuff, like the trains and planes and banks just don't work the way we want.

It is this sad carnival of clowns that we are at war against. It is a war on cheap, greedy incompetence, on reckless engineering, on sleazy opportunists, on crony contractors and corrupt IT back-room deals. It is a war against those who have their hands on the levers of technology, but are a dangerous lot who do not deserve to. It is a war for functional civic technology that the people own and control.

As defenders we are called to arms because real cybersecurity has to consider not just where technology fails, but where it succeeds - for some strange paperclip-maximised value of "success".

Technology is not neutral. It carries values. Often, bad technology is just ordinary, but designed and deployed by those with wicked agendas. Where technology grows too thickly or in the wrong place it is a weed and a poison. Like any garden or ecosystem the Internet can decline, as it has, into a form of wholly inadequate but irreversible social control. For example, "social media" is the obliteration of the social.

But what do you call a struggle like this? Fifty years ago radical Marxists might have called it a "class war", if you substitute ownership of means of production for control of the means to social life. Yet it seems an entirely different sort of conflict that transcends class, wealth, pedigree and political belief.

In all conflicts people use mental defences to say "it can't happen here", until it does. Digital war is a great leveller. Whatever walk of life you come from it affects you. You are no less at risk from an enemy of sorts that does not recognise power or privilege, laws, station or legitimacy.

If we split the world of digital threats up into a few broad kinds we might call them advanced persistent threats (APT), which are specific and even localised, transient situational threats like Y2K or solar storms which came and went, and ambient or nebulous effects, which are already inside our system or all around us. Here let's consider the last of these. What are we to do about ambient threats that are within the very systems we use to naviagate life?

Self devouring

Most of Western society now depends on digital technology. Yet we have a technology industry that is at war with its own customers. Much of our technology is broken, and it is broken by design. because this is profitable and brings power to its creators. Technologically, our civilisation is suffering from a lack of self-care. We are struggling with a broken model of "security" and the emergence of a global insecurity industry. This self-devouring and abandonment of our own values is what Solzhenitsyn warned us against in his Warning to the West.

We are now taking an unprecedented direction in political history having slept-walked into a territory where the monopoly companies we allowed quasi-governmental status through delegation (dereliction) of power in the late 20th century cannot be coerced, regulated, fined or even taken over and "nationalised" as a remedy. So far politicians have underestimated and misunderstood the power struggle with technology that is afoot.

Money, money, money

Let's take a simple, modest example from your everyday life; If you have an Android type phone spend a moment researching how to stop Google from spying on your location. Simple enough, no?

Google are a 'legitimate company', are they not? But despite all the protections your laws afford you, despite still more tough-talk from Europe about our privacy rights, the realpolitik is quite different. In fact it's more or less impossible to get Google to stop spying on you.

First let's acknowledge the motives: US American BigTech companies primarily make money by selling your private data to co-parasitical advertising and security industries. Commercially they discriminate to distribute digital goods preferentially by location, social strata or even as personally targeted campaigns.

Increasingly for political reasons, service access is only available in certain countries or by certain groups. The Internet has become the The Splinternet, a tool for division. Conflict makes clicks.

Of course this disadvantages anyone who moves between spheres, is travelling or relocated for work, or has family in other countries. It "locks things down", and simply goes against the basic principles of "The Internet" as a global, universal system (which it hasn't been for almost 10 years now). But, "so what?" you may say. These are "first world problems", surely? Minor inconvenience at most?

Look again. Tech corporations have insinuated themselves into almost all aspects of life. For too many people companies like Microsoft act as their identity. Companies like Amazon control everything they buy, sell, read, own or even think about. Google know every thought they've had since 1998.

Governments and bodies for trade, development and intellectual property (WIPO, WEF, WTO), have been derelict and allowed BigTech to carve up the global economy into new digital fiefdoms. Through negligence, through weakness, through our own deliberate fault, we've enabled the rise of digital colonialism, new forms of slavery and neo-feudalism. We've failed "consumers" as people, and all of us as citizens.

Of course it is still possible to live, and live well, without invasive low-life-quality technology. Millions of us do. Smart kids don't have smart phones. For the adults, Microsoft's operating system is now an advert-infested disaster-area teetering on unusable, with droves abandoning it. As is Google's derelict search engine. Social media is a misery pit of teen anxiety, disinformation and hate-spreading.

But the aim was never to live without technology, just to have good, simple, humane, flexible, durable tools that make life a little easier and bring some fun. We long ago surpassed that need. People are turning away from tech, or at least pinning their anger and fear upon it, because of the effects of how it's used now, not what it essentially is.

With pomp, bluster and glory the big technology companies bask in the glow of "freedom". They supply us all with the mind-numbing cargo-cult of games, media and applications we can give our attention to.

They present themselves as "progressive" and there is always the breathless cry… "Follow us follow us! Don't be left behind" But surely we must start to see them for what they really are. The Pied Piper is fundamentally anti-progressive because he leads in a circle. Other writers have described it as the problem of the modern East India Tea Company, as throwbacks to the unfettered laissez-faire capitalism of the era before the Great War, and consequent global crash of the 30s and World War 2. We've already learned these lessons from history, so why are we going for a replay?

As a British person I can really relate to companies like Google, Microsoft and Meta… dinosaurs, still trading on the myths of their once glorious past empires, standing uncomfortably too long on the stage, missing all the cues for a graceful exit and having to be hauled off with a shepherds crook. They have been holding back technology for decades.

They are first and foremost companies who cannot allow actual progress to come before profit. Sure they came out of the garages of suburbia, as the cool new rockers. But if Bigtech were bands they'd be the kind on 12 inch vinyl in your mum's record box, who now wear gold watches, own organic fish-farms and were at least accused of touching their groupies inappropriately in the 1970s.

Dig into the reality behind Google and you'll discover a company that, apart from having a defunct "search engine" on which it built its initial reputation, also abandoned almost every other product it ever touched. It adds up to a gargantuan bonfire of wealth and lost opportunity imposed on the rest of Western society. Likewise, Microsoft's death-grip of insecurity on computing by acquisitions, smothering or outspending competition, has done for the progress of computer security what Julius Caesar did at Library of Alexandria in 48 BC.

Is anyone still fooled?

Apparently, at long last, the U.S. government is losing trust in Microsoft. In recent years it has stood up against powerful foreign technology actors like Huawei and TikTok. Even in Britain we had to acknowledge the security catastophe of Hikvision cameras and our government finally banned them. But these are the tip of the iceberg of toxic tech. It is easy to pick on Chinese or Russian companies precisely because we don't trust their regimes. But most dangerous of all are the companies we suppose we can trust, like Meta, Google, Amazon, and Apple.

Trust is the ability to do harm.

The political fault-lines lie in this misplaced trust, "special relations" and trade agreements that place U.S. technology suppliers beyond question.

Yet we continue to lionise these lumbering monsters. Their bright coloured logos, sit behind the strutting stars of TED talks in their brown leather brogues, turtle-necks and jeans. Their hipster language still dazzles us. In our minds they are youthful, vibrant and privy to secrets about the future.

Reality check; They are already the next iteration of tired old power, replete with red mid-life-crisis-mobiles on the drive. Our "tech leaders" are now the generation of fossilised cranky and emotionally challenged old men. Same as the ones that ran Exxon Mobil while the planet was heating up in the 1950s.

The limits of industry

In academic writing and political talk we often see "Industry" used as a notional symbol, It stands, not in a harmony but alongside "Government" and "Academia", as a timeless imaginary power grouping. It requests a deflationary logic that "industry" is synonymous with "the economy" which is in turn synonymous with "happiness and quality of life".

It is a peculiarly post-Thatcher/Reagan take, a neo-liberalist ideal of "private industry" taking the place of government. But if Thatcher was ever to be taken seriously on a single word she said, what we have today is an abomination of her values. "Private enterprise" was another way of talking about the ordinary people, but through an economic lens. If you cut someones hair or carried your own groceries to the car today you're involved in "industry". We have a music industry a culture industry, an education industry… what has not been industrialised? So what does that leave that isn't an "industry"? Of course what politicians really mean by "industry" today is the one percent of rich and powerful owners.

Perhaps we misunderstand industry as "engines of progress" because of the persistent mythology of our own bygone industrial revolution; greats like Brunel, Stephenson and Telford. We still see ourselves on the frontier, paving roads to infinity. But industry has other forms, especially in mature civilisations. It is sustaining, home-building, frugal, refining.

The old mythology is still recycled in the stories and pseudo-philosophies of Ayn Rand, and now Elon Musk, Peter Thiel and company. Modern heroes? Noble strugglers against "Old power"? Or perhaps, misogynistic, grandiose, psychopathic Silicon Valley "bros" who are not ashamed to hide their naked contempt for the poor, for education, mobility, for women, blacks or anyone else who refuses to "get with their programme" of social immobility. Silicon Valley increasingly has the stench of some alt-right faction, throwbacks to violence - so long as it is cowardly, technologically mediated violence.

In it's disdain for women it's starting to look more like a backward religious sect. The irony is that tech is an industry that doesn't really produce anything. Software is mostly like music, in that you sell the same thing again and again.

It recycles old ideas and repackages software sponged from a global network of volunteer "free software" writers, sticks that on some chips imported from China, and uses that as bait to attract victims for data harvesting. It's a tasty racket if ever there was.

Of course real industry is very important, and it is part of human progress. Steel and concrete must come from somewhere. But we've long passed time to put the tech industry alongside the old oil and pharmaceuticals. It is no "disruptive" challenger to the status quo. What it perpetuates is more of itself, more control. It might not be a paperclip-maximiser yet, for now it's just a tech-industry maximiser.

It is the status-quo.

So it needs disrupting. Real progress is complex. It's not just this or that breakthrough… Penicillin. Electric lights. Steam engines. It isn't just spotting opportunities to monetise this or that idea. It's a balance of the intellectual, social, political, artistic, as well as industrial faculties. Yet we have bowed down before just a few industrial totems. This one-sided cult-like obsession with technology must be overcome and balance restored to the political and humanistic classes if we are to survive.

The Cost

AI is consuming electricity equal to the supply for Netherlands. Crypto block-chains twice as much again. Every new phone manufactured uses the daily water supply of 10,000 people. Survival of the planet was simply not on the profit road-map for the oil companies, and likewise neither will human survival be a priority for tech. Stubborn refusal to pause AI despite low value-yields and skyrocketing risk is the giveaway.

Your security and privacy means nothing for the technology companies. Until we internalise a new reality; that our quest for technology run by people, that our quest for a sustainable, reliable, private, and secure world is not a technical problem but a political struggle, we will make no progress toward it.

Look out of your window at the floods, wildfires, hurricanes, and streets lined with stationary automobiles, then do some research on the systematic suppression of electric vehicle technology. We could have begun a serious counter to climate change over 60 years ago when it would have made a difference. The computer security problem today is eerily similar. It is stuck in political stasis, but presented as a technical problem.

Taking back tech

Technology has one purpose; to serve humanity.

Here, today… on every smartphone there should be a single, reliable button to switch off spying once and for all. But there isn't. Why not? Because it's not profitable for you to have privacy. That's all there is to it. There's no technical challenge.

But, you say, those with political power can simply order these mischievous tech companies to behave. Sadly, no. Foremost our politicians lack the courage, knowledge and fluency. But behind that is a Faustian bargain by which they hope to benefit from a surveillance pact. They imagine themselves "sharing" power with the tech oligarchs. They will not. Like Yeltsin, post-1991 Minsk Agreement they will become puppets and vassals to those who control their means of communication. There will be nothing left but for a "strong man" to come to the rescue of the people. And nothing good will come of that.

Who dares?

It seems that, to get the things we want and need from technology today we must all become active. We must become hackers and combatants in a theatre of digital political warfare - fighting for security. For civic cybersecurity.

Security, privacy and self-determination in tech is what you take, not what is given to you out of kind-heartedness. What we need will not be obtained because corporations adhere to the rule of law. Nor by market forces. There is certainly nothing you can buy from people who want to rob you of it.

Big tech companies scoff at the law. They think it old-fashioned. Enormous fines are simply factored into their budgets. They have more money and influence than the political blocs that hope to regulate them. Neither can we rely on our political representatives to put up resistance, because they are poorly educated in technical matters and easily bought or misinformed.

No escape?

Now, suppose you are active and skilled enough to do things like root a phone, disable, spoof or jam GPS, remove the SIM, connect by wifi via a VPN endpoint hosted in another country, and use a payment service located in that country… then you may briefly be able to trick companies like Google or Meta to give you what you need. But no matter what apps you install on an Android smartphone, the operating system itself is written by Google, and is therefore untrustworthy.

In all such software, privacy settings default to unsafe or revert to unsafe settings following a forced update. Some location-tracking even works when your phone is supposedly "switched off". Although their Play Store contains hundreds of apps for masking or spoofing location, few of these really work because the company is locked in an endless cat and mouse game to defeat suppliers of those products. They kill products that meet a manifestly enormous market-demand. They pretend this is motivated by "business", not ideology.

Like the British Tory party who sabotaged hospitals so that they could deem them "failing" and ripe for privatisation, BigTech firms vandalise the privacy landscape in order to declare that "there is no demand for privacy". This disinformation trick can be seen on social media forums and Internet discussion boards everywhere tech industry shills operate.

The big players dislike any independent suppliers of security products, because they conflict with their thirst for profit and power. By empowering users, small companies become the enemies of BigTech, tolerated briefly in their "App Stores" before being arbitrarily ejected. Hacker forums are filled with stories of upstart developers trying to build a company, but being turfed off BigTech land by capricious diktats. Github, a common developer platform run by Microsoft is notorious for political beheadings of dissident projects.

False security

Maybe more damaging is that BigTech misuses people's desire for security, and misuses the language of security, to misdirect users into less beneficial or safe situations. For example, printer companies sabotage third party ink refils with malicious updates pitched as "necessary for security". This undermines any real project of cybersecurity. Users begin to mistrust updates of any kind when companies use them as vehicles for malware and undocumented suprises.

Companies muddy the waters around "security" by conflating "your security" with "our security". They then use the word "securty" as an abstract noun to imply users are getting something that benefits them but in reality benefits the vendor. They get security from the user. Even the word itself has become a kind of token, a false "moral high ground" from which wannabe tyrants can denounce their enemies. This is a sort of cyber-washing, to use fake cybersecurity for virtue signalling and concern trolling.

Once we see that this sort of security is a fixed-sum game then it's clear that anything that improves the end-user's security actually subtracts from that of the platform suppliers who benefit from a user's vulnerability. So the main vendors smear the sellers of things that compete with their "insecurity model". They attack Libre Open Source software written by regular citizens as "insecure" and "risky" - while secretly it's the same software they take for their own products, without paying for it.

Rebuilding public trust

Thankfully the political systems of Europe have started to wise-up and stand-up to US BigTech hostility and have mandated that all software used for public services, government and state apparatus must be Libre open source code that is auditable, verifiable and under control of the people. We want to see the same for schools, hospitals, railways and every other facet of public life and governance in the UK. Digital sovereignty is a big issue today.

Meanwhile practically, all of the "official" methods given by BigTech for obtaining privacy are no good. Play with your "preferences or choices" but regardless the platforms are still quite able to extract personal information from wifi networks and Bluetooth points in range of your devices, metadata in photos you share online, financial transactions, IP addresses of anything that touches a computer run by AWS, Meta, Azure or Google Cloud (even just to download a font or style-sheet). Any information passing through Gmail, Hotmail or Google Drive is subject to their prying if you are still unaware not to use such things.

Remarkably, some government offices still use these systems, and everything from doctors to parts of the British defence industry are entangled with Gmail, Amazon cloud, and even Whatsapp, despite warnings from the intelligence services that this isn't a good idea. Hypocritically, even GCHQ buy-in services from Amazon. If organisations that absolutely should avoid these security risks cannot resist the economic lure, who can?

There is a clear conflict of interests that companies that supply the systems for private and secure communication also profit from violating privacy and security. Surveillance is Google and Facebook's core business model. The only reliable way to defeat them and their type is not to use their products, or at least to fully root an "Android" smartphone and replace the operating system with something safer like F-Droid and with alternative social media platforms.

A boot stamping…

But ubiquitous location spying is just one random example of the spectacular mess of consumer computing. Let's now talk about "Secure Boot", which is in the news this week as the latest massive tech SNAFU.

"Secure boot" is a ploy by (mainly) Microsoft to ensure that every computer on Earth must run exploitable software. You'll hear other explanations for "secure boot" - such as the ability to stop malware writing to the BIOS. That's handy, In reality though, that problem is solved by a "jumper", a small wire or component costing fractions of a penny. Instead the "industry" invested billions of dollars in an arcane, elaborate scheme of "trusted computing" based on suspect cryptography, to replace a wire that costs a penny. Why would they do that?

Well, it's also a way for "anti-cheat" and digital restrictions code to run on your computer, whether you want it to or not. And to stop you copying what you see on your computer screen. These don't sound like features you requested, am I right? That's because they're feature requests from tech's neighboring trillion dollar industry - arts and entertainments.

Anyone in physical possession of computer hardware can subvert it. End of. Secure boot is a fine idea in some very limited use cases, but as a general principle to replicate into all consumer technologies it's an industry con, what we call a "Fritz Chip" that cedes power to the commercial OS vendors and software-as-service industry.

It puts your computer completely under the control of a remote and hostile company. It provides "trusted computing" for them and does not, unless you have a side business deploying remote servers in hostile locations, serve you (as a regular dude/dudette), and importantly the ostensible owner of the computer.

Last week Bruce Schneier reported on research from a group called Binerly that "secure boot" is completely compromised on almost all systems. In response, the comments were mostly "Good! We own our own computers!". Go away secure boot!

Secure-boot is a solutionist reaction to fixing a security problem that should never be there in the first place. It caters to conditions of extreme mistrust and therefore cultivates mistrust where deployed. This is a perfect example of the "insecurity industry". It is an undesirable computing concept because it brings more security to the powerful while removing security for the less powerful.

Besides, another problem is that computer main-boards even still have BIOS/EFI, now a silly and unnecessary mistake prolonged by industry inertia. People who've built and maintained computers for decades know that the more minimal the loader and the less the BIOS needs to do the better.

Computer scientists and electronics engineers get to build some quite challenging things as rites of passage. In my youth I wired together my own microprocessor (4 bit ALU with three registers and 12 bit address using TTL logic) and a full microprocessor system or "computer" (68000 based board roughly equal to an Apple Lisa - along with a simple operating system and loader for it). Having built, and in the process properly understood such technology, it's my humble opinion that since it worked in the past without any opaque magic, it can work in the future without opaque magic. The inconvenient theory that, anything that has happened can happen, leaves little space for a logical comeback.

Board-level OS is one of those ritual grooves that we are stuck doing because we always have. The root of it is disorder in the hardware industry and betrayal of standards. Egged on by the likes of Microsoft to add "trusted computing" hardware, the PC "mainboard" industry lacks a creative escape plan. In practice many simpler but very powerful "single board computers" (SBCs) completely do without this nonsense and there are hundreds of brands of main-boards that don't have encumbering and trecherous technologies embedded. Nonetheless we are attempting to normalise dangerous ideas, wandering into territory that's hostile to user security in the name of making big business more secure against them.

Perhaps the spectacular failure of Microsoft as a company is the best thing that has happened to cyberscurity for years.

Why are we stuck?

So why do we accept this dynamic? As regular citizens, mostly because we don't know much about it. As engineers, because we get confused about whose control we are supposed to be protecting. As governments, probably because the power seems seductive but there's a lack of education in the political science of why that would be a bad thing.

In part it's also down to a dearth of technical education and the power of dishonest marketing. Technnology is always a market where people will buy things they have no need or use for, no understanding of, but hope might bring empowering magic. That is the push-power of an industry that does not answer to demand. It is also a failure of our legal and political systems to challenge predatory business, dishonest advertising and monopoly.

However, in the name of innovation, we have always taken a hands-off approach to tech, with minimal regulation. That's led to a slowly growing abusive culture. There's a toxic relationship that's grown through habit of non-challenging and taking-for-granted. We now have an industry that feels itself above and beyond the law. We have "consumers" who dwell in learned-helplessness without the courage, knowledge or political voice to fight back.

But the horror show is getting a lot more light shone on it and cracks are now visible due to a slew, indeed an inexorable tide, of spectacular technology failures that now threaten individual lives, small and medium sized businesses and government too.

Digital lemons

It's also because the quality and provenance of software is hard to evaluate. Experts are as pressed as an average person to tell whether software is genius or junk. We don't know what value it will really bring. We don't know where the bugs are. Software quality metrics are as much a black-art as 40 years ago. We are kept on the path of cavalier engineering, to "move fast and break stuff" by the ever-present promise of medical and other scientific breakthroughs that can help humanity.

But have we factored political turmoil and social disintegration into our risk equations as a likely price to pay? Technology is risky ground and you need to look whare you are going. I think we are rather lost in fact. We seem at the mercy of tech hype cycles - blockchains, AI, virtual reality, consuming trillions of dollars and thousands of terawatt hours of energy. Where is the practical upshot? We get unemployment, pornography, and scorching the planet, so that going outside is unbearable; which may all at least cancel each other out if we can build enough homes for people to hide in and masturbate.

In truth, nobody is really sure what they are doing, and so we avoid long term discussion and decisions by deferring everything and moving agency to a future "long-tail" or maintenance phase of hardware and software. The core idea at the heart of so much bad cybersecurity is:

"Someone else will sort that out later"

The trick is to push the security onus and cost onto the end consumer in the form of so-called "updates". Like with climate, it pushes the risks and costs on to future generations… those that will have to clear up the mess caused by short-term profit. Unfortunately there's no "update" for a ruined planet in civil turmoil.

Digital technology is an industry that gets away with a fundamental violation of basic expectations of quality and fitness for purpose more than any other. We call this "software exceptionalism". The technology industry is run by people who think what they do is special - in an almost religiously sincere way. But most are not special. They are ordinary irresponsible people/ hoping to make a buck quick and get out before the fall.

With so many con-artists around, this means tech is a market for lemons in which the base price of all products is basically zero. Because that's the real level of confidence people have in gratuitous tech, despite all they might say. Therefore all profit made is by grift, encumbrances, rents, liens and deceptions laid on top of ostensibly "free" software services. It is not even really a "market" at all.

For about 30 years that didn't matter. People and businesses did not rely on computer software as we do today. In the 70s, 80' and 90s consumer tech products were seen as toys, fads, passing fun and frivolity. Now we put the same quality of software into Boeing airliners that fall out of the sky when it fails.

The tragedy is that we've plenty of smart people around who've devoted their lives to software engineering, quality, formal methods, and digital security. But their professionalism is made a mockery of by greedy corporations, our lack of investment in smaller, local tech, and missing political will to redistribute power on the Internet.

Anyone who looks at the emerging failures in digital tech is bewildered. Not just journalists and politicians, but the experts and programmers as well. The failures behind events like "Solar Winds", "Crowdstrike" and the latest "Secure Boot" issues are beyond belief - in their fundamental stupidity. They prove that we can assemble thousands of the worlds smartest people, but if we give them perverse motives - like putting money ahead of human life - they will fare worse than as many halfwits.

This avoidance of real thinking and engagement can be seen in events like the sham Bletchley Declaration, signed by 28 nations to agree to… "think carefully and have more talks"… about a threat considered by many leading scientists to be more serious than nuclear war.

I am in agreement with Carissa Véliz of Oxford who thinks the summit was an ethical dodge. It sullied the name of Bletchley Park (now within the grubby paws of Facebook after a £1 million "donation") by assembling political opportunists alongside carefully selected experts to give an appearance that governments are in control of the tech industry and not the other way around.

What we saw with Crowdstrike was a fundamental misunderstanding of the concept of ownership. The US National Security Agency have described anti-virus software as indistinguishable from a "rootkit" (the very worst kind of malware). Indeed that's what it is. It's just very dangerous software you allow someone else - who you believe you trust - to install on your computer. Anti-virus and "managed endpoint security" are medicines far worse than the diseases they claim to cure. Sadly we have silently slipped into an age where nobody questions this any longer, but we must challenge and remedy this dangerous mindset.

Solutionism is where we start with a small mistake and build bigger ones in response to it. In drama, that's called farce. The cascade effects in commercial tech have become a kind of farcical "Where's my trousers?" British sitcom. With secure boot what we see is mistakes bolted on top of mistakes in an orgy of solutionism. Layer upon layer of cryptographic staging and signing, and every new link in the chain is a weakness. Most of the motives are unclear. Whose computer is it? Whose property is being "protected"?

It has every hallmark of how security goes bad - because it is unclear - and I believe deliberately so - who the security is for, what it is security from, and what end it serves! A general consensus in the technology world is that it primarily serves the interests of publishers - the movie and recording industry, Sony, Disney, the RIAA and MPAA in the US who represent these powers and dictate to other tech companies.

Calling it out

As I've witnessed it unfold over 50 years this whole sorry saga reminds me of some cautionary tale about a tangled web woven by the boy who first told a little white lie, but then had to tell another to support it, and a bigger lie, and then a bigger one still, until he and everyone else had forgotten what was true and what was false.

That's computing today. Our industry is dominated by greedy and dishonest motives, so;

  • we're not getting the technology we really need to face the existential and economic challenges of our age
  • we are facing a catastrophic complexity collapse
  • we endure nebulous societal harms like damaged mental health, ruined education, widespread depression and disaffection with politics
  • we risk a major takeover/power-shift away from democacy

If human political pride is stopping us from preventing a much worse outcome that's no failure of science, technology and engineering, but a long overdue moral reckoning. The answers here are not technical but moral, and therefore political.

Whatever names we know each weekly tech disaster by… Crowdstrike, Meltdown, Solarwinds, Horizon… as we name hurricanes… they'll still keep coming and keep getting worse.

As with climate, to fix things we must look for the root causes. The sooner we stop pretending these are technical problems and start speaking the truth about the fundamental political problems in cybersecurity, and the issues we have with our consumer computing industry in general, the sooner we can have security for all computer users again, not just the already rich and powerful ones.


Date: 3 August 2024

Author: Dr. Andy Farnell

Created: 2024-08-05 Mon 14:28

Validate