LAS VEGAS–The past couple of decades have seen a tremendous wave of technical innovation that has made powerful computing resources and devices available virtually everywhere on the planet. But underneath all of the shiny exteriors lies an ever more complex pile of software that is increasingly difficult to understand, let alone secure.
This has rarely been more evident than in the last couple of weeks, as cloud outages and cascading failures have demonstrated just how interconnected and fragile the global ecosystem is. Stack upon stack upon stack of software has made it difficult for even the smartest folks in the technology community to understand exactly how a given system or service actually works and what all of the dependencies and potential weaknesses might be.
Moxie Marlinspike, the creator of Signal and a renowned security researcher and cryptographer, said in his keynote speech at the Black Hat conference here Thursday that one of the downsides of the massive software boom is that quality has decreased over time.
“We see a lot more stuff over time but a lot of it is mediocre or schlock. In complex ecosystems like computing there seems to be some ongoing relationship between the quality of the tools we use and the quality of the output we create. The better we understand stuff, the cooler stuff we can make with that stuff,” he said.
“Engineering organizations have ballooned in size but even with all of those people sitting in front of computers eight hours a day, every day, forever, these organizations don’t exactly have a reputation for high velocity output. Vision and engineering are entwined and both of them need to inform one another.”
One line of thinking in the early days of the web and the tech boom was that some of the new tools companies were building would bridge the gap between people who understood computers and those who didn’t. Things didn’t quite work that way.
“We imagined that we were going to develop these powerful tools and then teach everyone to be like us. That didn’t happen,” Marlinspike said.
While the ever-increasing complexity of software and systems isn’t necessarily good for reliability or usability, it presents an opportunity for people in the security community who have spent their careers working to understand how those systems work at the deepest levels and looking for ways in which they might break. Understanding those potential failure modes and anticipating how they may affect users and other systems is a specialized skill that can only be acquired through long experience, and it is one that is needed more than ever.
“Understanding is at the foundation of all security research. Security research is almost the inverse of what I’ve been talking about. It’s the process of looking through abstractions and trying to understand them even better than the people who built them,” Marlinspike said.
“We look for ways those systems can yield unexpected outcomes. Without knowing it, the people in this room have inherited the earth. You all are the ones who have been sitting in the library learning the spells to understand how the world works. Look at the things you understand really deeply and the world around you and see how they can be applied to that world.”