Safety in Insecurity

avatar

Yesterday, there was a little bit of a global "event" as an update from a cybersecurity company caused windows systems throughout the world to crash into the dreaded bluescreen of death. This third-party installation caused chaos as all manner of companies had to shutdown their systems, with banks, airlines and hospitals, and just about every other type of industry unable to operate.

Many are saying that it is like a test-run of a global hack.

image.png

While this might be true, I tend to think that what it actually does is highlight the dangers of centralization, monopolization, and widespread reliance on single-source systems, like Microsoft, to cater to all of our needs. One of the problems with being too successful in business, is similar to the problems of inbreeding amongst humans, where the more homogenous the parental DNA is, the more risks, or more weaknesses in the offspring.

We might not think about this too much, but of course it should be pretty obvious that when a business is going to be profit driven, savings will be made through sharing assets. Not only this, because we are seeking increasing convenience and ease of use, these corporations are going to of course share code across their networks, and the larger ones will demand the smaller providers follow suit. This means that all of the pathways are linked and similar, which means that if the right kind of vector is found, it will affect all environments.

The other day, the friend we stayed with was saying how convenient it is that everyone in his family is on Apple products, because it means that everything syncs up easily. This means that the apps are generally better, because they are designed for a far narrower ecosystem of technology, so they are smoother, more stable and less buggy across devices, as the infrastructure they are built for is standardized to the Apple tech, meaning far less coding conflicts. This also makes it cheaper to design and test new software for the providers.

Looking at this from a risk point though, it also means that if there is one bug, it is likely that all devices in the household will be similarly affected, which could leave the entire household almost literally, in the dark. And, while not as acute, this is kind of what happens at the global level, as there is continual homogenization of tech to follow a narrowing line of code. Even a lot of the new AI companies are leveraging a small (but growing) group of AI models, which means that they are all prone to the deficiencies. All most are really doing is pointing the same tool at a different problem.

And the problem with decreasing the source we draw from, is that increases the risks of calamity and the impact it makes when it inevitably happens. As I was saying to my friends who visited last night in regards to the Crowdstrike outage, is that what it highlights is that there is no such thing as real security. Eventually, everything that is safe, becomes unsafe in some way. The most secure way to approach security is of course, to recognize that it doesn't exist, so it is all about risk mitigation. Centralization stores resources in the same spot, so a potential fire wipes it all out - decentralization stores it like a squirrel, where there might be a lot of wastage through lost nuts, but there are always nuts spread out in many locations to draw upon in need.

One of the friends brought up that we are due a large "Carrington Event" with the last being in 1859. It is a large geomagnetic storm and over a hundred and fifty years ago, it set telegraph stations alight. Obviously at that time in history, there wasn't a lot of electronics about, but if it were to happen again, what happens to all that we rely on when those transformers fry in the radiation? Supposedly, Finland is one of the most prepared for it in terms of the tech in the EU, as a lot of the transformers have extra shielding, but it matters little if most of the world burns.

This is one of the problems with globalization, because what it ends up doing is homogenizing pretty much everything we find important. Because information is now so available and shareable, news and trends sweep across the globe in moments with very low cost in distribution or uptake, and it affects our individual thinking and our localized and regional cultures, bringing them more in line with others. Social media doesn't connect people, it conditions us to be more alike to others in the groups of our choice, creating increasingly large buckets to target with advertising and messaging.

It is far more convenient and profitable for corporations that we think the same, because it allows them to reduce their offerings and slowly consolidate and squeeze out competition, which allows them to consolidate their own business more, creating increased risks of these kinds of events, and the impacts of hacks. For instance, there was a hack in Australia this year where 13 million people's personal data was exposed, which is half of the entire population of the country.

Centralization creates a big and valuable target to attack.

Whatever it is, at some point we are going to learn a very costly lesson in risk management as we will discover that large parts of our existence are very vulnerable. It might be a poorly executed update to a piece of software or a cyberattack. Or it could be a hack of some government agency. But, it could also be something like the corona virus, where out of fear, billions of people were given the same set of drugs without knowing the long-term affects of them. We have no idea if the next virus will leverage something in Pfizer, or Moderna or the handful of others and target those who were vaccinated specifically. And, we won't know any of this until it happens, whether that be next week or in a decade from now.

It is impossible to tell.

Diversity is the way mother nature copes with risk, by creating a large range of organisms with the goal to survive, without caring which ones survive, or for how long. Nothing can kill nature, because nature is eternally patient and absolutely resilient, because it has "unknowingly" accepted that change is the only thing guaranteed, so everything will change.

The more we homogenize, the more we identify with what we are and what we have created, and the more we will fight for it to stay the same, because it is convenient for us to do so.

It is also more profitable.

Until it isn't.

Taraz
[ Gen1: Hive ]



0
0
0.000
34 comments
avatar

Centralizing tech makes things easier but also increases the risk of big problems when things go wrong. Well said brother, hoping for decentration to take over one day

0
0
0.000
avatar

It was interesting yet scary to see what all was crashing. The party is mostly used as company security and boommmm...airports hospitals and other big stuff...i thought was the hack of haaks initially.

But indeed...most of all it was the eye opener to see how dependent we have made ourselves in everything. Worrying at least to say...

0
0
0.000
avatar

According info I heard, if the geomagnetic storm were to happen the world will go back to the ages before we had electricity. That's somehow similar to what can happen when we rely heavily on centralized tech, few or no alternatives to fall back on when trouble hits. I hope that changes soon.

0
0
0.000
avatar

I think it was a pre-message to humanity about how it would be during a disaster or war. We are too dependant on them...

0
0
0.000
avatar

Multiply it by about a thousand times and it might get a bit closer to the future reality.

0
0
0.000
avatar
(Edited)

The fact that most companies are using AWS or Azure cloud is highly horrifying from a risk standpoint. Even something as amazingly decentralized like Hive was still subjected to the CloudFlare outage a couple of years ago (the Hive blockchain wasn't affected but all the frontends were).

Again, this comes back to my constant commentary about the dangers of public companies pushing for ever increasing profit every quarter. Shareholders don't care about risk generally.

0
0
0.000
avatar

Shareholders don't care about risk, but they want their losses protected by taxpayers, and the banks want bailouts.

0
0
0.000
avatar
(Edited)

It usually becomes a problem when we become too reliant on a particular source.
I feel we rely on them too much
If things go wrong, we may be in trouble cos there may no be other means or it may be too late

0
0
0.000
avatar

I guess this also highlights the value of competition. Crowdstrike is supposedly one of the best security providers in the industry, and the large number of companies worldwide affected by this attests to it. If there are more competitive companies that offer these services, we might have seen less affected.

Seeing the workaround and how it can only be done manually is a nightmare for a lot of IT support.

0
0
0.000
avatar

Competition for sure is an issue. But, the way business works these days tends to reduce competition through consolidation. The big eat the small.

0
0
0.000
avatar

Yeah, and we saw one of the risks of that.

0
0
0.000
avatar

I would like to clarify that the problem did not only occur with computers (servers) whose operating system is Windows, but also with servers running Linux platforms.

The source of the flaw was not Microsoft, it is a company that sells its cybersecurity services (CrowdStrike), a mistake made in an update, as happened in 2010 with MCafee in the hands of George Kurtz. It was not a Microsoft bug and did not affect all Windows computers.

A critical system “should never have automatic updates…” Delmonting. More than a human error, it is a software process error. The quality process failed and in the next few days we will know who literally had their heads cut off, because of the million dollar loss the company suffered on Friday in the stock market.

0
0
0.000
avatar

The source of the flaw was not Microsoft,

I didn't say it was a microsoft flaw.

0
0
0.000
avatar

From what I hear, it was a pretty easy fix to get things back up and running. My servers shouldn't have been impacted because I declined to install crowdstrike when I had the chance. Many people are pointing to this opening the door to new attack vectors for potential nefarious actors.

0
0
0.000
avatar

Yep, it could have been a lot worse. There are always many attack vectors, but the more who have it open, the bigger the impact of a single attack.

0
0
0.000
avatar

It is a large geomagnetic storm and over a hundred and fifty years ago, it set telegraph stations alight. Obviously at that time in history, there wasn't a lot of electronics about, but if it were to happen again, what happens to all that we rely on when those transformers fry in the radiation?

Probably then I will get the old battery-powered radio out of the attic and live for a while like my grandfathers did in the first half of the 20th century.

0
0
0.000
avatar

I am not sure that would even work :D

0
0
0.000
avatar

Good afternoon my brother. Greetings to you today.

0
0
0.000
avatar

Added a lot of value to the topic with this comment.

0
0
0.000
avatar

Nicely written. I totally agree with you a lot of problems centralization brings out weighs the cost of operating a decentralized system, no doubt a virus to one is a virus to all which is creepy as it is, decentralization is difficult is handle as more hands are involved and is a lot harder to control but still the benefits is uniqueness beyond our very expectations.

I do understand the other people's argument to an extent, because not being in control sucks really, not everyone got good training to improve their EQ, which should be the focus of this generation as well as growth all round because try to not unlearn and learn new things is the core cause of Centralization. Thanks for this fine read.

0
0
0.000
avatar

Decentralization is far less optimized in organization of resources, but also carries less risk in other ways. It is a trade-off. What we do know is that centralization of power corrupts, and that in itself is a massive risk we should be looking to avoid.

0
0
0.000
avatar

what it actually does is highlight the dangers of centralization, monopolization, and widespread reliance on single-source systems

J's work was affected and when he told me about it this was pretty much exactly what I thought. First thing I said when he was describing the scenario was "single point of failure" (stating the obvious because he thought the same too).

And by the same token can't deny the convenience either, as with your friend with the Apple products, I had all the kids on iPads/iPhones at one stage because it was stupidly, mind numbingly easy for me to do parental controls and location sharing and all of that and especially at the time of having multiple young children I just needed some things to be easy.

we're now in the process of trying to switch everyone to linux and to think more about this sort of thing, but it's HARD when all everyone wants is the easy thing that just works because there's an infinite amount of infinitely better things to think about/do and no one wants to think about the inconvenience of how catastrophic a single point of failure is because "that's not likely to happen"

0
0
0.000
avatar

I didn't mention it in the post, but I have a dual-sim phone which has my private number, and my work number. It was good, because in the very rare occasions the internet stopped working on my number, I could switch to the other sim as it was on a different operator. Unfortunately, they recently changed the company one and now they are the same operator.

I have never got comfortable enough with linux to use it for anything real :D

0
0
0.000
avatar

It can do most things that most people would want to do these days, think the hardest part is always going to be the desire for familiarity/specific type of workflow/apps.

0
0
0.000
avatar

It is very odd because we got through the entire day without seeing any impact from the outage. No banking issues, no challenges at the stores, nothing.

Things seem to be in a vicious circle between our demanding convenience and business looking to make profit providing it.

0
0
0.000
avatar

Finland saw nothing as well, as it seems crowdstrike has next to know penetration in the market here.

0
0
0.000
avatar

I guess our country saw a lot of disruption, but I personally didn't experience any.

0
0
0.000
avatar

Centralization is never good. It's a huge point of failure and I don't exactly like it. It's better to have multiple different companies as not everything will go down. It reminds me of how people talk about Youtube. It's the largest place for videos by far. However, the smaller alternatives are good because the option exists. People just don't cater to the smaller stuff because it's hard for people to recognize it and they don't use it as much.

0
0
0.000
avatar

And, the more power one platform gets, the more controlling and the less freedom users and creators receive. Some creators will of course make huge gains, the majority will get nothing.

0
0
0.000
avatar

It's so incredible that so many companies are linked back to the same root vendor. I guess it was a good test of most companies' business continuity plans and I am just glad I didn't have a flight to catch on that day.

0
0
0.000
avatar

It's so daunting when you realise just how many platforms were affected by this. I had a doctors appointment that day, and the whole thing ran old school - pen and paper for the notes, etc. It was bizarre. And scary. People were saying it was really a Cyber Attack, and it makes you wonder...

Thanks @tarazkp - hope you and yours are keeping well!

Annabelle 😊

0
0
0.000
avatar

This is now making it feel like we’re going back in the days where there was no internet connection and all sorts of things
Well, that didn’t affect us here in Nigeria

0
0
0.000
avatar

Well that was quite a huge rabbit hole of a conversation, but something we definately need to consider and address.

The entire reason robbers rob banks is because everybodies money is there. It is an attractive Honey Pot, where the prize is lots of money. Banks are clearly a societal weakness, which has bred security solutions, but these solutions don't prevent bank robberies.

The same goes for centralization of software, it creates an attractive honey pot, where the reward is not money, but fame and chaos. Which is seeming are more valuable to certain segments of society.

We create security solutions, but they don't stop the hacks. This again is a recognizable societal weakness, which we are doing nothing about.

I think that we could easily convince society that diversification is needed for security, and if we could somehow promise interoperability, without an interdependence creating a Honey Pot, society would go along with it.

But as you mention, centralization, like monopolization, makes people rich and powerful. And they are not afraid to use their wealth and power to destroy those who threaten their monopoly.

I am afraid that unless we figure out how to decentralize MicroSoft highly distributed products, the world is doomed.

This CrowdStrike was just a warning tremor, the real earth quake is coming.

0
0
0.000
avatar

a test-run of a global hack.

I wouldn't bet against it, but gosh did it cause some problems. I was away in the woods camping most of the weekend, so I barely noticed and my Sunday flight left no problem!

we are due a large "Carrington Event"

Tell your buddy not to put that kind of energy out into the world. Not in my lifetime please!

0
0
0.000