undefined | Better HN

0 pointsnostrademons8y ago0 comments

The security aspect was an interesting part of this piece, because one of the main reasons webapps took over from Windows apps is because they were perceived as more secure. I could disable ActiveX and Java and be reasonably confident that visiting a webpage would not pwn my computer, which I certainly couldn't do when downloading software from the Internet. And then a major reason mobile apps took over from webapps is because they were perceived as more secure, because they were immune to the type of XSRF and XSS vulnerabilities that webapps were vulnerable to.

Consumers don't think about security the way an IT professional does. A programmer thinks of all the ways that a program could fuck up your computer; it's a large part of our job description. The average person is terrible at envisioning things that don't exist or contemplating the consequences of hypotheticals that haven't happened. Their litmus test for whether a platform is secure is "Have I been burned by software on this platform in the past?" If they have been burned enough times by the current incumbent, they start looking around for alternatives that haven't screwed them over yet. If they find anything that does what they need it to do and whose authors promise that it's more secure, they'll switch. Extra bonus points if it has added functionality like fitting in your pocket or letting you instantly talk with anyone on earth.

The depressing corollary of this is that security is not selected for by the market. The key attribute that customers select for is "has it screwed me yet?", which all new systems without obvious vulnerabilities can claim because the bad guys don't have time or incentive to write exploits for them yet. Somebody who actually builds a secure system will be spending resources securing it that they won't be spending evangelizing it; they'll lose out to systems that promise security (and usually address a few specific attacks on the previous incumbent) . And so the tech industry will naturally oscillate on a ~20-year cycle with new platforms replacing old ones, gaining adoption on better convenience & security, attracting bad actors who take advantage of their vulnerabilities, becoming unusable because of the bad actors, and then eventually being replaced by fresh new platforms.

On the plus side, this is a full-employment theorem for tech entrepreneurs.

0 comments

naasking8y ago

> A programmer thinks of all the ways that a program could fuck up your computer; it's a large part of our job description. The average person is terrible at envisioning things that don't exist or contemplating the consequences of hypotheticals that haven't happened.

I'm not sure programmers are much better. There's a long history of security vulnerabilities being reinvented over and over. Like CSRF is simply an instance of an attack first named in the mid 80s ("confused deputies"). And why are buffer overflows still a thing? It's not like there's insufficient knowledge about how to mitigate them.

And blaming this on the market is a cheap attempt to dodge responsibility. If programmers paid more than lip service to responsibility, they'd push for safer languages.

TeMPOraL8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility. If programmers paid more than lip service to responsibility, they'd push for safer languages.

If programmers paid more than lip service to responsibility, the whole dumb paradigm of "worse is better" would not exist in the first place. As it is, we let the market decide, and we even indoctrinate young engineers into thinking that business needs is what always matters the most, and everything else is a waste of time (er, "premature optimization").

sah2ed8y ago

> If programmers paid more than lip service to responsibility, the whole dumb paradigm of "worse is better" would not exist in the first place.

I used to think like this but I've come to realize that there are two underlying tensions at play:

- How you think the world should work; - How the world really works.

It turns out that good technical people tend to dwell a lot on the first line of thinking.

Good sales/marketing types on the other hand (are trained to) dwell on the second line of thinking and they exploit this understanding to sell stuff. Their contributions in a company, in general, are easier to measure relative an engineer since revenue can be directly attributed to specific sales effort.

"Worse is better" is really just a pithy quote on how the world works and it's acceptance is crucial to building a viable business. Make of that what you will.

1 more reply

jimmaswell8y ago

The prime directive of code made for a company really is to increase profits or decrease costs, though. Most of the time just getting the job done is all that matters. Critical services and spacecraft code are exceptions.

1 more reply

uncletammy8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility.

How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

Also, any programmer will tell you that just because an issue is tagged "security" doesn't mean it will make it into the sprint. Programmers rarely get to set priorities.

btschaegg8y ago

> How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

There's a quote by Douglas Adams pops up in my mind whenever the subject comes up:

> Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.

This is the only explanation there can be for this. Every time there's a breach somewhere (of which there obviously are plenty), there's a big outrage. But those who should go "oh, could that happen to us, too?" choose to ignore it, usually with hand-waving explications of how the other guys were obvious idiots and why the whole thing doesn't apply to them.

This obviously goes for consumers and producers.

collyw8y ago

Exactly this. The last company I was in had a freelance sysadmin and a couple of full time devs. The sysadmin had been banging on for ages that we needed a proper firewall set up. It was only after we thought we had been hacked (it ended up being a valid ssh key on a machine that we didn't recognize), we checked and found at least half of the windows machines were infected with crap. Only then did they get the firewall. We decided not to admit our mistake about the ssh key, as it seemed like it was the only way to get things done.

candiodari8y ago

> How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

https://en.wikipedia.org/wiki/Say%27s_law

In other words, it takes a better alternative to exist. Better can mean cheaper or faster or easier, a lot of things. That can be accelerated by the economic concept of "war" (ie. any situation that makes alternatives a necessity).

nikdaheratik8y ago

I don't think it's about "dodging responsibility" but just an examination of the tradeoffs involved in development. The code we're developing is becoming more transitory, not less over time. How secure does a system that is going to be replaced by the Next Cool Thing in 4-5 years need to be? It really depends on what you are protecting as much as anything.

The incentives for someone to break into a major retailer, credit card company, or credit bureau are much different from Widget Cos. internal customer service web database. What I think the article is missing, even though it makes alot of good points, is that if there's a huge paycheck at the end of it, there will always be someone trying to exploit your system no matter how well designed it is. And if they can't hack the code quickly, they'll learn to "hack" the people operating the code.

pdimitar8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility.

You are oversimplifying. Dunno in what programming area you work (or if it's software at all) but "we work with languages X and Y" is something you'll find in 100% of all job adverts.

Tech decisions are pushed as political decisions from people who can't discern a Lumia phone from an average Android. That's the real problem in many cases.

That there exist a lot of irresponsible programmers is a fact as well.

rtpg8y ago

buffer overflows used to be a thing in all software. Nowadays it's relegated to stuff written in C (essentially).

It used to be that RandomBusinessApp would hit this stuff, now most of it ends up in Java so it might still crash but usually it's mitigated better.

jackcviers38y ago

> If programmers paid more than lip service to responsibility, they'd push for safer languages.

Most programmers want to dio their job quickly and easily, and go home.

youdontknowtho8y ago

i disagree with one premise...web apps werent ever seen as a more secure alternative to windows apps. they were seen as easier to deploy. that was netscapes big threat to MS. You could deploy an app to a large audience easily. its hard to get across how hard things were back in the day. citrix came out as an option as well...same deal. easier to deploy.

people really thought activex was brilliant...until security became an issue. i can remember when the tide changed.

anyway, fair points otherwise. cheers.

pmontra8y ago

Agreed. They are easier to deploy, even multiple times per day. This is one of their selling points even today compared to native mobile applications, which have other advantages.

Another advantage is that they are inherently available across OSes, usually across different browsers (but we know what it takes.)

Finally, they used to be much more easy to develop.

Tldr: larger audience, less costs.

j458y ago

I agree. Web apps were easier to deploy, centrally manage and deliver over desktop, assuming you had a stable connection. In fact it was often hard to get people to run apps on the web because internet was wither slow or ADSL was unstable. SaaS was considered risky.

The true definition of a full stack developer in those days would make today's definition of full stack faint.

You had to know how to setup hardware with an os with your software and databases, often having to run your gear in a datacentre yourself that you had to figure out your own redundancy for, all for the opportunity to code something to try out. Being equally competent in hardware, networking, administration, scaling and developing a web app was kind of fun. Now those jobs are cut into many jobs.

Activex was what flash tried to be.. The promise of Java of using one codebase everywhere.

Seeing webassembly is exciting.

jacquesm8y ago

> they'll lose out to systems that promise security (and usually address a few specific attacks on the previous incumbent

This happens in other areas besides applications as well. Programming languages, operating systems. This leads to an eternal re-invention of the wheel in different forms without ever really moving on.

nostrademonsOP8y ago

Yep. Databases, web frameworks, GUI frameworks, editors, concurrency models, social networks, photo-sharing sites, and consumer reviews as well. Outside of computers, it applies to traffic, airlines, politics, publicly-traded companies, education & testing, and any industry related to "coolness" (fashion, entertainment, and all the niche fads that hipsters love).

I refer to these as "unstable industries" - they all exhibit the dynamics that the consequences of success undermines the reasons for that success in the first place. So for example, the key factor that makes an editor or new devtool popular is that it lets you accomplish your task and then gets out of the way, but when you've developed a successful editor or devtool, lots of programmers want to help work on it, they all want to make their mark, and suddenly it gets in your way instead of out of your way. For a social network, the primary driver of success is that all the cool kids who you want to be like are on it, which makes everyone want to get on it, and suddenly the majority of people on it aren't cool. For a review site, the primary driver of success is that people are honest and sharing their experiences out of the goodness of their heart, which brings in readers, which makes the products being reviewed really want to game the reviews, which destroys the trustworthiness of the reviews.

All of these industries are cyclical, and you can make a lot of money - tens of billions of dollars - if you time your entry & exit at the right parts of the cycle. The problem is that actually figuring out that timing is non-trivial (and left as an exercise for the reader), and then you have to contend with a large amount of work and similarly hungry competitors.

tormeh8y ago

>concurrency models

We started out with OS threads (I guess processes came first but whatever) and now we're trying to figure out what the next paradigm should be. It looks to me like it's Hoare (channels, etc) for systems programming and actors for distributed systems, both really really old ideas. To be fair there are other ideas (STM, futures, etc) that fill their own niches, but they either specialize on a smaller problem (futures) or they're still not quite ready for popular adoption (STM). If this is cyclical then I think we're pretty early in the first cycle.

Sure, the spotlight moves from one model to the other and back, but that's because the hype train cannot focus on many things at the same time, not because the ideas go out of style.

Santosh838y ago

> So for example, the key factor that makes an editor or new devtool popular is that it lets you accomplish your task and then gets out of the way, but when you've developed a successful editor or devtool, lots of programmers want to help work on it, they all want to make their mark, and suddenly it gets in your way instead of out of your way.

Only if it is open source. Seems like Sublime Text (just an example) has avoided this effect... perhaps evidence that open source is not the best model for every kind of software?

mwcampbell8y ago

How do we fix this?

3 more replies

e12e8y ago

> The security aspect was an interesting part of this piece, because one of the main reasons webapps took over from Windows apps is because they were perceived as more secure. I could disable ActiveX and Java and be reasonably confident that visiting a webpage would not pwn my computer, which I certainly couldn't do when downloading software from the Internet.

Indeed. And then we made sure all interesting data (email, business data, code (github/gerrit etc)) was made available to the Web browser - so pwning the computer became irrelevant.

It's indeed like the 90s - from object oriented office formats, via macros to executable documents - to macro viri - and total security failure. Now we have networked executable documents with no uniform address-level acl/auth/authz framework (as one in theory could have on an intranet wide filsystem).

So, yeah, I kind of agree with the author - we're in a bad place. I used to worry about this 10 years ago, by now I've sort of gotten used to the idea, that we run the world on duct tape and hand-written signs that says: "Keep out - private property. Beware of the leopard.".

smsm428y ago

> I could disable ActiveX and Java and be reasonably confident that visiting a webpage would not pwn my computer

Unfortunately, this is not entirely true. There were bugs in image processing, PDF processing (some browsers would load it without user prompting), Flash, video decoders, etc. IIRC even in JS engines, though those are more rare. Of course, you could go text-only, but then you couldn't properly access about 99% of modern websites.

rtpg8y ago

When there would be a bug in PDF processing, you end up with a RCE, right?

But downloading an EXE is basically allowing arbitrary code execution on your machine no matter what. So _even with the security bugs_, webapps are basically safer than installing a native app on desktop, at least in its current state.

I see your point though. There are still a lot of entry points we need to be careful about

pjmlp8y ago

It doesn't help that curl | sh has become trendy.

tinus_hn8y ago

The Javascript security model breaks down in the case of file:///, no overflows are required. The security you get today is more flimsy than you probably think. And it used to be far worse.

j / k navigate · click thread line to collapse

0 comments

naasking8y ago

And blaming this on the market is a cheap attempt to dodge responsibility. If programmers paid more than lip service to responsibility, they'd push for safer languages.

TeMPOraL8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility. If programmers paid more than lip service to responsibility, they'd push for safer languages.

sah2ed8y ago

> If programmers paid more than lip service to responsibility, the whole dumb paradigm of "worse is better" would not exist in the first place.

I used to think like this but I've come to realize that there are two underlying tensions at play:

- How you think the world should work; - How the world really works.

It turns out that good technical people tend to dwell a lot on the first line of thinking.

"Worse is better" is really just a pithy quote on how the world works and it's acceptance is crucial to building a viable business. Make of that what you will.

1 more reply

jimmaswell8y ago

1 more reply

uncletammy8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility.

How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

Also, any programmer will tell you that just because an issue is tagged "security" doesn't mean it will make it into the sprint. Programmers rarely get to set priorities.

btschaegg8y ago

> How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

There's a quote by Douglas Adams pops up in my mind whenever the subject comes up:

> Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.

This obviously goes for consumers and producers.

collyw8y ago

candiodari8y ago

> How many hacks, data breaches, and privacy violations does it take for consumers to start giving a shit?

https://en.wikipedia.org/wiki/Say%27s_law

nikdaheratik8y ago

pdimitar8y ago

> And blaming this on the market is a cheap attempt to dodge responsibility.

You are oversimplifying. Dunno in what programming area you work (or if it's software at all) but "we work with languages X and Y" is something you'll find in 100% of all job adverts.

Tech decisions are pushed as political decisions from people who can't discern a Lumia phone from an average Android. That's the real problem in many cases.

That there exist a lot of irresponsible programmers is a fact as well.

rtpg8y ago

buffer overflows used to be a thing in all software. Nowadays it's relegated to stuff written in C (essentially).

It used to be that RandomBusinessApp would hit this stuff, now most of it ends up in Java so it might still crash but usually it's mitigated better.

jackcviers38y ago

> If programmers paid more than lip service to responsibility, they'd push for safer languages.

Most programmers want to dio their job quickly and easily, and go home.

youdontknowtho8y ago

people really thought activex was brilliant...until security became an issue. i can remember when the tide changed.

anyway, fair points otherwise. cheers.

pmontra8y ago

Agreed. They are easier to deploy, even multiple times per day. This is one of their selling points even today compared to native mobile applications, which have other advantages.

Another advantage is that they are inherently available across OSes, usually across different browsers (but we know what it takes.)

Finally, they used to be much more easy to develop.

Tldr: larger audience, less costs.

j458y ago

The true definition of a full stack developer in those days would make today's definition of full stack faint.

Activex was what flash tried to be.. The promise of Java of using one codebase everywhere.

Seeing webassembly is exciting.

jacquesm8y ago

> they'll lose out to systems that promise security (and usually address a few specific attacks on the previous incumbent

nostrademonsOP8y ago

tormeh8y ago

>concurrency models

Sure, the spotlight moves from one model to the other and back, but that's because the hype train cannot focus on many things at the same time, not because the ideas go out of style.

Santosh838y ago

Only if it is open source. Seems like Sublime Text (just an example) has avoided this effect... perhaps evidence that open source is not the best model for every kind of software?

mwcampbell8y ago

How do we fix this?

3 more replies

e12e8y ago

Indeed. And then we made sure all interesting data (email, business data, code (github/gerrit etc)) was made available to the Web browser - so pwning the computer became irrelevant.

smsm428y ago

> I could disable ActiveX and Java and be reasonably confident that visiting a webpage would not pwn my computer

rtpg8y ago

When there would be a bug in PDF processing, you end up with a RCE, right?

I see your point though. There are still a lot of entry points we need to be careful about

pjmlp8y ago

It doesn't help that curl | sh has become trendy.

tinus_hn8y ago

The Javascript security model breaks down in the case of file:///, no overflows are required. The security you get today is more flimsy than you probably think. And it used to be far worse.

j / k navigate · click thread line to collapse