Since the beginning of 2018 I have been collecting reports of hacks in crypto projects. Over that time, thefts totalling nearly a billion dollars have been reported; the Coincheck exchange alone contributed roughly $500 million to that total. Yet some exchanges still have no two-factor authentication. Financial companies' sites load third-party scripts without any authentication of their contents. The MetaMask browser wallet exposes your wallet address to every site indiscriminately. And the most popular method remains security through obscurity. Perhaps it is even worse: the imitation of security is widespread today, and the NIST summer report partly confirms this.
Today's approach to security does not take human nature into account, which is essentially what the NIST report says (article on the subject). Here are the main problems observed today:
Both reasons show an inversion of logic. Let's look at them in more detail.
The manufacturer of a product is not liable for the consequences of a breach; the worst outcome it faces is paying compensation or going bankrupt. The company's management therefore has no interest in raising its security requirements. At the same time, any user who discovers a hole and reports it risks ending up in the dock. So the question is: what stops the employees of such a company from doing the robbing themselves?
An example: DuPont.
Founded in 1802 in Wilmington, Delaware, USA, DuPont began as a gunpowder manufacturer. Several explosions in the early years of its operation made the company's management aware of how important safety engineering was to the company's success. Management developed a new safety philosophy: on the one hand, the company's top managers were made personally responsible for accidents, and on the other, all employees were required to live on the production site. Occupational safety thus became a personal concern for everyone.
From an article on the INES website
The NIST report states that people are not inclined to memorize complex and frequently changing passwords. Rules demanding complex passphrases made of digits, letters, special characters, mathematical formulas and computing the digits of Pi in your head lead to sticky notes with passwords on monitors. Survivorship bias suggests that knowing why someone survived a dangerous situation tells you nothing about what caused the deaths, and therefore does not help prevent those deaths. In other words, strong passwords that resist cracking are not the way to build a reliable system.
Developers approach the task too formally and shift the burden of ensuring security onto a not very reliable element: the human. As a result, by introducing stronger protection methods, we weaken security as a whole.
Recently I ran into the fact that a site loaded via HTTPS cannot interact over the HTTP protocol, and the browser does not ask my permission to perform such an action but simply refuses to fulfil the request. As a result, I switched to the HTTP protocol, after which two resources are now loaded in an insecure mode.
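The two problems raised above, third-party scripts loaded without any authentication of their contents and HTTP subresources on an HTTPS page, can both be audited before a browser silently blocks or downgrades anything. The following is an added example, not code from the original post: it parses an HTML document and reports http:// subresources (mixed content) and cross-origin scripts that carry no Subresource Integrity attribute. The sample page, its host names and the `sha384-AAAA` digest are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, assumed to be served from https://example.com
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/other.js"></script>
<link rel="stylesheet" href="http://cdn.example.net/style.css">
<script src="/local.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://example.com/page">navigation link, not a subresource</a>
</body></html>"""


class SubresourceAudit(HTMLParser):
    """Collects the subresources an HTTPS page pulls in and flags the risky ones."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlsplit(page_origin).hostname
        self.mixed = []             # http:// subresources: browsers block or downgrade them
        self.unpinned_scripts = []  # cross-origin scripts with no integrity attribute

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe"):
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        else:
            return  # <a href> is navigation, not a loaded resource
        if not url:
            return
        parts = urlsplit(url)
        if parts.scheme == "http":
            self.mixed.append(url)
        # A relative URL has no hostname and is same-origin, so SRI is not required for it
        cross_origin = parts.hostname is not None and parts.hostname != self.page_host
        if tag == "script" and cross_origin and "integrity" not in a:
            self.unpinned_scripts.append(url)


def audit_page(html, page_origin):
    """Return the mixed-content URLs and the cross-origin scripts lacking SRI."""
    parser = SubresourceAudit(page_origin)
    parser.feed(html)
    return {"mixed_content": parser.mixed,
            "scripts_without_integrity": parser.unpinned_scripts}


if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "https://example.com"))
```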
When I build a security system in my head, I lose to the attacker unconditionally: the number of elements that need adjusting, disabling or extra development is simply too high. I have no idea how some components of the operating system work, and I do not know how to determine whether they are working correctly, who made them, whether they have been replaced, and so on. Because of this I sometimes get impostor syndrome. Have I really set everything up right?!
I downloaded the CIS Distribution Independent Linux benchmark. It is a compilation of Linux configuration guidelines: 317 pages covering over a hundred potential vulnerabilities. While reading it, a question came to mind: how many developers even know this document exists?
The Information Security hub is in second place on Habr (twice as popular as Programming!). Is this a consequence of concern about security, or is it a kind of talisman? Do you feel confident in the field of information security?
Source: https://habr.com/ru/post/349320/