Security sucks! Part 1: The lightning.
Security sucks! I know. All this authentication, authorization, audit are so damn boring. I hate it myself. I would rather leave in the world where all people are respecting each other, no envy, no hate, no stealing, no crimes.
But we only have our crazy world where we wasting the enormous amount of resources on doing nothing useful except keep the safe locked. For example, the encryption of HDD costs twice more than the HDD itself. But it is nothing comparing to time and effort humanity spending on security systems and at the opposite side, trying to crack it in the useless unbreakable loop. “We would rather implement a bunch of new features that actually make peoples life better instead” that what I thought to but somehow security theme haunts me my whole career ... and that how my story begins.
In the beginning, there was nothing
I’m so old that I was working with the real telegraphs. My first real job was a technician in meteorological department of the Kharkiv airport. I was working with two closed international networks AFTN and WMO GTS.
In the airport there was a bored security guard on entry but inside you could do anything getting and receiving any messages. Physical channels were also not encrypted, “a man in a middle” could do anything. Any cleaner could send any orders, delay a plane, close an airport, reroute flight to the middle of the storm. Looking back, I’m surprised that the worst thing happened was people sending each other fart jokes and birthday cards.
And then the plane crashed near Donetsk.
Everyone was shocked, especially because the reason was the storm and lightning strike. Clearly, my meteorological department was at the center of the investigation. It was stressful, painful and deadly serious. No jokes anymore. We couldn’t find exactly, is there was storm warning, who wrote it, who sent it, when. It turns out in the end meteorology department issued and delivered to the pilot a correct storm warning in time, it was a pilot’s decision to risk and save some fuel and get a bonus.
But this made me a bit paranoid about authentication. You just cannot stop people from doing dumb and destructible things. You never know how hard the lack of security will strike you.
Then I joined the private company with the mission to rebuild the entire Meteo-network of Ukraine, make it modern and secure. We were pretty successful in this area, we’ve deployed 26 regional servers and more than 200 workstations across Ukraine.
But there was the problem, our main customer was a government agency, so they were so regulated by the local and WMO laws that it was practically impossible to change anything there except the hardware. Instead of telegraphs, we were just using computers with modems but without any authentication whatsoever. We were trying hard to convince people to use at least individual accounts and passwords, but the old telegraph-time workflow and regulations were still unchanged. Local system administrators were mostly young students, inexperienced and with no authority or influence and not always cooperative. Everyone was using the same shared password literally written on the stickers, sending open text passwords in emails, etc.
Of course, we were hacked many many times. Fortunately, only by robots, worms, and bored students but few times some fired angry sysadmin destroyed the whole regional data-center. Fun times!
I learned a lot there, the hard way. We made every mistake possible before settling down most security aspects. But the main learning was.
Changing existing security model is extremely difficult and very political, you need very strong political support from the very top. But everybody will hate you anyway, so Do it right the first time!
To be continued…
