Security is overrated

Charlie Stross has made a little list of where computer science went wrong:

I’m compiling a little list, of architectural sins of the founders (between 1945 and 1990, more or less) that have bequeathed us the current mess. They’re fundamental design errors in our computing architectures; their emergent side-effects have permitted the current wave of computer crime to happen …

Let’s not quibble about the examples Charlie gives, but assume that he is right to say that these are what makes computer crimes of all sort possible. But does it matter? Or should we just look at computer crime as an unfortunate cost of actually being able to do something useful with computers? Of the six specific “sins” Charlie mentions (von Neumann architecture, String handling in C, TCP/IP lacking encryption, The World Wide Web, User education and Microsoft) at least three are the way they are because that’s what made them useful in the first place. Von Neumann architecture, where data and code are stored in the same memory and can be freely mixed made it much easier to program computers, hack them to do all kinds of tricks and squeeze the most out of limited means — not so important now perhaps, but very important even a few decades ago. TCP/IP being simple and largely unsecure makes it easy to setup and use; it’s a “good enough” solution to the problem of coupling disparate computers and networks together. The World Wide Web is again something that worked from the start and could evolve itself towards ever increasing complexity, as the hackability that does make it vulnerable to attack also meant it could be extended quite easily to scale up and deal with new demands.

Even Microsoft, evil as it is and crappy as much of its software still remains, is the way it is because it has consistently tried to give people useful hacks rather than properly designed vapourware. Ironic as it is, I’ve always had the sneaking suspicion MS DOS and Windows did as well as they did because they were so open and easy to hack around in compared to their competitors.

As Charlie admits, the most secure mainstream computer today is perhaps the IPad, in which basically you can only do what Steve Jobs allows you to do: a consumer device like your television more than a real computer. Any fule knows that security comes at the expense of usability: the more secure a computer the less you can do with it, certainly the less you can use it in unexpected ways. The other side of the medal is that with increased freedom comes greater vulnerability.

On the other hand, even if the right choices had been made way back when, does anybody doubt that with our reliance on computers and the internet in our daily lives and businesses, computer crime would be any less? You use something, it will be abused.