Date line: 20 July 2024… (da-da-di-da… <teletype noises in the background>)
Yesterday’s dramatic “failure” of the Internet was because of a faulty update. Not because of a terrorist attack, or because of a junior wanna-be hacker… but because of a “legitimate” update.
The Super-Duper-Supreme irony here is that it was an update for a cyber-security software package, used by more than half of the [so-called] fortunte 500 companies. I find that deliciously ironic.
I’ve been saying for years — decades, really, that cyber-security is smoke and mirrors, 90% illusion(1), and I have often pointed out the fallacy of constant updates, frequently and almost frivolously handed out willy-nilly with only minimal testing and little regard to consequences.
It’s long past time for the computer industry to grow up. Long and long past time. The entire Human Race is now so utterly dependent on these computer thingies… software is very serious stuff. No longer just a quick and easy way to make a few mega-bucks.
Hosptals, Airports, Postal Services, FedEx… shutdown?
Billboards in Times Square went dark because of this? I find that very hard to explain. Why would a billboard need cyber security? Surely they did not hook those up to the Internet… that would just be inviting hacking of them. Also needlessly complicated. Silliness. Irresponsible silliness.
Disney guests locked out of their rooms? That must have been really chaotic for the hotel staff. But again, the rooms are on the Internet? What stupidity is this?
Krispy Kreme gave away free donuts. Well… I guess that fixes everything. 🙂 But good on them! A rational response, that.
It’s time for the computer industry to STOP frivolous updates. Any package that updates more than four times a year is not thinking things through correctly. Save your improvements and bug fixes for one larger update. TEST IT THOROUGHLY, over and over, and then put it out to only a selected few customers for a minimum of two weeks before general deployment. Test, test, test and then still know that you haven’t found everything. (That’s how software is — it is impossible to write even a single line of code that can be proven bug-free. That’s a fact, dang it.)
Consider that yesterday was a trial-run for what might yet happen in a Big Way(2). Further, yesterday was not a big failure, believe it or not. It was a simple, one-day thing. There are scenarios around software updates that are far, far scarier.
Ask yourself, why the blazes are hotel doors hooked up to the Internet? No reason, none at all (I happen to know a bit about Hotel security… though nothing about how Disney does things. I can think of no possible justication for a security update to have locked guests out of their rooms.)
The ONLY WAY to keep an electronic system safe is to not
hook it up to the Internet or to remote operation of any sort.Â
Want to keep it safe? It’s simple — pretend it’s still 1980.
Many of yesterday’s consquences are the result — not of a bad update — but of a failure to plan for such an event by all those organizations. If you have systems that are so utterly dependent on a vulnerable automation layer(3), then you must plan for whan it fails. It will fail — impossible for it not to. What do you do then? You must have backup systems and alternate procedures and practice with them from time to time.
Anything else is unethical and a failure to do your jobs.
Consider How many grocery stores can’t function during a simple power failure? Irresponsible, that is. Bad business, even.
Read some Michale Crichton, for Pete’s Sake — the inevitability of
complex Human systems failing was a major theme in his work.
West World, Jurassic Park and Andromeda Strain in particular.
Don’t any of you read?
So there…
[30]
(1) Actually, all security is smoke and mirrors, based mainly on the putting in place systems that are difficult to get around only because other people don’t know how to get around them, not because there isn’t a way to get around them. Security systems are based on ignorance, then, and that’s all. Secrets, unpublished procedures and such. Go figure… Also, get used to it, and just relax. Give up the security frenzy / addiction: you’ll live longer.
(2) Like the Co-Vid lock down had been said by some to have been no more than a trial run, an exercise, for when “the real thing” finally does come along. Hopefully that doesn’t happen, the real thing, that is, but frankly simple biology and simple sociol psychology both suggest its inevitibility. Just as a moderate dose of logic predicts massive automation failures are similarly inevitable. Yesterday’s event was not it, not yet.
(3) “Vulnerable automation layer” is practically a redundant phrase. Given the state of the art of the technology, if it’s on the Internet in any way at all, then it’s vulnerable. Period. No matter how much security you put on it. In fact, the more security you put on it, the more things that might go wrong. B*A*L*A*N*C*E is the key, in this and in many things. (So there.) But you must plan for the failure of these things. You must maintain alternate methods of continuing to do your job. (Again, so there.)