Thread: So, tell me about the interwebs

  1. #1
    Join Date
    Jun 2010
    Location
    Dot in the Pacific
    Posts
    195

    So, tell me about the interwebs

    So now it's Spectre and Meltdown (https://www.technologyreview.com/s/6...security-hole/).

    But this just seems to be the latest in a never-ending security flaw fix-it quick ingrained in the internet and digital information exchange as a whole.

    Some years ago I decided managing my own server for business was a good idea to save money. I quickly realized that 1) bad idea, but also that 2) a large part of the internet seems to be held together by eBubble-gum and eDuct-tape. It's just one fix laid on top of the other, with few real changes to the original system aside from adding something on. Sure it will work, but at the cost of an ever more complex (and ever weakening?) structure.

    My question is: For you IT professionals or IT theorists or whatever, do you think we will get to a point where the overall complexity of the internet in its current iteration will lead to a total breakdown or bottleneck?

  2. #2
    Join Date
    Apr 2012
    Location
    Miami, Florida
    Posts
    17,041

    Re: So, tell me about the interwebs

    Engineers build hardware or software, a-holes find ways to exploit it, and engineers build patches or fixes. It's just the way the internet works. Always has and always will. Software isn't like physical structures though. When you apply eDuct tape, you're not just layering on a fix, like tape to hold a bumper on a car. In most cases, you're closing the hole or preventing the exploit so the software behaves as if it was never there. The internet is such a massive collection of servers, different specs, different owners, different locations, that it would take something unfathomable (IMO) to create a total breakdown. Now a huge bottleneck is possible, particularly as large chunks of the internet get consolidated with the top-tier cloud vendors. Last year Amazon AWS had a big outage and it brought down a relatively massive collection of sites (but not really that many globally). Once they figured out the issue, things came back online quickly.

    I'd also say that the rate of technology development, both hardware and software, is so quick that servers or software that had a collection of patches will likely find their way to the trash heap in a few years, so it's not like the cumulative effect builds too long. In most cases, at least.

    I'll caveat this with the fact that I'm a software guy, not a hardware guy. Hardware guys may actually use real duct tape to fix servers.

  3. #3
    Join Date
    Jun 2008
    Posts
    3,692

    Re: So, tell me about the interwebs

    This isn't an Internet thing, it is actually a pretty slick exploitation of advanced processor design for speed in terms of branch prediction and out-of-order execution. If for further speed you don't clear the results of bad prediction or speculative execution, somebody that trained the predictions can inject their own stuff and can have fun. Pain in the ass, but you have to admire the skill.

  4. #4
    Join Date
    Apr 2009
    Location
    Casolare alla Scala
    Posts
    1,497

    Re: So, tell me about the interwebs

    ^^yep. And *everything* depends on speculative execution for any kind of speed, and those branches need access to kernel memory for any kind of speed, so I don't think anyone will be free from similar exploits in the long run, even if this particular method is Intel only.

    Security is always about how much speed and convenience people are willing to give up. If user space must never touch the kernel (or even the hypervisor) then instantly everything is half as fast as it is now. If we want to implement a true decentralized encryption system (because the current SSL cert system is total Swiss cheese) it's going to be an incredible pain in the ass.

    The final straw though was when Torvalds' young daughter "Daniela calls me from school, because she can't add the school printer without the admin password."
    Yeah, but printer drivers get really low level access. Would be an easy attack vector, so requiring root isn't totally stupid, it just kind of makes the computer useless.

    So things will always sit at an equilibrium, where things are just hard enough, and the amount of data too large, for anything major to happen. (Note: major data breaches recently have been about stupid people, not technical exploits) but things will always be just a little insecure. Think of it like locking your bike. Don't leave it unlocked. A cable is probably ok if you're just getting coffee (and can't really carry a 3lbs u-lock), and nothing will survive someone with an angle grinder and an hour free.

    At least until quantum computing can successfully factor huge primes. Then everything is fucked.

  5. #5
    Join Date
    May 2008
    Location
    DC
    Posts
    30,216

    Re: So, tell me about the interwebs

    Not really. I believe it will get infinitely more simple. Think about some broad strokes which are our current state of affairs. If you wish to protect your little corner of the interwebs then congratulations, you now have a full staff of internet security engineers, IT techs, and overtime pay to manage (even if that "staff of honch techs" is just yourself). Stovepipe instances do not make any sense; however, it's what we like to do, as it appeals to our need for control / ownership. I'm guilty of that in spades.

    You are on point WRT how difficult it is for any one person to manage an internet-connected instance (server, storage, app...whatever) without dumping massive amounts of time and resources into it. The result is a never-ending chase for uptime. Good luck with that.

    For the time being my personal answer to this is to farm it all out to someone who also has near "just in time" data restore capabilities and extremely paranoid access points. What I'm describing is nothing unique; in fact, VSalon runs on such a setup. It's the best I can do for now.

    The next move for you and me will be, I think, yet another even more paranoid and well run provider who is able to do our bidding at the right price because so many of us are in the same boat.

    Welcome to crypto-cyber computing brother.

  6. #6
    Join Date
    Jun 2008
    Location
    Boston, Massachusetts, United States
    Posts
    9,905

    Re: So, tell me about the interwebs

    The Internet has, in many respects, an awful lot of redundancy built in. The fundamental transportation protocol is one example.

    But there are definitely some vulnerable single points of failure too. So parts can fail. That can take down domains or simply slow major parts of the network.
    GO!

  7. #7
    Join Date
    Jun 2008
    Posts
    3,692

    Re: So, tell me about the interwebs

    I think this sums it up well.

    https://xkcd.com/1938/

  8. #8
    Join Date
    Oct 2012
    Posts
    11,386

    Re: So, tell me about the interwebs

    The internet is actually quite a simple thing.

    And this is probably the main issue. We rely on decades-old protocols which were created at a time when all interconnected parties were friends and security wasn't really taken into consideration, for good reasons, and we added layer after layer of additional protocols to make it safer.

    Now those Meltdown and Spectre flaws are another thing. The main issue is in the hardware and the software won't be enough to fix it. All patches released are only mitigation workarounds.

    There is still a relatively simple, reliable and secure way to have an online presence: hosting static content. Sure, you can't run a web forum or online shop with static content, but a personal space, blog or new site can be updated at home then synced to a web server. Backup is actually quite simple as the whole thing is made of flat files. You need to be a wee bit more tech-savvy to use them than, say, a WordPress website, but you are not forced to write your HTML files manually. There are myriads of frameworks made to simplify the task using markdown languages. Jekyll is probably the most popular one.
    Last edited by sk_tle; 01-08-2018 at 03:21 PM.
    --
    T h o m a s

  9. #9
    Join Date
    Jun 2011
    Location
    Seattle
    Posts
    570

    Re: So, tell me about the interwebs

    Originally posted by Tom:
        I think this sums it up well.

        https://xkcd.com/1938/

    Along the same lines: Programming Sucks
