Monthly Archives: April 2011

I gave ads on Facebook a shot for my app, WOD. I created a simple ad that links to the Facebook page for the app, which has links to the app and to the homepage, lets me post updates about the app, and lets me interact with users.

I started a month-long campaign, targeted at people who list “CrossFit” as one of their interests, and who aren’t already fans of the page. I set the maximum cost-per-click to $2, and the actual price per click averaged $0.78. The maximum I would spend per day is $5 (nearly every day, this budget got filled). The ad was shown 292,955 times, and was clicked on 160 times. The ad looked like this:

Fans of the page increased by a significant amount: up to 76 fans from a previous 27. That seems like a win.

Did it impact sales of the app? Not one bit. Here is the revenue graph for WOD over the past four months, including last month, when the ads were up (daily numbers, and the 10-day moving average):

There doesn’t seem to be any correlation between the ads and revenue; for part of the campaign, revenue went down significantly. It doesn’t seem worth it, to me, for this domain: I was able to afford about 7 daily clicks total, and it’s not clear if any of those clicks turned into sales — maybe every click was a sale, too, but it’s impossible to know if they did or not. The ads would pay for themselves if only two of those clicks turned into sales.

Do I think the ads made a difference? No. Will I try to expand the campaign, spending more? Nope.

Portal 2 is an awesome game; still short, and some of the puzzles less than satisfying, but it’s a really worthy successor to the original. And it’s really cool that even though I bought a copy for the PlayStation 3, it came with a code I could use so I could also play the game on my Mac, via Steam.

Oh, wait. Well that was presumably the idea, if I could, you know, log in to the PlayStation Network and connect it to my Steam account and what-not, so I could then activate my copy. But nope; PSN has been offline for nearly a week now, after a huge breach of security that likely let someone download all ~60 million PSN users’ account information, including sensitive things like credit card numbers.

So, it occurs to me that this is not a big, public-yet-isolated incident, but rather that this is one of the first in a coming wave of very large and damaging security breaches. Attackers are becoming more sophisticated, at a pace that far outstrips our progress at making systems better and at becoming better programmers.

In fact, I think the industry is making very little progress in making more secure systems, and programmers are not getting any better at writing code. Attacks, on the other hand, keep getting better, since the incentive to do so is so much stronger — the incentive to prevent these attacks is simply a decent salary; the incentive to clean up after the fact is stronger yet, but then it’s more legal mitigation than engineering.

What I’m anticipating, then, is that over the next few years attacks of this scale will become more numerous, as will quiet attacks that you’ll never hear about, unless it’s your bank account or credit card that gets attacked. The thing is, banks and credit cards have relied on small, easy-to-leak numbers for years; now it’s easier to transmit information, especially if efforts to prevent these leaks are few, and are working against the market’s established momentum.

My bank accounts are linked to a number of services I use, so I can pay my bills over direct deposit and not have to worry. Dozens of sites on the web have my credit card number. Dozens have various overlapping bits of personal information. I don’t care about personal information about me getting online generally; I only care if there’s a practical downside for me if it does. If someone sees a photo of me drunk at a bar, well, not a big deal. If someone can gain access to my bank account because some green college graduate only learned how to copy and paste code, that’s something else.

This isn’t even about our best hope for privacy on the Internet — PKI, which backs the extremely important protocol TLS — being broken, but that’s part of the problem too. Most programmers are either lazy, or not smart enough to handle these issues, or both. The brightest hackers are getting better and will have better tools. None of this will change anytime soon. Barriers are hard to erect; they are easier, and funner, to take down.

I don’t think the shitstorm has even begun; Sony and the PSN incident were the first splat.