Secrets from "Liars and Outliers for Better Data Security"

Is DIY security worth the risk? Tony Lavinio offers a solution to save programmers from poorly documented open source software and non-existent test suites.

Locking the Door

In the early days of networking, security was at best an afterthought. Passwords were to stop the casual nosy coworker, or to challenge a fellow student’s resourcefulness. It didn’t take long, however, before we realized that real data needed to be protected against those who would steal, reveal or destroy.

Bruce Schneier is an influential computer security expert who began to address this topic decades ago, and he’ll long be remembered for his definitive work on the subject, Applied Cryptography (ISBN: 978-1-119-09672-6). This book taught programmers like me the basics of encryption and protection. From it ​we learned guiding principles and explanations of security technology. Actual examples in code let us see how things were supposed to be used and how they could work together.

Who is That Masked Man?

It’s not always “the bad guy” who is after the data anymore. Foreign government agencies, oppressed citizens, competitors—these all have reasons for wanting either to protect information or to bypass protection altogether. Some reasons are good, some not so much. Often one side’s traitor is the other side’s hero. This is made abundantly clear in Schneier’s recent book, Liars and Outliers (ISBN: 978-1-118-14330-8). Society works because most of us follow the rules most of the time. There are all sorts of contracts that enforce this, ranging from the written legal document to the informal agreements of daily civilized life.

Do the Right Thing

Doing the right thing is a delicate balance, and as individuals we may wander back-and-forth across that line. When is a speed limit a good idea? When your child is learning to drive. When is the law inconvenient? When you’re running late for work. Several sections of the book deal with the delicate balance for individuals between following group norms (thus increasing our reputation) and maximizing self-interest by breaking the rules just ever so slightly (thus losing credibility and damaging future relationships).

The issues scale up and out from there. Someone may be offended by a company’s business practices. Is it ethical therefore to dox their employees or their customers?

While most users will never give any trouble, there are those individuals who live at both ends of the bell curve. This book is an excellent and useful resource for understanding their behavior and their motivations. And large social organizations like governments and corporations have similar behavioral profiles. It’s useful to know where we sit, both in our company and in our culture.

I Volunteer You

So as a developer, you are charged with protecting your systems. Where do you begin? Just as the developer coding the user interface needs the help of interaction designers who themselves model users, in protecting your systems you too need to know what threats to expect. Fake orders? Denial-of-service? Hacking by competitors? Vandalism? Your own ISP inserting ads into your in-flight HTML?

And how will you know if it’s good enough?

There are some risks you can mitigate. Writing your own software from scratch is always an option, but for many jobs it’s just prohibitive. You can use well-tested libraries with source available, or purchase them from companies with good reputations.

You Can't Pay Me Enough

I once heard that to a mathematician, the word “trivial” meant “I think this is easy to see and I don't want to waste my time in proving it.”

It’s similar with programmers, in that once we get something working, the thrill is gone and we want to go on to the next thing. This is one of the reasons there is so much excellent open-source software, but much of it has relatively poor documentation, or nearly nonexistent test suites.

​Lean On Us

At DataDirect Technologies we focus on database drivers. It’s true that for many of these you can find free alternatives. ​However, the costs of using them can include a lack of support, complete documentation or rigorous testing—not to mention that they won't have our world-class performance numbers. We continually look for the things that your particular definition of “bad guy” will want to exploit. We worry about having the right version of OpenSSL. We worry about buffer overflows. We worry about handshakes and encryption. We worry so you can worry about something else, like your business.

Find Out for Yourself

You can find free trials of all of our drivers on our website. For more information or further questions, contact us or leave a comment below.