IT security staff have a job for life – possibly a grim, frustrating life

Speaking at the opening of the 18th Black Hat security conference, its founder Jeff Moss warned the assembled throng that while they might have job security, they weren't going to have fun in the next decade. "We are all employed for life," Moss said. "It's interesting, I see problems and challenges and on one hand am really …

  1. Salts

    Must be late

    "software piracy was legal, as was tinkering with hardware. Both are now illegal"

    I assume we mean tinkering with someone else's hardware is illegal, otherwise Arduino, RPi & the IoT are all f***ed, or is it just late and I missed the point.

    1. Dan 55 Silver badge

      Re: Must be late

      I think he refers to closed platforms, like stores ending up in court for chipping consoles, people publicising hacks which open cars, and every so often someone who was going to give a talk in a security conference and inexplicably pulls out.

      1. Salts

        Re: Must be late

        @Dan 55

        Must be, but I did not think that hacking hardware in the UK was illegal, if you own said hardware of course, I know the USA makes it illegal to circumvent encryption at the hardware level.

        1. diodesign (Written by Reg staff) Silver badge

          Re: Re: Must be late

          The point it was trying to make is that the software and hardware industries have clamped down over the years on curious-minded people reverse-engineering proprietary products and exchanging information on what they've found.

          Obviously 'open' things like the RPi are there to be tinkered with. And if you crack open your no-name Ethernet-to-USB print server you bought for 10 bucks from eBay, and reverse-engineer the firmware, no one is going to know.

          But, as the person who leaked the Impero encryption key found, vendors will throw lawyers at you if you go public with proprietary information. It's a tricky subject that can't be summed up in one sentence, so I've killed the line from the article.

          C.

  2. nilfs2

    Only with software

    Software is the only product that you buy broken and then have to pay a periodic fee to get it fixed gradually. Once it is stable, a new version comes out and forces you to drop the one you have working properly to buy one that is broken again, and the cycle repeats.

    1. Anonymous Coward

      Re: Only with software

      Are we talking about Windows 10 here?

      1. ckdizz

        Re: Only with software

        I think most people got Windows 10 free.

        Actually, they got it free only if they don't have to reinstall it after July 2016. Then you have to buy a new key.

      2. Doctor Syntax Silver badge

        Re: Only with software

        "malle-herbert"

        No we're talking about software in general. Some things are more important than Windows.

    2. Destroy All Monsters Silver badge

      Re: Only with software

      Software is the only product that you buy broken and then have to pay a periodic fee to get it fixed gradually

      It depends.

      I know a few vendors who will sell you software that has a fat chance of being "not broken", for some collaboratively agreed-on values of "not broken". The downside is that it is rather simplistic and won't fulfil desires for glitz and swag. And unless you are a Known Name, your VISA card is not going to take the price tag either.

  3. elDog

    The most important point is - companies must guarantee their products

    "Software liability need not be punitive, but there must be some way to get companies to take responsibility for their flaws, Moss argued. Without that, nothing in the industry will change."

    If the fault is that their software was not sufficiently hardened then the vendor should be sued to the extent of the damages.

    If this is applied broad-spectrum, it would mean that an application that didn't properly vet buffers for overruns and subsequent code execution could be sued.

    Same for containers, VMs, commercial libraries/DLLs.

    Same for OS vendors and hardware donglers. Same for routers and other peripheral products.

    If there is an open disclosure in the T&A (not tits-and-ass) that the vendor is not responsible for any faults in its products, then that's fine. But let's watch them go out of business (maybe except Oracle, MS, etc.)

    If the product is completely open source and the user agrees that they are responsible for the use of said product, no fault.

    1. Synonymous Howard

      Re: The most important point is - companies must guarantee their products

      I make it a matter of principle and pride to personally guarantee to fix/update any code I write for either the lifetime of the code or mine (whichever is shorter). Been doing that for 25+ years now.

    2. P. Lee

      Re: The most important point is - companies must guarantee their products

      >If the fault is that their software was not sufficiently hardened then the vendor should be sued to the extent of the damages.

      For some value of "sufficient." What you'll find is that the software is sufficient for whatever the vendor says it is sufficient for... nothing. If you use it for something else, then you're on your own.

      The problem is the scope of the problem. There are lots of consumer-level router manufacturers who absolutely should be slugged for providing substandard software. On the other hand, OS vendors are writing massive pieces of software with *lots* of different execution paths. There's no way you can test all that. Certainly some errors are stupid, but others are very obscure. All that adding insurance does is hike the price due to premiums - the cost of the breach + a slice of profit for another company. It doesn't actually fix the problem - it may make it worse; witness subprime: vendors selling dodgy goods, but they didn't care because it was insured by people who didn't know better - that's all of us.

      Then you have the issue of FLOSS. Well, Torvalds, I had a Linux-based IoT safe which got hacked and all my wife's jewellery was stolen. Here's my bill for the loss. I don't think that's going to work.

  4. Medixstiff

    You can bet

    Any software vendors will just stick a clause in the EULA similar to a get out of jail free card, so unless big customers up and leave causing monetary loss, most won't care and will just leave it to the lawyers, like they have always done.

    Unfortunately software bugs and zero days have been a fact of life for so long, changing the mindset of developers is near impossible, although we haven't got around to using violence yet.

  5. Michael Habel

    Sounds to me

    Like, this isn't quite the change MicroSoft has in mind for us... That said, those of us who frequent this (and/or other Tech Websites) have a small responsibility to warn our Families, and dear Friends, on why that free Windows 10 upgrade... Isn't quite the bargain they had hoped for.

    This again may not be what Mr. Moss had in mind with being held accountable... Presumably in a Court of Law. But, I think the Court of Public Opinion will be just as damning once the word hits the streets that it'll use every dirty trick in the book to get its pound of flesh off your back. Then I'd expect to see Windows 10 go down faster than Windows 8.x ....

    Then again (at the risk of hedging one's bets), this could take a bit longer, as MicroSoft finally woke up and realized that TIFKAM probably really was preventing sales of their latest offering(s). My only prayers are that, at least on this one front, my privacy concerns are shared. I suspect the Sheeple (and Shills) out there to be like: well, Google do it! Apple do it.. And you're not complaining, so why now?

  6. Tony S

    Job for life?

    Security is not like Sales or Marketing. Those departments can easily demonstrate what they bring to the table; Security is not so easy, and there will always be senior managers looking to "cut costs", "trim the fat" etc. who will be more than happy to wield that axe in an area that they don't understand or believe adds any value to the business.

    Having said that, anyone that has the key skills within security and is reasonably competent *should* be able to find work, as there are still relatively few people that are sufficiently well trained to fill available gaps.

    Perhaps not a "Job for Life", but more likely a "Career for Life".
