Bug Bounties, Public Betas and Risk Management

I love Paul Jorgensen’s blog and his unique take on cyber security issues. It is his chosen profession and he was one of the very few to notice and take interest in the August 2017 Google BGP leak that brought down Apple Pay Suica services and major parts of the Japanese internet. He was also one of the few to blog about China Telecom spoofing the BGP protocol to poison internet routes to suck up massive amounts of American and Canadian internet traffic for intelligence analysis.

In his post today, Paul quotes Katie Moussouris on bug bounties and risk management. Specifically, relying on public bug bounty programs just creates the “appearance of diligence”:

“This is not appropriate risk management. This is not getting better when it comes to security vulnerability management.

A lot of the patterns [have] not actually shifted that much from where we were when I started out professionally 20 years ago as a penetration tester…

We’ve created a $170 billion industry, which, we’re really good at a few things, security not exactly being one of them. Marketing, definitely.”

As Paul points out, “bug bounties are a tool, but only one tool. And it’s a game, so people will look to take advantage.”

To draw a close analogy, I would also say that the public beta approach that Apple now uses for iOS and macOS development is similar in that it just conjures the appearance of diligence, not diligence itself. It creates an atmosphere of reduced expectations, both on the engineering side and the user side: “it’s just a beta, we can still work out the bugs.” I wonder if we would be better off without a public beta; a better developer beta program with robust bug reporting tools might set a higher bar.

As others such as John Gruber have noted, iOS 13 has been one of the buggiest beta development cycles in recent memory. Perhaps I am being nostalgic, but I think when Steve Jobs still walked the halls in Cupertino, his drive to deliver an excellent shipping product, and the fear of his wrath when things didn’t measure up, were the due diligence that instilled the Apple development culture of that time.

People perceive quality even if they cannot put it into words, the old look and feel thing. As Moussouris points out, marketing is a poor substitute for diligence and quality. The risk of the current environment is that Apple ships software products that have lower expectations which no amount of marketing can make up for.

Thoughts On the Big Google BGP Leak

I had lunch with a talented Japanese web programmer recently. After tying up loose ends on a long-term web site makeover we talked about the web and the constant march of tech, but something was bothering him.

“I don’t trust things anymore,” he said. “Not after that BGP leak last August. It’s not right that one company (Google) can just shut down the internet in Japan and walk away. It’s not right they have that much power over us.”

He was talking about the big BGP (Border Gateway Protocol) leak that shut down major parts of the Japanese internet, including Apple Pay Suica, iCloud services and online trading services. Japanese customers were locked out of their day trades with no explanation.

NHK and other Japanese media reported that Google apologized for the leak, but I never found a trace of it on any Google site. People criticize Apple for not communicating things, but Google makes Apple a paragon of clear and responsible communication by comparison.

Since then nothing has been discussed by Google, which initiated the leak, or by Verizon and NTT Communications, which propagated it. Web programmers in Japan are naturally worried because they want to prevent the same disaster from happening again, or to avoid catching blame for something they are not responsible for.

To put it bluntly, if big American traders had been affected by the BGP leak the world would have heard all about it and Google would be jumping through hoops. Japanese are expendable in a way that big American traders are not.

It goes much deeper than that. Nick Heer is one of the few people writing about this issue. He warns of too much internet power being consolidated in the hands of a few American companies:

“Of the many serious flaws in the infrastructure of the internet is that most of it is powered by private corporations, many of which are based in the United States. Due to network effects, we have consolidated much of the web around just a handful of them…”

There is a lot at stake here. People should be concerned.

UPDATE: China Telecom spoofing BGP to poison internet routes and suck up massive amounts of American and Canadian internet traffic for intelligence analysis is yet another huge security story that nobody talks about.