Authentication Breakdown
One of the pressures on us cattle is security. Particularly, computer security. We need to be secure. Knowledge is everything and we can't be letting all our secrets hang out.
In the last couple of years, companies have ramped up investment in securing their cloud infrastructures, their on-premise and other compute resources. The advent of generative AI has given a massive boost to the urge to slap logins on all sorts of corporate resources. Recently, we learned that Claude was used to abscond with personal information of millions of Mexican taxpayers. How? Hackers asked Claude and, being ever helpful, it patiently worked through the problem, offering a solution for each step.
Back in the good old days, like 2019, I could log in to my stuff once, maybe twice in the morning and for the rest of the day for several days thereafter, never have to deal with a login box again. Now, I spend a big chunk logging into stuff. Federated security apparently took a big hit, with login session lifetimes lasting a few hours during the working day. Each morning and throughout the day, it's logging in. And using MFA. Because everything has MFA now, whether for business or pleasure.
Our smartphones long ago became vital to our physical survival under capitalism. They began as a convenience for doing online banking, or ordering trash bags from Amazon that we could've picked up at the grocery store on Sunday, but didn't.
One company I know of sends out fake emails for the purpose of getting their employees to click bogus phishing links. The careless, the thoughtless, the practitioner of mindfulness who drops his guard, or the purely heedless one, who thinks the email is from a reputable source, soon finds himself with a warning from HR/Security/Whatever. If they fall for the bait again, they are forced into a mandatory security training class. It is a source of shame. "Bro, you clicked that link from microsoft.org? n00b!"
Computer security groups inside of corporations are way more intense than HR. They are like the HR's HR.
Of course, mandatory security training classes are required annually now at most corporate jobs. Sometimes, even more frequently. The topic of security is always presented to us, leading to a low-grade fatigue. The smartphone not being trustworthy enough, many of us now have to keep a physical device to handle MFA. Because you can never be too secure, you need multiple devices. Your phone, this fob, this app.
The grind of the security state (so to speak) is a source of irritation in my life. All irritation looks irrational and probably is, but the repetitive actions foisted on one by a faceless bureaucracy for no good end means the weak – I include myself in this group – will be ground into dust by our outbursts of helpless rage at the pointlessness of most corporate security measures.
In my day-to-day professional life, I now spend hours every week dealing with security reports. Explaining why this open source software (OSS) is needed since it has been scanned and found wanting. I have lots and lots of scans going on in my company. I'm being scanned, or something I use is being scanned. My boss told us one day, "We're scanning. We know if you are doing work or not on your PC during core hours." So he's getting scan reports on us.
Remediating other types of security vulnerabilities in computing environments is also largely pointless. By the time someone has breached so far into your systems that they can read a token exposed on a UI in the cloud portal, you are already compromised. Still, you can never be too secure.
The truth is most security issues are caused by humans on the inside willfully, with malice aforethought, doing nasty things. I know because I worked for a company whose purpose was security. Investigating devastating fuck ups was one of the things I did, trying to locate the evil doer from logs, traces, etc. It was never l33t hackers from North Korea breaching the premises and then doing all sorts of things like in the movies. Remember Chloe O'Brian from 24? You know, "the protocols"? No, it was always some disaffected, fed up employee who decided to load Minecraft on his PC because he had a friend who worked in IT support and owed him a favor.
Software code also has security scans. These are also largely pointless. Endless mountains of paperwork about how the use of this character in a file path could lead to this, if X, Y and Z happened and if, if, if, if, if. We would get dozens of these reports every month and have to deal with them. It was the beautiful cottage industry, a never ending buffet of red taping that could drain the life out of people. They did in fact. Toilsome.
Recent fuck ups in the cloud world causing massive outages were not caused by North Koreans using ampersands in a weird way in a Windows file path. They were just fuck ups caused by miscalculations, faulty assumptions and so on. The really malicious stuff we read about – malware – stems from a user inviting a program of unknown provenance onto their systems. It wasn't l33t hackers using O'Brian's "protocols" to mastermind a deep penetration into enemy territory. There are of course scans galore now to detect if you are running unauthorized software.
At this point, any purists still reading will be shaking in horror and outrage at how glib I've been about the vitality, the essentiality of scanning. When the scanners go dark, the forces of darkness are right behind, galloping into the precious stores of knowledge and business/personal secrets. You can never be too secure, or think that the many layers of security which make it hard for employees to even function, will stop them.
Yet ironically, web sites are still susceptible to bot attacks. When I asked about a very expensive product's inability to stop them since they can crash our systems, I was told it was impossible. I was probably given extra sign-ins, login boxes, etc. as punishment for my impertinence. People will look at you in disbelief if you murmur against security. "But it's for our security... You wanna be secure, right? Right?"
The biggest pressure of course relates to the Anti-Christ. The hysteria over security and the proliferation of security measures heralds his arrival. Think about it: The increasing levels of security make any appeal to a simpler, more sane security system rooted in biometrics all the more appealing. As of now, I already use biometrics for some of my work because it's convenient and I gladly slap the fingerprint scanner or do the facial recognition if it means I can dodge one more fucking login. But, like all things technology-related, the solution is impure because biometrics aren't universally... trusted. So most of the systems I work with still require a fucking password plus MFA to get into them. And no federated security with credentials that are days and days old. Nope. You end up with a mish-mash of things. Use this fingerprint reader for OS sign-in. Use this smartphone app for MFA, except for this system, in which you use a physical device...
There is still so much decentralization that biometrics in security is half-baked. Fortunately, this gap has been recognized and will be filled. Muah!
And then they give you multiple logins. Because it's safer that way, to manage two or three of those instead of just one.
So you can get access to wade through security scan reports and remediate them.
The tedium of computer security was one of the reasons I began considering a new career as a grocery bagger. Honorable work, no security scans, logins, rituals. While I am more sensitive to repetitive and pointless work, I might just be complaining about a First World problem. However, I don't think so. It looks to me like we are being herded towards a future of much more intense security practices, with the final goal being an implanted chip. As a problem solver, I determined one day this would be the only way to alleviate the constant aches and pains from having to manage security. Just let me scan an embedded chip implanted in my right hand or forehead and all will be well. I can get back to actual work.
If I could submit a support ticket and get one of those installed, boy would it be awesome!
In the practice, we are invited to think about eating and pooping, brushing our teeth, urinating, fatigue, happiness, sneezing, spitting, ejaculating and other bodily functions. Enthrallment and enchantment are what drive us to seek out that next experience that will be better than the last. We focus on these things exclusively where possible, or spend hours sulking about the things that drive us mad or cause us a hassle. The modern West is nothing if not finding solutions to inconveniences caused by our own thirst for technology, and we never see very far ahead, to when those conveniences will become sources of misery. We usually decide that death is not so bad once the thrill of a sense experience no longer provides the same kick it once did. Take away the nice sensual pleasures, most of us aren't left with much to look forward to in life. For most, this will sound hyper-depressing, but it's also the open invitation to the spiritual path, the one that leads to true freedom from want.
A smartphone that lets you stay in constant contact with the social world amplifies your misery because the other creatures you "follow" like a dumb pack animal are themselves, dumb pack animals. The screen is ever present, with its endless pages to scroll for the sake of amusement, outrage, or time killing. You cannot however kill time because it doesn't really exist. The world, we are told, is full of state actors hell bent on undoing us if things turn hot; in the cold, they move around in the dark, planting seeds of future destruction, only until the cold flashes hot in a blinding moment.
The Anti-Christ will of course fix all of these things. We will be able to glide through checkouts, the endless assault of login boxes will go away, if we but just accept a chip suggested by him. For our own convenience of course. It will make everything more secure transparently. Transparent means the barriers come down, you can move about freely in the cabin, do your workflow in the flow state. He will solve all our problems, great and small. When the nations of the world are living in peace and harmony and we are not henpecked by a thousand stupid fears of North Korean hackers in our software, our precious systems... then we will achieve the new flow state unparalleled. Technology will have, at last, lived up to its promise and life will be pleasant, a slice of warm butter on fresh baked bread.
One aspect of security relates to AI: Not only is AI now the excuse for increasing more surveillance, more scans, more monitoring by your employer, but it is also the solution to our problem. That problem in turn is people. People build shitty software, the kind that is easily exploited and is distributed daily via OSS packages. There are millions of OSS developers, pushing out commits with all sorts of vulnerabilities and exploitable back doors. They have in turn the whole business world dependent on them now. It's free software, man! These projects apparently don't worry about the CVE lurking in the code they create. Not their problem. Even if you don't want this package because of this or that vulnerability, you don't get much say unless you are willing to retool, rearchitect, redo everything. Why? Because if you like Package A, but it uses Package B, which uses Package C, which uses Package D, and Package D is sporting CVE X...
What now, bitches?
In normal civilian mode, I deal with bad software. Things still don't work as well as we think they should. Dukkha is in everything and when the irritation subsides, disenchantment sets in if we but let go of the grudges. I am a donkey chasing a carrot dangled in front of him and have been my whole life. If you are far enough along, you will realize it stretches back aeons. About 1 trillion years ago, you were somewhere hunched over a Windows 3.11 station punching in passwords like b@nana100 to get access to a FoxPro database that a college intern in HR built. If that doesn't induce a sense of samvega, I don't know what will.
Earlier this evening, I spent 15 minutes trying to get signed back into a web site because the MFA was borked. How did that happen? Humans. Every day, it's some inconvenience caused by poorly designed, poorly built software despite our decades of technical advancement. Yes, a lot of things work really well relative to twenty years ago, but you've never looked at a security scan probably, looked into the bowels of the beast, seen the half-digested food. We put up with bad UI design, bugs and "quirks" to this day. AI enthusiasts point to this and say, "Hey, we've reached a plateau as a species and it would be so much better if an intelligent, autonomous agent trained on the sum of all human knowledge could just step in and prevent these problems and give us the technology we deserve!" Who can disagree with that?
And the agents who train other agents eventually to do the human tasks that were so difficult, so tiresome, so error-prone? Well, that shit don't sleep. An agent would be instructed to not only identify CVEs, but fix them with a better implementation that was faster, better, stronger, etc. That day is close at hand.
The truth is that software and complex technical systems have been very stagnant for quite some time. Sometime around 2018 or so, we hit a plateau and innovation slowed greatly. Everything now is just shaping and using existing technology that was designed and built years earlier. CSS, JavaScript, Python... they all get refinements that make them better, but there've been no big disruptions apart from AI and in many ways, this stagnation is what helped AI gain a rapid foothold in IT. It could be trained on anything in software because there was so much code, so much documentation out there already from a very still, quiet landscape. React isn't going away, but there is nothing to replace it as the Next Big Thing. The focus now is exclusively on leveraging the existing knowledge base via agents to do more work.
At the point that AI creates an entirely new framework for doing software, it will have surpassed its creators and the language it uses will probably not even be readable in its uncompiled form. It won't even need to compile anything since it will write at a machine level.