#
 

‘We Can Learn a Lot About Open and Closed Software Systems by Having Dinner’

April 7, 2017

Ted Burton

Suppose I own a commercial garage. I don’t; I’m not smart enough to own a garage. If I did, I would probably be rich enough so that I didn’t need to ever set foot in the garage. If I’m wise, I have probably hired a management company to manage the overall building and garage. In turn, they have hired a reputable operator to manage the garage, which, in its turn, has hired employees to do the work.


I might also believe that I had bought and installed the “best” automated “open-architecture” revenue control system that money can buy.


Every month, I would receive reams of financial data showing how well the garage is doing. I’d be told that the reports are automatically generated by the latest and greatest (open-architecture) software. Names such as Excel (to name a name that won’t elicit a lawsuit) are bandied about.


Six months ago, I awoke with a start at 2 a.m. “Can I put all my financial faith in the reports I receive?” Duh!!


Later that evening, I visited the garage. Met a young woman named Sally who had been recently hired to valet-park cars. She studies at the local college. We hit it off from the get go. Ended up at dinner, where she filled me in on the garage politics.


When the bill came, I was horrified – no cash, no credit card. She offered to pay ... that won’t happen. “I can get it from the garage,” she offered.


“If anyone finds out, it will be embarrassing for me,” I countered.


“Nobody will ever know.”


She was back with the money in 15 minutes, while I enjoyed a quiet glass. It would be our little secret.


Today, I visited the garage for the second time. It was Sally’s goodbye party. Apparently, she had won some money and will leave tomorrow for an extended world tour. May be gone a few years, Sally said. The garage will miss her.


Quod erat demonstrandum. Or, as they say, QED.


So, totally open may not be a good choice. On the other hand, few would favor a totally closed system either. So, where’s the balance?


Often people tell me that that even if one is convincing in the argument that part of a financial, or control, system needs to be closed, what the hell, they say, anything can be hacked. That, of course, is not true.


Open-architecture systems are invariably designed to provide maximum flexibility. In a design decision that pits security against flexibility, security invariably comes out second. Oh, you will get abundant passwords and stuff, but there usually is a path in, and the more popular the system, the more people are aware of its weaknesses (or more user-friendly, as many would say).


For example, to get back to Excel and its ilk. One can make Excel report anything. It is useful (and it is useful) only if the report creator has no ulterior motivation. Such is more or less true for all widely used open systems. More on this later.


There is another aspect to this question. The software on all of my open-architecture systems changes daily. In my general daily software activities, I use the following operating systems, and have little intention to change: XP, Windows 7, Windows 8 and Windows 10. Only 10 is still supported. Half of all users still use XP.


The software packages that we and most other people use in the software we sell, are being constantly updated. Sometimes those changes are benign but often require substantial work from our software professionals. Sure, one can elect to not upgrade but often do so at your peril.


Adherence to PCI needs is a case in point. It always surprised me that PCI was approving Windows-based systems for PCI compliance. Every professional software expert is totally aware that this is something of an oxymoron, but such are the pressures in today’s world.


Increasingly it is becoming obvious, to me for one, that the banks, at least with regard to credit card transactions, have had it with open-architecture systems. The whole thrust of EMV is to remove the credit card transaction from all user systems The system will decide on the amount required, and a totally closed system processes the transaction. This seems to be somewhat difficult to implement, and dates for full implementation are slipping


All thinking people fervently hope that in the very near future, control of the national electricity grid and the water supply will pass from the existing open-architecture systems to closed systems. There will still need to be communications with humans using open-architecture software, but the important stuff will hopefully be run on closed, hard-coded machines that are impossible to hack.


We can only pray that the systems controlling the nation’s nuclear missiles are suitably structured. (The Iranian government learned that lesson when “Stuxnet” met its 3,000 open-architecture centrifuges.)


 It’s not all about things of national importance. Almost daily we see that this government department or that has been hacked. That a business’s sensitive customer records are gone, or a prominent person’s personal records or peccadillos exposed to all.


I hear many people assert that “all software can be hacked, so what difference does it make?” Such statements only show the speaker’s lack of understanding.


Fortunately, there are innumerable systems that cannot be hacked, while still providing access to humans; that, in itself, may or may not be hackable. The key is to keep the basic facts unchangeable. Everyone has a need for private unchangeable data. Total acceptance of an open-architecture world defeats the goal.


In PT’s open-architecture article last month, it seemed to me that the case was made to buy this gate or that ticket dispenser from some vendor, a PoF from another, transient billing from a third, monthly accounting from another, and so on.


Such a purchaser will invariably end up in a funny farm, for obvious reasons.


Ted Burton is Co-Founder and President of Secom. Contact him at: International, at ted.burton@secomintl.com.



#