They are wrong (so far), and it is not getting progressively worse. In the 1990s, it was realistic for an amateur hacker to aim at owning up a whole backbone network. You broke into computers by running "showmount -e" and looking to see which ones were exporting their root filesystems r/w to the entire Internet. In the early 2000s, worms targeting Win32 vulnerabilities were so effective there was almost legislation. Nothing was sandboxed (except for, ironically, Java applets), and virtually every web application on the Internet was riddled with SQL injection. The first time I ever did a professional consulting application penetration test, I logged in as "admin" with 'OR''='.
It's a lot more fun to be an attacker today (I mean, if you dig computer science), but I don't know a lot of people in this field who think it's gotten less challenging.
I think you can agree that _worse_ doesn't necessarily imply _harder_. More critical systems are online, software is more complex, more actors are in the mix, etc. Feels like semantics, anyway.
I don't agree at all that more critical systems are online. What I see instead is a greater recognition of the variety of critical systems that are and always have been exposed, leading in turn to better security for those systems. And we're kidding ourselves if we think that the attackers we're facing today weren't active 10 years ago.
20 years ago, owning up someone's voice mail was a funny joke (teenagers were literally owning up switching systems.) Today, we're all carrying HSMs in our pockets. Things are better, not worse.
Owning someone's voice mail, or even a PC, is ultimately very low impact on societal scale. But what about the increasing amount of physical systems that are on-line - factories, powerplants, hospitals, cars, pacemakers (via phone), etc.? Is this not as big of a problem as it seems to be?
The point isn't that voicemail is super important; the point is that infrastructure wasn't even secure a decade and a half ago. The systems you're talking about were all exposed then too.
As far as I can tell, the first openly networked pacemaker was implanted in ~2009 [0] (Probably earlier in not-announced mode, but not by much). A decade and a half ago, people pretty much only had a home PC connected to the internet in their house. Now they have everything from their lights to thermostats to home security systems connected. 15 years ago, there were probably some internet systems with large collections of personally identifying information on them, but western society as a whole hadn't yet decided to put all the data one could want to know about them in one place (multiple times over).
Everything might be more secure, as you say, but there are so many more ways a small hole could be exploited to do damage now.
Look, Dan Geer is fine, so I won't snark and say "that's one of the nicer things anyone has said about me on HN"†, but let's be clear: Dan Geer and I have a very different kind of day-to-day workload. We'd probably come to different conclusions about all sorts of things. I would also in a million zillion years never quote Nassim Taleb on anything. He's wrong here, as he has been in the past. We've all been wrong about things! I just happen to be right about this one thing.
† Sure, I just did, but I'm being upfront that it's a cheap and unfair thing to say. I'm human.
You don't agree at all that increasingly critical parts of society have been subsumed by the Internet during the last _28_ years? What planet are you living on?
Please elaborate because I don't see how you can even remotely defend what you wrote.
Well, angry anonymous commenter, I've been working in software security since (checks notes) 1993, and professionally since 1995, and the claim you're making just doesn't hold up. "The Internet" may have subsumed all sorts of things, but it's ~1.5 behind computers and telecommunications. Before there was an Internet, the world ran on dial-up modems and X.25, and people were breaking into things then too.
Things have gotten better, not worse, and personally, if I was being more aggressive about the argument (which I guess I am now), I'd go further and say you can't have been paying any attention in the 1990s (or to the history of what happened in the 1980s) and think otherwise.
I'm stating the following since I've seen you appeal to your work history and say "trust me, I've been in this for a long time" far too many times to give you a pass here.
There are plenty of tptacek posts on HN, where it is crystal clear to anyone with similar years in the domain as yours that you're either entirely wrong or deliberately misleading. You need to make a proper argument if you want to convince me.
There were computers, telecommunications, dial-up modems, X.25 and private networks in the 90s but the degree of cohesion, sublimation and intra-connectivity wasn't anywhere close to what we have today. Consequently, the actor domain looked very different and concepts such as cyberwarfare weren't even in the public eye. Morris worm vs NotPetya. Sure, barrier to entry was very low compared to now. But, as Dan Geer has repeatedly shown, risk has grown tremendously even if the field has gotten a lot harder. You don't think that completely disproves you?
Dan Geer is wrong. I already made the argument, upthread. I'm responding to your appeal to his authority with an appeal to my own experience. It has gotten harder to break into things, not easier. The Morris Worm was arguably a bigger deal than NotPetya --- certainly, it was more sophisticated. Every couple of years, there's some malware or other that manages to infect huge numbers of machines. IIRC, Nimda took down the entire Navy Marine Corps Intranet. They said then that we had crossed some threshold, and from now on attackers were just going to get worse. Who cares? Guess what: the opposite thing happened.
I can't disagree from a technical perspective, nor should anyone else. But that just isn't that relevant. Sure, you could hack the entire world 20 years ago, but there just wasn't that much impact.
If you read almost any constitution, they protect "life and liberty". Today those things are being impacted by a lack of security. People's messages, private pictures, assets, infrastructure, opinions and even geopolitics are all affected.
Yesteryear the most you could do was largely to expose someone's password, read their university e-mail and steal some source code. Relative to the impact, security is a lot worse today.
Granted, some chunk of that is from an expanding surface area vulnerable to attack, and an expanding amount of valuable data available for the taking.