Should You Trust the AirBnB Platform?

Lately one of my favorite jokes in SF is we haven’t reached peak yet because no one has tried to start AirBnBurrito. How can we just continue to order burritos without some kind of abstraction to improve our burrito experience? Why isn’t there a burrito sharing platform?

Platform is the hot new buzzword. We’ve never seen platforms of sharing like these before. Think disruption. Think possibilities.

WARNING: SECURITY PROFESSIONAL OPINION AHEAD.

VIEWER DISCRETION ADVISED.


For example if you put a smooth asphalt platform down where you live, then people can drive toxic chemical emitting boxes of death all around you. Those significant increases of disease in your home area from passers-by are a benefit, really, because they spur innovations in health care. Now that you have created a platform that leads to lead poisoning and asthma you can create a platform to search for how to remove lead poisoning and asthma…

I hear you saying broken window fallacy but wait, wait hear me out.

If you put a wireless transmission platform down, or even a spinning disc with recorded music platform down, you can give musicians pennies on the dollar for their work. You can build lavish studios and host amazing parties and promotional events on the backs of the kids who actually create music and then spit out those used up kids as the next batch of kids arrives.

Too much snark in my historic examples? Ok let’s be serious, the question should arise every time you hear the word AirBnB whether you have good reasons to trust a platform. What if history is just repeating itself, benefiting a few by allowing a clever shield scheme to avoid direct responsibility for harms that are externalized or spread widely? Platform risk is complicated and should not be treated lightly.

A platform company evangelist or product manager will probably tell you their developers are all responsible people who can be trusted implicitly to do the right thing; no need to have oversight because people are just naturally good. In reality, however, when you talk to the platform engineers behind closed doors you will often find a modern version of Sinclair’s 1906 novel “The Jungle”; history has some very important lessons to be remembered.

“Developers are our worst enemy,” a car ride sharing platform security team member revealed to me recently, explaining further that “developers are so sloppy with credentials we had to hang one to make an example to the others”. This is a fine point. If we don’t make examples, or talk about security issues directly and openly, a platform may enable very bad things.

Sinclair wrote in 1906 that the meat-packing industry was so poorly managed that the death of employees was a very real and pressing concern. He published a book about the need to protect worker rights. The US government, loath to be too concerned with the lower classes, pivoted from complaints about worker rights to create an agency that protected consumer trust and capital investment in food and drug platforms (FDA).

Today the new “sharing industry” data is so poorly managed that invasion of privacy is a very real and pressing concern…any guesses the direction regulators eventually will go?

With that in mind take into consideration a new light-hearted story called “Airbnb Shares The Keys To Its Infrastructure”.

Pfffffft. Right off the bat I have to wonder whether the title is meant to make infosec professionals spit tea all over their monitor. Because that’s what I did.

To be fair I would gamble the title was really meant to be some kind of innocent “sharing” reference. Cue the little bunnies and kittens fluffing around. So tempting…

But to the trained security professional ear it comes across as nails on chalkboard: “AirBnB goes on vacation and leaves your doors unlocked”.

Ok, but never mind the title. It is just a title. Let’s get right to the meat of the issues within the story. Let’s go right to the paragraph about…

Search for the word security: 0 hits

Search for the word confidential: 0 hits

Search for the word privacy: 0 hits

Search for the word risk: 0 hits

Search for the word trust: 1 hit!

While renting out an apartment or a house when it is empty is certainly not a new idea, Airbnb has taken it all to a new level and has built the idea of trust – of the people you are renting from as well as the people you are renting to – into its system, which has no doubt been a catalyst that has propelled its business.

Wat. Trust is built into wat system. Wat

Color me shocked. First, their supposed “new level” trust system actually has been proven to be antiquated and quite primitive. It has run into easily predictable failures that any hotel, let alone a reasonably thoughtful individual, would be prepared to handle.

…logic and decency would suggest that when you’re in danger, as Mr. Lopez claimed to be, Airbnb would come to your rescue. And in the wake of this episode, Airbnb said on Friday that it was clarifying its policies to make sure that its employees know to always call the police when someone reports an emergency in progress.

AirBnB management was unprepared for an emergency, leaving customers and employees in an untenable trust relationship. Is that the “new level”?

Second, in the text of this new story about keys to infrastructure the closest mention to anything security related that I could find was a little bit on segmentation, and that was only because of a failure of availability.

We actually had to do a big cluster migration at the end of last year to separate all data infrastructure into two separate mirrored clusters: one to run all of the business critical jobs – things that have to be run and done on time – and another one for ad hoc queries. When we had it all running on one cluster, people were so interested in learning from the data that the ad hoc queries could get in the way of some of the business critical work.

They actually had to separate clusters because load. Not because privacy. No, the lack of privacy control is exactly what led to the availability failure.

Let me just say that again to be clear. Segmentation is not described as a safety issue but only in terms of performance. And yet to me the age-old problem of having too many chefs in a kitchen is an obvious safety issue much more than a performance one.

If you’re like me you’re now dying to know how privacy is being protected in the AirBnB world of sharing data as widely as possible for profit. Surely there must be some importance of privacy meant to be implied somewhere…especially in paragraphs like this one:

Airbnb actually teaches classes in SQL to employees so everyone can learn to query the data warehouses it maintains, and it has also created a tool called Airpal to make it easier to design SQL queries and dispatch them to the Presto layer of the data warehouse. (This tool has also been open sourced.) Airpal was launched internally at Airbnb in the spring of 2014, and within the first year, over a third of all employees at the company had launched an SQL query against the data warehouse.

Great. SQL being taught internally to everyone is just great. Everyone is being told to crowd into the kitchen and sharpen their knives.

What I’m really looking for, however, is an explicit statement more like “Airbnb actually teaches classes in privacy to employees so everyone can learn to protect customer data…”.

Instead I hear a company talk light-heartedly about giving keys to everyone, training everyone to dive in and start without any mention of due diligence or care.

The article is alarming because it emphasizes trust and then gives basically no reason at all to believe in it. Is consumer safety of any real concern? If this doesn’t get regulators poking into AirBnB I am not sure what should.

And all that doesn’t even touch on the logical inconsistencies. For example contrast these statements from the same person:

  • “the bad part is that Mesos, by its nature, is a layer of abstraction and it obscures some things from you”
  • “I intuitively believe that we are making the most of our engineers to push the business forward and doing it in a cost effective way on AWS” [because abstraction obscures some things from you and that’s just great. it’s so great i look back and wish i had increased obscurity 45%]

Just to reiterate the lesson being taught here: The bad part is abstraction; it obscures things from you. That’s bad. So we should push the business forward and in a cost effective way with abstraction. Bad is good for business. See?

But forget about the illogical flaws in reasoning for now. That’s just typical of cloud platform hype. Instead ask the tough questions about whether AirBnB gives you any reason at all to trust them if they’re sharing keys to your data.

END OF WARNING


So anyway as I was saying you may want to read the new piece about hot platforms and how AirBnB is doing fun stuff these days. It’s a good fluff read on the platform. Check it out and enjoy.

Larger than Life (Stawka większa niż życie)

Today in 1939 Hitler and Stalin signed the Molotov-Ribbentrop Treaty (non-aggression pact) secretly dividing Poland. To add perspective I thought I would mention a classic spy video series that is not widely known outside Poland.

Polish television, from March 1967 to October 1968 (18 episodes), told the story of secret agent Stanisław Kolicki (codename J-23), who carried out a secret mission in the Nazi army as Hans Kloss. Perhaps the most famous line of the protagonist is “Mów mi Janek”:

Call me Mike

The series begins in 1941, two years after the Nazis and Soviets conspired to divide and conquer Poland. Episode one shows a young Pole, Stanisław Kolicki, escape from Konigsberg camp on the Soviet side. He begins cooperating with Soviet intelligence by providing information about German troop concentration along the border. Soviet intelligence notices a confusing similarity, identical appearance, with a captured German Hans Kloss on the German side. Codename J-23 is born and Kolicki makes a daring run into German occupied territory. He begins organizing a counterintelligence network until the Gestapo become suspicious of radio communications and hunt him. He manages to fake his own death and escape back to the Soviet side. He then convinces Soviet intelligence to allow him to return. J-23 infiltrates the Abwehr again, this time as a “real” Lieutenant Kloss posted to Nazi military intelligence.

A Common Security Fallacy? Too Big to Fail (KISS)

Often I have journalists asking me to answer questions or send advice for a story. My reply takes a bit of time and reflection. Then, usually, although not always, I get an update something like this:

Loved what you had to say but had to cut something out. Editors, you know how it is. Had to make room for answers from my other experts…I’m sure you can understand. Look forward to hearing your answer next time

I DO understand. I see the famous names of people they’re quoting and the clever things they’re saying. They won, I lost. It happens. And then I started to wonder why not just publish my answers here too. That really was the point of having a blog. Maybe I should create a new category.

So without further ado, here’s something that I wrote that otherwise probably never will see the light of day:

Journalist: Tell me about a most common security fallacy

Me: let me start with a truism: KISS (keep it simple stupid)

this has always been true in security and will likely always be true. simpler systems are easier to secure because they are less sophisticated, more easily understood. complex systems tend to need to be broken down into bite-sized KISS and relationships modeled carefully or they’re doomed to unanticipated failures.

so the answer to one of the most common security fallacies is…

too big to fail. also known as they’re big and have a lot to lose so they wouldn’t do the wrong thing. or there’s no way a company that big doesn’t have a lot of talent, so i don’t need to worry about security.

we’ve seen the largest orgs fail repeatedly at basic security (google, facebook, dropbox, salesforce, oracle!) because internal and external culture tends to give a pass on accountability. i just heard a journalist say giant anti-virus vendors would not have a back door because it would not be in their best interest. yet tell me how accountable they really are when they say “oops, we overlooked that” as they often do in their existing business model.

for a little historic context it’s the type of error made at the turn of the century with meat production in chicago. a book called “the jungle” pointed out that a huge fast-growth industrial giant could actually have atrocious safety, yet be protected by sheer size and momentum from any correction. it would take an object of equal or greater force (e.g. an authority granted by governance over a large population) to make an impact on their security.

so the saying should be “too big to be simple”. the larger an organization the more likely it could have hidden breaches or lingering risks, which is what we saw with heartland, tjx, target, walmart and so on. also the larger an organization the less likely it may have chemistry or incentives in place to do the right thing for customer safety.

there’s also an argument against being safe just because simple, but it is not nearly as common a fallacy.

This Day in History: Antoine de Saint-Exupéry Disappears

On July 31 in 1944 Antoine de Saint-Exupéry flew a Lockheed Lightning P-38 on a morning reconnaissance mission, despite being injured and nearly ten years over the pilot age limit. It was the last day he was seen alive. A bracelet bearing his name was later found by a fisherman offshore between Marseille and Cassis, which led to discovery of the wreckage of his plane.

Saint-Exupéry was an unfortunate pilot with many dangerous flying accidents over his career. One in particular was during a raid, an attempt to set a speed record from Paris to Hanoï, Indochine and back to Paris. Winning would have meant 150K Francs. Instead Saint-Exupéry crashed in the Sahara desert.

Besides being a pilot of adventure he also was an avid writer and had studied drawing in a Paris art school. In 1942 he wrote The Little Prince, which has been translated into more than 250 languages and is one of the most well-known books in the world. Saint-Exupéry never received any of its royalties.

It brings to mind the rash of people now posting videos and asking their fans to pay to view/support their adventures.

Imagine if Saint-Exupéry had taken a video selfie of his crash and survival in the Sahara desert and posted it straight to a sharing site, asking for funds…instead of writing a literary work of genius and seeing none of its success.