Short Story: You people think you have good security on your websites, don't you. Don't you?

A tongue-in-cheek original short story

This story is licensed under CC-BY-NC 4.0. You can share it freely, but if you want to use it in anything commercial, you need my permission.

"You people think you have good security on your websites don't you. Don't you?" said the cybersecurity consultant. "Right. Let me explain what you need to secure a website.

You don't want your website on a shared server. If other people have write and execute access on the machine you're running your site on, they could be the reaper. By which I mean they could bring your site down, accidentally or maliciously, or they could be social engineered to get access. No. You don't want to take that risk.

You don't want to be on a virtual server either. That means your software is running on an operating system that's running inside a theoretical box inside another operating system. Whoever has root on the operating system that theoretical box is running on, has your entire system inside a space they pwn, which means you they can bring your site down just by taking your theoretical box down, or taking their whole system down, and again, they might do that accidentally or maliciously, and could be social engineered to get access. Virtual server is no good.

So you have to have root on the deepest operating system running on the actual box. But you also have to pwn the box, you have to have control of all the ports on the box that anyone might use to access it if they get access to the datacentre. Also, you can't have that box inside a network someone else pwns. You have to have root on the entire local network wherever your box is plugged in. Otherwise anyone who has write and execute access to any box in the trusted part of the local network could be the reaper. So realistically, you can't have your box in a shared datacentre, even a private co-location. You have to have it in a server room you pwn. It has to be a room with a strong door, and tough locks, and you have to have the only keys. It has to be a vault-like room, with no windows, and metal or stone or reinforced concrete walls, floor, and ceiling, so people can't smash or drill their way in.

Obviously, there's got to be only one network connection which you pwn all the way to the ISP. For anyone to connect to your server and use your website, they have to tunnel through a virtual private network that you pwn, end-to-end, using a fifty digit random password which changes every three seconds. But there's also a risk that whoever pwns the network pwns any traffic going across that network, no matter what kind of encryption you're using, so really it's better if you build your own dedicated network, and get anyone who wants to use your website to get a dedicated cable into their house so they can use that. It has to be a cable, because wireless, well, it's going through atmosphere that you don't pwn. What more do I need to say?

So that's pretty secure, right? Wrong. Wrong, wrong, wrong. If your server is in a normal building, and anyone can get access to the outside walls, that's still a huge attack surface. Even at the top of a huge building, people could parachute in, or they could take out your server with a plane, or a missile. So it needs to be deep underground. At least a hundred floors down, with multiple elevator shafts so you can't just drop explosives down the shaft. There has to be only one way in and out. Ideally on the inside of a mountain. That's the best for keeping the ETs from pwning your server with psyonics too.

So if you do all that, and you let me and my little grey friends do a few years of penetration testing before you let anyone use your website, it has to be me, nobody else understands how to harden the whole attack surface, amateurs the lot of them, then and only then can you say you have good security. But not good enough, for that you need to..."

Two hospital orderlies watched the consultant continue his lecture to the empty room, as the on-call psychologist arrived.

"Classic persecution complex, leading to paranoia and delusions of grandeur" said the psychologist, shaking her head sadly. "It's sad what the security industry is doing to the mental health of its staff these days. Better double this patient's medication, and we'll see if that improves his condition. Otherwise, we might have to resort to electro-shock therapy."

The psychologist shook her head again, and continued on her rounds, as the orderlies tried to get the patient to stop talking long enough to take his pills.

Image:

• "strung out" by jonathan.youngblood, CC BY 2.0, hosted on Flickr, found via OpenVerse.