Hacking and the real world

Posted: Mar 13, 2008, under IT today, Security.

I was reading an article by Adrian Spinei and, not for the first time, it made me think about how our society likes to consider computer hacking similar to physical aggression, invasion of personal space or privacy violations.

It wouldn’t be so bad if just the uninformed masses had the wrong idea. But it doesn’t seem to be the case anymore. When the entire society, from mass-media to lawmakers and specialists (who should know better) tends to adopt this way of thinking, I know we have a problem.

I’ve always thought that the analogy between digital security and the real world is basically false. People like to compare breaking into a computer with breaking and entering physical premises, or hacking a pacemaker to an armed street assault. But there’s an essential difference.

You cannot expect real world victims to live their lives perfectly prepared against such aggressions: install an alarm system, a barbed wire fence, a water trench with crocodiles in it, learn karate like Jackie Chan and so on.

But you can and should expect makers of digital systems to secure them to near perfection. All it takes is willingness, professionalism and following some basic rules. Granted, 100% security may never be achieved. We’re humans and we make mistakes. We’re not perfect. But we can get very very close to digital security. Certainly a lot closer than we’re doing now.

Computers are a virtual world which can be made perfectly secure. The only real danger here is laziness, slacking off and overlooking things on the part of the software and protocol creators.

This is how digital villains come to be crucified. The industry claims damages of many billions. Law enforcement issues enormous sentences. Security vendors push their latest product on you. Mass-media gnashes and wails and foresees doomsday. The public cowers in terror. And everybody raises their hands and wonders, where will this end? It’s getting worse all the time.

And all this time, the real villains keep on doing what they do quietly, while the world around them suffers. Yes, I mean incompetent software makers. Their cutting corners, overlooking things and generally taking the easy route is what makes the rest of the world suffer. When a pacemaker has poorer security than your average mobile phone, you know a new kind of line has been crossed. This is incompetence taken to the next level. Now we’re talking human lives.

I’m not saying hackers should be cut some slack. I definitely don’t like portraying hackers as some kind of modern Robin Hood, because most often they’re no such thing. They are vile people. But there’s no point in denial either. We should go for the source of the problem, and hackers aren’t it. They’re just parasites taking advantage of a situation that others have made easy for them.

You want an analogy? Think of a bank without a vault or walls, a bank that keeps all its money and gold bars on the sidewalk. Would you think it was evil if people passing by would snatch something? Or would you think it was unbearably stupid of that bank to do this?

Unless a system was supposed to be hackable then it shouldn’t be hackable. It’s perfectly possible to make secure systems. Systems that can stand buck naked in the middle of the Internet and still not have anything pass if it doesn’t have the proper credentials. Antiviruses, firewalls and their kind are just band-aids and they’re trying to patch gaping, bloody wounds with them.

Proper security is done from the ground up, from the thinking stage. It’s not done by pushing the problem onto the users (“educating” users). It’s not done by treating the symptoms (with antiviruses and firewalls) instead of the cause. It’s not done by issuing ferocious punishment to people who take advantage of other people’s incompetence.