Friday, October 14, 2005

I Blame Society

I ran across this screed, which I thought was pretty darn insightful. It's called "The Six Dumbest Ideas in Computer Security" by Marcus Ranum, and it offers some fairly unqualified contempt for ideas that have become axiomatic in the realm of computer security.

One of the things that made the list, the idea that user education is an effective way to enhance security, is laid to waste by the observation that:
...the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.
Indeed. But the one that really got me thinking was #4 on the list, entitled "Hacking is Cool."
One of the best ways to discourage hacking on the Internet is to give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems, right? Wrong! "Hacking is Cool" is a really dumb idea.
The essay points out that this phenomenon is largely a cultural problem. Hackers are portrayed as "cool" in the media, in books, and on TV. The media tends to lionize the "Hacker" as smart, industrious, and ambitious. I mean, so what? So is a Don of the Mafia.
…by portraying hackers, variously, as "whiz kids" and "brilliant technologists" - of course if you're a reporter for CNN, anyone who can install Linux probably does qualify as a "brilliant technologist" to you. I find it interesting to compare societal reactions to hackers as "whiz kids" versus spammers as "sleazy con artists." I'm actually heartened to see that the spammers, phishers, and other scammers are adopting the hackers and the techniques of the hackers - this will do more to reverse society's view of hacking than any other thing we could do.
What is not portrayed as "cool" is good engineering. Anyone remember the WWII movie, "Sea-Bees of the Navy"? It was John Wayne making the guys who built bridges and air strips look not only cool, but downright heroic. Maybe we need a movie that makes engineers out to be heroes and the hackers the villains (which, perhaps not so ironically, is exactly the opposite of the plot of the film "Hackers" starring a young Angelina Jolie).

That hacking (or cracking, as some prefer) takes a bit more training than vandalizing a vending machine is not all that relevant; both are pointless exercises that are destructive at best and downright criminal at worst.

Hat Tip Fred Avolio
