You guys probably know my stance on the usage of the word hacker. You probably also know that the pop culture image of a hacker cultivated by Hollywood annoys the hell out of me. People think that hackers are some super-human geniuses who can break into just about any computer system by simply rapidly typing on a keyboard. It’s sad – and while most people know that CIA agents don’t drive flying amphibious cars and don’t have mini-machine guns embedded in their wristwatches like James Bond, they seem to eat up all the “hacker” science fiction.
Even the people who should know better fall into this trap. Go pick up 2600 magazine one day and you will see what I mean. Of course, granted – 2600 is probably not your finest zine out there. Some issues feel like reading about stuff that was cool on the internets 6 months ago, only on dead tree media. But you’d figure that the editors of a “Hacker Quarterly” would know better than this. But no – the whole thing is like “hackers this” and “hackers that” – ugh… Even my brother thought it was a bit juvenile. I left the magazine in the bathroom once and he started reading it. Afterwards he told me it sounded as if it was written by a 14 year old who had just watched Hackers. Btw, I’m not knocking their content – just the attitude. Then again, I guess those who read or write articles for zines like that have a good idea about security, so they are not really doing that much damage here.
Hollywood, on the other hand, does. Let’s face it – if the average Joe believes that a hacker can just sit at a computer and hax it by pounding on the keyboard for 15 minutes, then we have a problem. Do you think they will adhere to all the security policies if they believe that? “Dude, like a real hacker could like break this encryption in like 5 seconds.” Most people believe that hackers are these super intelligent people with awesome skills way beyond the understanding of a mere mortal. They are like some sort of computer gods that must be feared – which of course is bullshit. People have it all backwards. Anyone can hack. You, me, my grandmother – it’s really not that hard. The problem is on your end – your security policies and your setup determine how hard it is to 0wn your system. I think this Bigger Than Cheeses cartoon sums this all up perfectly:
You don’t need to be a security expert to implement basic security precautions. You don’t need to be a 3117 h4x0r to protect your systems from 90% of malicious attacks. Most of the security stuff is common sense. You have to keep two things in mind:
- All software is shitty and buggy from the get go. It is impossible to create a sufficiently complex application that has zero bugs. Why? Because you can never find all the bugs by testing. Every single piece of software ever made is flawed and therefore potentially exploitable. The more applications you are running, the bigger the chance that one of them becomes a security concern. There is not much you can do about this, but you can minimize the threat by following basic security guidelines: regularly patching the systems, not running as admin, disabling unnecessary services, keeping all machines behind a firewall, using encryption on sensitive data, using two factor authentication, reading the fucking memos from the sysadmin (even when he is a BOFH), etc.
- Social engineering just works! You can have the best security experts in the world working 24-7 to keep your systems secure, but if Joe the Janitor lets Harry the H4x0r into the server room after hours, you are fucked. So your security is directly proportional to how well you have trained the dumbest, most technologically illiterate person in your organization. ’Cause if I can convince that guy that I’m working for the IT department and that I need the Admin password, then I really don’t need any super-human computer skills to fuck you over.
So I think that this super-human hacker stereotype is detrimental to security awareness. I think it is one of the contributing factors to the lax attitude towards security exhibited by most folks out there. If you believe that the biggest security threat out there is these guys:
then you are ill prepared to face reality. Anyone can be a security threat – they do not need to have special skills or a really cool nickname. They can be anyone – especially current and former employees or staff. They don’t even need to be that knowledgeable about computers – you can get “hacked” by that dumb, clueless guy who could barely figure out how to turn on his computer in the morning, or by the disgruntled cleaning lady. But they can only do this if you give them the opportunity. And this window of opportunity can be minimized by hiring a good, security conscious sysadmin, training your employees, and maintaining proper access controls (i.e. Bob from accounting doesn’t get the Admin password, and Joe the Janitor doesn’t get the keys to the server room, no matter how much he says he needs them).