Monday, 4 May 2009

The Hacker Will Always Get Through

The BBC currently has a program up on the explosion in cybercrime.

Initially this program had me shouting "No! No! No! You just don't get it!", but eventually it did a twist-in-the-tail and hit the real reason that cybercrime is so rife:

Computer users are stupid.

I'm sorry, I know it's not a pleasant truth, we would far rather believe that there are these fiendishly clever, evil people out there who are doing super-clever things, and that's why people get hacked. But the truth is never pleasant, is it?

The simple fact is that a lot of people who get hacked, deserve to get hacked. And I can put my hand up here and say that I once did something stupid myself. I was in a youth hostel, and wanted to connect to my home computer and read my mail. I use Secure Shell to do this, and was surprised to see that there was a secure-shell program right there on the desktop. That's a rather surprising thing, I thought it was suspicious at the time, but I clicked on it and used it. And lo and behold, someone got into my default account on my computer (fortunately there wasn't much there that they could do, as they lacked the higher-level passwords needed to switch to other accounts). But still, I was stupid, and things followed from that. I'd been stupid, and got hacked, and deserved it.

However, in most programs I see that address these issues, there is often a focus on the infrastructure that criminals use to organize themselves. Take IRC. When people here that criminals generally use IRC as their meeting place, there's often crimes of "Why isn't that taken down? *I* don't use IRC, clearly it is only used by criminals! Remove it and the criminal problem will go away." No, it won't. The criminals will just move onto another communication method. This is equivalent to living in a world in which everyone leaves their front doors open, but the popular solution to the resulting crime is that the roads are too open. The roads allow criminals to move easily from place to place, and make good their escape, and that what we need to do is put roadblocks and checkpoints everywhere, or even dig the roads up!

The problem that leads to cybercrime is that most people leave their front doors open, and in fact, we've been leaving our front doors open since the dawn of consumer computing:

1) Most computer users *still* don't understand the basics of computing. I've had people who claim to be 'computer literate' refuse to send me a document in plain-text because they can't figure out how to do 'advanced' stuff like that. They just use all the default options of their operating system. They've got no concept of the issues behind using one document format, or another, nor of the issues of downloading stuff randomly from the net and installing it on your computer.

2) Most computer users will still run a mysterious program they get sent in the mail, or click on a link that promises to show them something 'fun'.

3) We've created a monoculture of operating systems. One operating system rules the planet, allowing hackers to focus all their effort on that one system. This is equivalent to everyone on the planet using the same locks, even with each lock taking the same key.

4) The operating system we've selected for dominance is, and always has been, radically insecure (though it has started getting better recently). Indeed, most computer software is radically insecure, using unencrypted network connections and storing personal data unencrypted on disk. Why? Because:

Security doesn't matter.

No one cares about security. Users don't care about security. If there is a new, cool widget out there with some security issues, users will download it and install it. When you try to point out to them that it might be making them more vulnerable to attack, they will look at you, blink, and carry on with what they are doing.
Because users don't care about security, so software writers don't care about security. Security features don't sell. Pretty graphics and animated icons and 'cool' is what sells. Until users start to care about security, *really* care about security, security won't sell.

Consider Active X. There is no good reason that I can think of for web-masters to still be using active X controls, but they still do. Active X is a means of sending little programs to run on your computer, which is an inherently insecure thing. Java does the same thing, but tries to make it more secure by not allowing the program to write to disk or gain access to other system resources. Flash is another approach. Most of the time these technologies really aren't useful, they are just there to do flashy animations that the web-pages don't really need. Every sensible user should block these by default.
But many people let them through by default, because constantly being told "Please enable flash...", "You need to download an active X.." etc etc, gets annoying. And, sooner or later, they will come across some 'cool' thing that they've just got to have access to. Maybe it will be a youtube video, maybe it will be Angelina Jolie naked, maybe it will be a little online game. People don't really *need* any of these things, but they are generally prepared to compromise their system security to get at them.

Consider firewalls: People pull down their firewalls. Back when I used to frequent IRC, I frequently came across people who weren't running a firewall, because it "Got in the way." Sometimes I'd connect to their machine and tell them what I could see on their hard-drive, in order to put the fear of god into them, but most times I wouldn't bother, they weren't going to listen anyway.

Consider passwords: People accept the 'Do you want me to remember your password for you?' option on web-browsers. This means that somewhere on their computer is stored the password they use for a website. Is it stored in encrypted form? No, of course it isn't! You are forgetting the rule "Security doesn't matter". If it were properly encrypted, you'd have to use a 'master password' to access it. Any encryption system that doesn't ask for a password, isn't real encryption. But people don't want to have to remember passwords, any password, so they'll always go for storing their password insecurely on their laptop.
I've known people to store their passwords this way on publicly accessible computers, so they can always come back to the same computer and log right in.

Consider email: People send each other games and 'dancing baby videos' (are you sure it's a video, and not a program?) in email. No one ever stops to think "Hang on, can I trust this game/video/whatever?" No, they just hit send. I've seen companies in which the staff email this kind of junk to each other across the company network. Then, some weeks later, the company gets a computer virus. Everyone is SOOOOOO surprised.

I could go on, and on, and on, and on. The reason cybercrime is so prevalent, and so *easy* is the users. And this isn't just ma-and-pop who don't understand computers, this is corporate interests too. If security gets in the way of anything that someone can claim, no matter how ridiculously, is interfering with the work of the company, security loses, and is taken down. If security requires users to remember passwords, it loses, and is removed. If security gets in the way of people seeing funny pictures, or dancing babies or having some cool new feature on their desktop, security loses, and is taken down.

Security always loses.
Hackers always win.

1 comment:

  1. I just read an article in Popular Science about the Chinese government hacking into a variety of computer networks. The Dalai Lama requested that an investigation be done because he felt that the Chinese were spying on him through the computers. He was right and the Canadian government discovered a huge infiltration on the part of the Chinese into the Dalai Lama's computers as well as the computer systems of many different countries ministries of foreign affairs and embassies. Some NATO and western government computer systems were also infiltrated and it was not the first time according to the article which can be found at: