Saturday, February 9, 2013

Everything will be hacked

Everything. Absolutely everything. It is just a matter of time. If there is a security flaw, it will be found, exploited and shared. For as long as it is not fixed or dealt with.

Fixing and dealing with a security flaw is not always the same thing. Sometimes, a hole is more than just a hole.

A worrying tendency of our times is the criminalization of those who find security flaws. Even obvious ones. The reaction to someone pointing out that there is a security risk should be something along the lines of "oh my, thank you for pointing this out, we will be right on it!". Instead, the response people actually get seems to go something more along these lines: "OMG, a hacker, to jail with you for pointing out these hacker secrets!".

Knowing enough about security to know about obvious security risks becomes a security risk in itself. For the knower, that is.

The criminalization of hackers amounts to a criminalization of knowledge as such. Because hacking is knowledge, and knowledge is hacking. Once you know something, you can hack these things - and the only way to keep yourself "safe" from hackers is to make darned sure that no one knows everything.

Needless to say, there are obvious downsides to this approach.

The results of a continued policy along these lines are easy to predict. For starters, people will inevitably find out how to hack it anyway. And they will most likely use this knowledge to great advantage. More so since the "solution" to the hacker problem is to send them to jail rather than to actually solve the security flaw itself. In larger institutions, such as public institutions, the flaw can remain for years while the criminal courts duke it out with the criminal minds.

Less security, less solved problems, more criminals and more legal expenses. Lose-lose all around.

If you've ever nodded in assent to stock phrases about how we need to base our society on knowledge rather than on old-style factory production, you now have a very clear picture about where to start putting these stock phrases into action.

Happy hacking!

1 comment: