Saturday, February 23, 2008

Cuckoo's Egg

How difficult is it to break into computers containing government records or corporate trade secrets? Well, that depends. It's really up to the person administering the computers. These days people are paranoid about the security of their data, which helps motivate them to take the necessary precautions. Rarely does anyone's password not contain at least one number and a symbol, making a dictionary attack more difficult. Any system administrator who leaves the default passwords on their machines will be quickly dismissed for incompetence. Still, the security is in the hands of humans, and humans aren't perfect.

The complexity of computers and computer networks continues to grow at an incredible rate. As the complexity increases, so does the difficulty of keeping these systems secure. More code equals more bugs and back doors in our systems. You could always just disconnect your computer from all networks. You could also move into the middle of the woods and never communicate with the rest of the world. Sure, no one will harm you, but it's hard to get much done out there by yourself.

We are at the mercy of the people who know about our systems' holes and insecurities. If we're lucky, those people have morals and want to solve the problem rather than exploit it. We're not always lucky, but anyone who discovers a security risk has a few options available to them, each with pros and cons:

1. Publish the problem to the world.
Pro: Raises awareness so that the problem can be addressed and a solution can be found.
Con: The whole world now knows a problem that can be exploited until a solution is found.

2. Inform only the creator of the bug of the problem.
Pro: Limits the number of people aware of the problem to those who should be able to do something about it.
Con: The company may decide that solving the problem is more costly than it's worth, or, if they create a patch, people may not use it because they don't know the severity of the problem it fixes.

3. Write a "virus" program that takes advantage of the problem.
Pro: Forces people to take the problem seriously and find a solution quickly.
Con: Possible criminal charges, destruction of property, and/or lost productivity.

4. Ignore it and hope it goes away.
Pro: Maybe the problem is small or obscure enough that it's not a temptation to hackers.
Con: If it is a temptation to hackers, the problem is still wide open and systems are vulnerable.

You get to decide what you're going to do when you discover the next security weakness. It's an ethical and practical issue that you'll have to weigh in your mind. Or you could continue to rely on other people to find the weaknesses and decide whether to protect or take advantage of you.
