Contrary to my tagline, I'm going to wax pessimistic for a span. Security is a big deal for obvious reasons. But for all the effort I can't help but get the feeling that all we are doing is filtering out the bad hackers from the good ones and making the job of the good ones a bit more difficult. At the end of the day I sort of feel like the nerd slinking down the school corridor hoping that I present such a small target that the bully won't notice me.
When Hacking Team got hacked on July 6 we were tempted to give a cheer. But this could have been any company, including the one that stores your credit card info (like Target). So really not much to cheer about except to say, "Better them than me". The proverbial bully getting taken down by a yet bigger bully or, better yet, a geek with a sling shot.
I remember a workmate at a software support company commenting that the crash proof computer is the one without any input device. The same clearly goes for the hack proof computer. But then the computer becomes pretty much a brick, so that isn't really an option.
It isn't just that the computer may be insecure do to negligence such as your typical home setup with an unpatched, unfirewalled Windows machine on an unencrypted wireless access point. Or insecure from an exploitable piece of software. There is also the fact that computers are extremely complex organisms. It isn't just a calculator with a piece of software for crunching numbers. It is a box full of software, all of which is mindbogglingly complicated all the while trying to play well with other equally complicated software. Stick this magic box on a network full of similar boxes, all with the ability to communicate one to another and at the same time allowing input from these even more complex organisms called humans and one has to begin to wonder at how anyone escapes detection by the bullies. I suspect it is because there are so many targets that the bullies get confused. Sort of like a school of tuna. Or something.
There really isn't any analogy that can accurately explain the degree of problem here. Believe me, I've tried. I almost came up with one which involved a squad of octopi playing twister to the beat of a polka band who themselves were being beaten by baboons in tutus. But by the time I got imagining that scene I completely forgot what the analogy was suppose to be analogizing for (which may be a good reason to keep it).
All of this leads me to the very pessimistic conclusion that there will never be a perfect security solution that will hacker-proof our computers or its data. Let me qualify that. There will never be a perfect security solution that will be convenient for the user. A fully patched, firewalled computer on an encrypted network using good passwords and multi-factor authentication is probably about as good as it will ever get and, in such a case, fairly hacker-proof. Yet there are two problems with this scenario. First, it is terribly difficult to get users to use good passwords and multi-factor authentication can be both expensive and, although inconvenient for the hacker, not entirely hacker proof. The second problem is there is virtually impossible to prove something as being "hacker-proof". So really we are back to where I started in this article.
So let me end on a note of optimism. As IT professionals one thing is secure: employment. At least more secure at the moment than our computers and networks. Because a hacker can gain access to any system given enough time, effort and ingenuity, our job is to make the systems so hacker unfriendly that they simply loose interest. Not ideal, but that is where we are at right now and as systems continue to evolve into more complex systems I doubt the situation will change much. So we might as well stop complaining or acting surprised when a system is hacked and get back to work.
