Sunday, September 11, 2005

Hacking as a social problem

For a long time, I objected to the whole area of security because, as I saw it, it's something we wouldn't need if we could just cure the underlying social problems that cause people to commit crimes in general (a true xNFp statement). At some point in the past few months, I realized that it goes beyond that, that it is in the blood of a good coder to want to break things, and so no matter what the situation, security would always be needed, because, to a coder, breaking the system is another interesting, challenging puzzle to solve, whether they intend to do anything bad or not.

I was reminded of this just now when I came across this article on slashdot (scroll down to point #4).

There are a couple of issues to separate out here: one, getting the system to do something it was not intended to do, and two, doing something harmful with the results of that bug. In a security talk I once heard, the speaker told a story about how he discovered that the prices for items on one company's web ordering system were stored in cookies on his local machine, so he changed the prices to a tiny fraction of what they had been and submitted an order that would have gone through successfully, if he hadn't called them to cancel it and tell them their system was really easy to hack. He had fun breaking the system, but used the knowledge to help the people running the system he broke. That's an action I don't have a problem with, and his response upon finding the bug I certainly can admire.
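The bug in that story is the server trusting state it handed to the client. As an added example (not code from the talk or from any real ordering system), the following constructed Python shows the vulnerable pricing logic beside two fixes: re-pricing from a server-side catalogue so the client's price is simply ignored, and, where cart state really must live in a cookie, attaching an HMAC so any edit is detected. The catalogue, SKUs, cookie format and server key are all assumptions made up for the example.

```python
"""Price-in-cookie tampering and two fixes. Constructed example; not the
code of any real web ordering system."""
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed server-side catalogue: prices in cents, keyed by SKU.
CATALOG = {"widget": 1999, "gadget": 4999}

# Constructed server secret; a real deployment would load this from config.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie(raw: str) -> dict:
    """Parse a 'k=v;k=v' cookie payload (assumed format) into a dict."""
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def total_vulnerable(raw_cookie: str) -> int:
    """The bug from the talk: the server believes whatever price the
    client sends back, so editing the cookie edits the bill."""
    c = parse_cookie(raw_cookie)
    return int(c["price"]) * int(c["qty"])


def total_hardened(raw_cookie: str) -> int:
    """Fix 1: only SKU and quantity come from the client. The price is
    looked up server-side and the quantity is range-checked, so a
    'price=' field in the cookie has no effect at all."""
    c = parse_cookie(raw_cookie)
    sku = c.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(c.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Fix 2: when cart state must live client-side, append an HMAC over
    the payload. Returns 'payload|hexmac'."""
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(signed: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the payload if its MAC verifies, else None.
    compare_digest avoids leaking the MAC through a timing side channel."""
    payload, sep, mac = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def total_signed(signed_cookie: str) -> Optional[int]:
    """Reject any cookie whose MAC fails, then price it the hardened way."""
    payload = verify_cookie(signed_cookie)
    if payload is None:
        return None
    return total_hardened(payload)


if __name__ == "__main__":
    honest = "sku=widget;qty=2;price=1999"      # constructed cookie
    tampered = "sku=widget;qty=2;price=1"       # same cookie, price edited
    print("vulnerable, honest  :", total_vulnerable(honest))      # 3998
    print("vulnerable, tampered:", total_vulnerable(tampered))    # 2
    print("hardened, tampered  :", total_hardened(tampered))      # 3998
    signed = sign_cookie(honest)
    print("signed, intact      :", total_signed(signed))          # 3998
    print("signed, tampered    :",
          total_signed(signed.replace("price=1999", "price=1")))  # None
```

Of the two fixes, the first is the one to prefer: if the server never reads a price from the client there is nothing to tamper with. The HMAC only protects integrity, not confidentiality, and it still leaves replay of an old but validly signed cookie to be handled separately (for instance by including an expiry or session identifier in the signed payload).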

Noting that distinction, it seems that both my earlier observations have some part of truth: good coders will always want to see if they can make systems do things that weren't intended, but the intent to harm is a social problem that might be largely treated.

What about harmful results that come of accidentally making the system do something harmful, whether you were trying to break it or not? Well, maybe a lot of the things we consider harmful now are only so because of some social problems. Information release, for example. It doesn't matter if your credit card number gets out if no one's going to buy anything with it they shouldn't. It doesn't even matter much if someone does accidentally charge something to an account that isn't theirs, so long as they realize it and report it and fix it (the only damage is a bit of time to correct the error). What if a bunch of data gets deleted? Well, ideally it should all be backed up well in real time, so that shouldn't matter either.

There are far more examples I should go into, but I think I'll save that for a post (or, more likely, series) about my idea of utopia and how it could actually work.
