Dentist, mechanic... security expert?
When I was interviewing Anup Ghosh for today's roundup of hacking news, he expressed a sentiment all too familiar.
"Never a dull day in the security world," he said. And it's true -- this week, we've learned about an eBay data breach impacting 145 million users, a member of the Navy stealing identities of fellow servicemen from inside an aircraft carrier, and a government report that suggests attacking public utilities connected to the Internet is as easy as Googling. That's just this week.
I can say "Target hack" and you know exactly what I'm talking about, right? The truth is that hacking -- the bad kind -- is becoming a regular part of our lives whether we're "into tech" or not. But here's a question I keep coming back to: how do we know the difference between a run-of-the-mill hack job, and a Heartbleed bug?
When I interviewed Brian Krebs last month about Heartbleed on one of the first days it was a story, his advice was "stay off the Internet." No modifiers, no caveats, just one simple sentence.
At that moment Krebs's statement felt like hyperbole, but as the days wore on, the emails from companies and social networks started piling up in inboxes. We talked to people who were actually trying to patch the security holes left open by Heartbleed, and they were barely sleeping. Heartbleed seemed to prove just as serious as Krebs had suggested. But it was also hard to tell what the impact really was. When there's smoke there's fire. But where there's just a ton of kindling and a book of matches... there's... ?
Hacking, as an idea, is really hard to get your head around. It's not as palpable as other kinds of threats. You might suffer from it, but you can't really see it. It's not an explosion, and you need some pretty legitimate tech creds to know how it actually works. In fact, the thing that worries me is that the vast majority of people who interact with technology every day -- and this includes me -- have a pretty simplistic understanding of how it all really works.
We're total noobs, to use the online parlance of our times. So the majority of us have to rely on obvious signs or people who know more than us if we want to identify it and calculate where a hack falls on the threat spectrum.
It's like going to a mechanic or the dentist. You have to trust someone who knows way more than you. And to be honest, I'm not entirely comfortable with that.
I've had dentists who I know attempted to get me to pay for their X-ray machine by telling me to get an X-ray every time I came in for a cleaning. And I don't think it's a stretch to suggest that if we came up with perfect security tools, a lot of cybersecurity companies would go out of business. That's a cynical idea that doesn't take into account the simple fact that most competing cybersecurity companies are trying to build the perfect cybersecurity tools so that all the other companies go out of business.
But it's a factor.
All this reminds me of another quote. It comes from Chester Wisniewski, a cybersecurity expert at Sophos and a Marketplace Tech regular. A funny saying in the cybersecurity world, says Chester, is that "there's no patch for human stupidity." As in, people are fallible. They make mistakes no matter how powerful your security software is. And that might be a place to start from for us regulars, us noobs: to acknowledge how little we know, and promise to learn more about the technology we use, in the hope of protecting ourselves. Because hacking is here to stay.