In an industrial action against Qantas Airways Ltd., two right-handed aircraft engineers will work with only their left hands starting Friday.
I don’t care what side of the dispute you are on or what your motivations are. Fucking with my safety while I’m in your flying machine does not endear me to your cause.
Earlier this year, the DHS conducted a test at various government facilities and the facilities of some the companies that our government contracts with. The test was simple: leave USB drives and CDs in the parking lots of the building, and watch what happens when the employees notice them.
Now any one of my friends that work in I.T. could have answered this question within a few seconds: The majority of employees picked them up, walked in the building and immediately chunked said USB drive into a slot, or, in the case of the CDs, opened a CD tray, inserted the CD, and closed the door. That answer, of course was correct, but lets get into the details of how correct it was. Of the total number of employees that picked up the items, 60% installed them on their work machines. Another interesting part of the test was that some of the thumb drives/CDs had official-looking logos on them. Of those, 90% were installed.
Welcome to what security professionals talk about when they mention the term ‘social engineering.’ I.T. security hardware and software has made monumental leaps forward in the past 20+ years. Human security has not. Human security is why laptops disappear from Los Alamos and why Picassos disappear from San Francisco art galleries. Why is this? Don’t think about it in terms of trying to decipher what makes people tick at a granular level. Instead, apply a little of the ol’ Occam’s Razor, and think about the inherent differences between computers and humans. When you do that, you can boil it all down to one, all-encompassing, overriding principle:
People can choose. Computers can’t.
I had a CIS (Computer Information Systems – what they called computer science majors when I went to college) professor in college that loved to say the following quote so often that we got tired of it. By the way, the religious reference comes from the fact that he was Boston Irish Catholic.
“Next to Gahd, computahs ah the most pehfect beings on the planet. They only do what you tell ’em to do.”
Us being nerds, we all looked at each other to see who would start the philosophical argument as to whether God was actually “on the planet” and whether computers were in fact “beings.” But on a certain level, the guy had a point. The nugget of clarity that you should take away from this bit of insanity is the combination of the concept of perfection and the lack of its association to people. The guy clearly viewed a perfect being as something that executed your commands immediately upon receiving them, assuming those commands are valid.
A computer not only does that but it does it billions of times per day. I can certainly think of a whole host of humans who today will not execute ten commands, of any level of complexity, in a day. Not only does a computer execute these commands, they can be configured to also remember the commands and the results of those commands indefinitely (just ask any executive or politician who has every had an ancient email dug up with something incriminating on it), or until its storage media gives out, whichever comes first. I can’t remember the complete sequence of how I got out of bed this morning… or rather, my brain can, but retrieving that information is a whole different animal.
When it comes to security however, it almost always boils down to a matter of choice. Computers don’t get to make their own choices without us defining what those choices are, and that’s what separates them from us. Along with sentience (awareness of our own existence), it is what makes us the masters and computers the tools. To all the nerds in the house… if you’ve ever programmed an IF statement, then stand up, raise your sword high and exclaim “I HAVE THE POWER!!!!” because you have just defined the criteria to allow a computer to make a choice it did not previously have the power to make.
Humans, on the other hand, are a two-fold problem. The first problem that choice presents is the choice to ignore best practices and procedures that have been repeated to them over and over and over again. From the perspective of I.T. workers everywhere, this is the one we are all familiar with. The desire of a few to have a safe and secure network in which to get your day’s work done does not hold a candle to the desire of the rabid frothing masses to stream porn, listen to Pandora, play Farmville and Mafia Wars while chronicling every nanosecond of their personal lives in 200 character burst transmissions, instant message, download hacked games without paying for them, or to have a mouse cursor with a cute little animated kitty chasing it. Let’s face it… productivity just isn’t sexy anymore.
The second part of this problem is the 5% that choose to exploit the stupidity of those mentioned in the paragraph above. These are the folks that scamper behind the bushes tittering after they leave the thumb drive out in the parking lot. Why do they do it, because 1) they choose to, and 2) they are, as Paul Newman described himself in The Color of Money…
“I am a student of human moves.” – Fast Eddie Felson (Paul Newman) from The Color of Money
They know how you think. They study how you behave. They know that the bulk of the world, on a certain level, will behave as you do… which means you will behave without thinking. And they exploit that.
And there is the rub. The organization that achieves near impenetrable security is the organization that can get its humans to think a little more critically about security related issues. Maybe you should think before hitting the submit button. Think before downloading that file. Think before uttering what should be un-utterable… your password. Think about the fact that when you fuck up the network, it ruins people’s work, costs the company money, and directs everybody’s anger at the I.T. department and not your dopey ass. And think about human moves and how about changing them would make the job of the cracker/phisher/black-hat/etc. that much more difficult.
You can see them both coming a mile away.
A motorcyclist riding without a helmet, riding in a protest against mandatory helmet laws, dies pretty much how you would expect.