I have a friend who works at Tripwire, a software security company. Friday night we were hanging out and we got to talking about the state of software security today. Disclaimer: I am nowhere near an expert on this topic.
One thing that came to light while we were talking—and I hadn’t thought of this before, but now looking back on the conversation it seems so obvious—is that it takes a lot less to be an effective “hacker” than it does to design a secure system. (By “hacker” I mean someone who attempts to compromise the security of a software system, whether it be to bring the system down, access private information, or in some cases even gain control of the system.)
I think this is an important point for people to realize, especially in this day and age where the concept of “hacking” is viewed by the general populace (in the Western culture I know and love, anyway) with a combination of reverence and fear.
The movie Hackers, for example—though it was released in ’95 and is probably not viewed by anyone at this point as being even remotely authentic from a technical perspective—captures fairly accurately, at least in broad strokes, what I believe is a common perception of the people we call “hackers”: frighteningly smart, renegade, anarchic—but mainly just crazy smart.
Well, I won’t sit here and make an absurd claim like “hackers aren’t smart.” I don’t know any people who could be called “hackers” in the Hackers sense, nor do I particularly expect that I ever will; so it isn’t like I have any first-hand info to begin with. And there’s no doubt that intelligence is needed if you’re going to set out to break into secured software systems.
But here’s the thing, which my friend and I talked about the other night: it’s always easier to bring something down than it is to build it up. And this is the true reason why developing secure software is such an uphill battle. It isn’t enough to be “better” than a potential hacker when you’re designing your system; you have to be something like 100 times better if you’re even going to stand a chance.
Consider a completely different area: architecture. The knowledge and talent required to go from a basic idea to a workable design that can actually be executed and will result in a standing, functioning structure is huge. But what does it take to bring a building down? Not all that much. If you can make a device that explodes and can detonate it in just the right spot, you can destroy in a matter of seconds what it took months, even years, to create.
You can even witness this watching kids play with blocks. I have a nephew who takes great pride in his buildings of multicolored blocks. He puts a lot of care and attention into his creations (to him: masterpieces).
But sometimes his baby sister comes along and tears down his work with little more than the swipe of a hand. That’s all it takes to destroy his work! A baby can do it!
Or think of airport security. If you’re in charge of the security at an airport, you need to consider so many factors: what could be used as a weapon, how might a weapon be assembled, how do you identify potential attackers, what effective deterrents can you use to prevent attacks in the first place, etc. (It should go without saying that I know next to nothing about airport security, so these are obviously just best guesses; chances are that it’s significantly more complex than I’m even making it out to be.) On the other hand, if your goal is simply to sneak something illegal onto a plane, it turns out it isn’t that hard. You might even do so by accident.
It’s like they say: a chain is only as strong as its weakest link. Say you have a piece of software consisting of ten components, nine of which are completely 100% secure, absolutely invulnerable to any kind of attack. (This is obviously a totally mythical scenario to begin with.) Only one component has a security vulnerability. Then your system is not secure, and all a “hacker” has to do is find that one vulnerability.
As I said, I’m not foolish enough to think that people who hack into systems, like the guy(s) who hacked Gawker, aren’t clever. What I’m saying, I guess, is that they aren’t necessarily smarter than the people who’ve designed the systems they break into. Not by a long shot. Would you guess that someone who smuggles a bomb into a building and blows it up knows more about architecture than the person who designed it?
Really, I just don’t think “hackers”—the malicious kind (these days the word “hacker” has pretty broad connotations)—deserve the reverence that a lot of people have for them. As with most other kinds of criminal activity, the number one barrier to entry for the average person is simply that normal people aren’t interested in hacking, not that you have to be a genius to do it.
(Now just watch: somebody’s going to hack all of my accounts. It wouldn’t prove anything, though; I never said I was smart either!)