Software security: an uphill battle OR: Why hackers aren’t sooo special

I have a friend who works at Tripwire, a software security company. Friday night we were hanging out and we got to talking about the state of software security today. Disclaimer: I am nowhere near an expert on this topic.

One thing that came to light while we were talking—and I hadn’t thought of this before, but now looking back on the conversation it seems so obvious—is that it takes a lot less to be an effective “hacker” than it does to design a secure system. (By “hacker” I mean someone who attempts to compromise the security of a software system, whether it be to bring the system down, access private information, or in some cases even gain control of the system.)

I think this is an important point for people to realize, especially in this day and age where the concept of “hacking” is viewed by the general populace (in the western culture I know and love, anyway) with a combination of reverence and fear.


The movie Hackers, for example—though it was released in ’95 and is probably not viewed by anyone at this point as being even remotely authentic from a technical perspective—captures fairly accurately, at least in broad strokes, what I believe is a common perception of the people we call “hackers”: frighteningly smart, renegade, anarchic—but mainly just crazy smart.

Well, I won’t sit here and make an absurd claim like “hackers aren’t smart.” I don’t know any people who could be called “hackers” in the Hackers sense, nor do I particularly expect that I ever will; so it isn’t like I have any first-hand info to begin with. And there’s no doubt that intelligence is needed if you’re going to set out to break into secured software systems.

But here’s the thing, which my friend and I talked about the other night: it’s always easier to bring something down than it is to build it up. And this is the true reason why developing secure software is such an uphill battle. It isn’t enough to be “better” than a potential hacker when you’re designing your system; you have to be something like 100 times better if you’re even going to stand a chance.

A chart of skills

This chart is highly accurate, based on solid data (you can tell from the absence of numbers along the X-axis)

Consider a completely different area: architecture. The knowledge and talent required to go from a basic idea to a workable design that can actually be executed and will result in a standing, functioning structure is huge. But what does it take to bring a building down? Not all that much. If you can make a device that explodes and can detonate it in just the right spot, you can destroy in a matter of seconds what it took months, even years to create.

You can even witness this watching kids play with blocks. I have a nephew who takes great pride in his buildings of multicolored blocks. He puts a lot of care and attention into his creations (to him: masterpieces).

Kids playing with blocks

I totally stole this picture from a Google image search

But sometimes his baby sister comes along and tears down his work with little more than the swipe of a hand. That’s all it takes to destroy his work! A baby can do it!

Or think of airport security. If you’re in charge of the security at an airport, you need to consider so many factors: what could be used as a weapon, how might a weapon be assembled, how do you identify potential attackers, what effective deterrents can you use to prevent attacks in the first place, etc. (It should go without saying that I know next to nothing about airport security, so these are obviously just best guesses; chances are that it’s significantly more complex than I’m even making it out to be.) On the other hand, if your goal is simply to sneak something illegal onto a plane, it turns out it isn’t that hard. You might even do so by accident.

It’s like they say: a chain is only as strong as its weakest link. Say you have a piece of software consisting of ten components, nine of which are 100% secure, absolutely invulnerable to any kind of attack. (This is obviously a totally mythical scenario to begin with.) Only one component has a security vulnerability. Then your system is not secure, and all a “hacker” has to do is find that one vulnerability.

As I said, I’m not foolish enough to think that people who hack into systems, like the guy(s) who hacked Gawker, aren’t clever. What I’m saying, I guess, is that they aren’t necessarily smarter than the people who’ve designed the systems they break into. Not by a long shot. Would you guess that someone who smuggles a bomb into a building and blows it up knows more about architecture than the person who designed it?

Really, I just don’t think “hackers”—the malicious kind (these days the word “hacker” has pretty broad connotations)—deserve the reverence that a lot of people have for them. As with most other kinds of criminal activity, the number one barrier to entry for the average person is simply that normal people aren’t interested in hacking, not that you have to be a genius to do it.

(Now just watch: somebody’s going to hack all of my accounts. It wouldn’t prove anything, though; I never said I was smart either!)


4 thoughts on “Software security: an uphill battle OR: Why hackers aren’t sooo special”

  1. Kathryn says:

    I think what scares me more about hackers, or other criminals for that matter, is that they seem to lack a moral compass. Of course I am probably overgeneralizing, and if there is a “good” kind of hacker then I apologize, but in my mind a hacker is a person who creates computer viruses that mess with people’s computers… for what? I can think of no other reason than to simply be destructive and malicious. I don’t FEAR smart people, I FEAR people who take pleasure out of harming others, whether that be in a physical or virtual sense.

  2. Kathryn says:

    Awesome blog, by the way! I’d love for you to do a post on pickling sometime.

  3. Bragaadeesh says:

    This post reminds me of one of the greatest poets in my part of the world (Thiruvalluvar). He has written a lot of two line poems on Virtues.

    • Daniel says:

      I just looked him up–very interesting. I might like to read the Thirukkural some day, assuming there is an English translation (there must be?). Out of curiosity, was it a specific poem that this post reminded you of? Or just his work in general? Either way I will take that as a compliment!
