Quis custodet custodes?

Complacent, even smug, we sit at our desks and smirk as we read about some more poor fools who have just been hacked or attacked, secure in the knowledge that our firewalls and system policies are sound.


"Besides," we bray, "they're only acne-faced teen-aged gits with questionable sanitary habits and social adaptation problems - what threat could they possibly be to a properly-run network?" Come on, admit it: you really think your network is safe from unauthorised hacking, don't you? Sure you do - deep down, we all do.

We're wrong.

If you want a genuinely scary experience, get yourself a copy of Hacking Exposed, 2nd Edition (Osborne Press, ISBN 0-07-212748-1) by Scambray, McClure and Kurtz. This book is likely to change a number of your preconceptions (and misconceptions), and may bring you out in a cold sweat in places. Do not show this book to your boss under any circumstances - I can practically guarantee it will make him yank your internet connection immediately.

Hacking Exposed is one of those difficult books whose purpose depends on your point of view: on one hand, you can view it as a hacker's cookbook, with detailed information on how to hack practically any kind of system, including detailed coverage of hacking tools and how to find them.

From another perspective, though, the book can be viewed as a guide to defending yourself against the kind of hacking it describes. Which point of view you adopt ultimately depends on whether or not you believe that "security by obscurity" is really any kind of security at all. It's the same argument that has raged for years over the BugTraq mailing list, where software weaknesses are mercilessly exposed with depressing frequency - the idea being that the best way of establishing a defence against a weakness is to make it as widely-known as possible.

It's one of the paradoxes of the software industry that, over time, software systems are probably getting less secure rather than more so: this is largely due to burgeoning complexity and rampant "creeping featurism", combined with the evolution of steadily larger programming teams - it is axiomatic that the more people that are involved in developing a software system, the more opportunities there will be for security weaknesses.

Now, into the cold spotlight of software insecurity comes the recent disclosure that certain organisations are going to be able to do this kind of hacking legally in New Zealand if the government and the Faceless Agent Lobby have their way - the SIS, the Police, the GCSB, God knows, probably even Statistics New Zealand, given the way legislation gets formulated in this country - are going to be LEGALLY entitled to hack into your systems. Naturally they will come out with the usual parrot cries of "national security", and that tiredest of old favourites, "the innocent have nothing to fear", but do we believe that? Are we willing to have them trawl through our most private data in order to establish that we are "innocent"? Hell, pull the bus over - I want off.

I thought it curiously apposite that the movie Sleeping Dogs (based on CK Stead's novel Smith's Dream) has been showing on Sky recently. While it paints a paranoid view of the so-called "security services", it does emphasise the fact that giving significant power to such organisations is based on the dangerous assumption that they will always be staffed by people of unimpeachable integrity, and that the government's view of what is right for the people will always coincide with the people's view of what is right for them. Personally, I find the notion that people in positions of power are likely to be trustworthy is either laughable or frightening, depending on the context - but never reassuring.

Personally, I'm deeply perturbed at how little coverage these security proposals are getting - troubled at the apparent complacency of the IT community in this country, the same sort of complacency that leads otherwise sensible people to believe that their systems could never be hacked. I'm hesitant to trot out old alarmist clichés like "slippery slopes" and "police states", but I do believe strongly that no erosion of our basic human expectation of privacy should be permitted without a full-on fight.

Needless to say, all of this stuff has me a bit spooked at the moment (pardon the pun). I'll sure as heck be double-checking my security measures as a priority now - in the end, I don't really care who the acne-faced git works for, I just don't want him tapping at my Windows.

Dunedin-based Harris is the developer of internet email software Pegasus Mail.
