The news this week that the 'World's biggest hacker of military networks' may be extradited to the US where he faces up to 70 years in prison is a great story, if you’re a journalist, work in the IT security industry or the US government. For everyone else, including the protagonist, it’s a divisive, misleading, pile of spin.
An unemployed UFO obsessive from North London may really be public enemy number one. Gary McKinnon, 39, may even be in league with al-Qaeda and anyone else you can think of. Or it could be the silly season starting early, with the American establishment happy to spin stories that the UK media is happy to pass on.
This pleases the IT security industry. If NASA, the US Department of Defense, and even the shadowy spooks at the National Security Agency can be hacked then what hope has the average enterprise got? Best buy things - lots and lots of things. How else to explain the British Airports Authority (BAA) decision to invest £23m in 'Shield', a programme to combat the threat of cyber-terrorism, when nobody has ever seen a cyber-terrorist? McKinnon, you're hired.
McKinnon's plight is also a great excuse for the US authorities. By building him up into the Matrix's Neo made real, they are able to sidestep the rather embarrassing fact that an unemployed bloke from Wood Green was able to breach what should be the toughest IT security systems in the world.
The facts, as they are known so far, do not support the idea that McKinnon was a professional or even particularly expert. For one, he failed to conceal his IP address or use any false identities to cover his tracks. McKinnon also apparently used a very common port scanner that is widely available on the Internet. There is even the posibility that McKinnon accessed the military systems by checking whether any users had used the word 'password' as their log-in.
The real story here is how US authorities allowed a hacker with rudimentary tools to crack their systems. If he could do that, then the real experts must be wreaking havoc. Seen any havoc recently? Odd, that.
As a report from analyst Gartner this week claims, most security threats are over-hyped; the real problem lies with IT systems not being installed correctly: "Two out of three successful external attacks are due to mis-configured systems", the group claims. "The problems were mainly to do with people and processes rather than IT. The IT industry is trying to sell its products hard, but it’s not where the issue is at."
If McKinnon is found guilty he deserves to be punished but it should be punishment proportional to the crime. Hopefully, justice will be served in this case and he will be allowed to have his case heard in the UK where hopefully headlines such as 'World's biggest hacker' or 'Biggest military computer hack of all time' will eventually be superseded by 'NASA launches investigation into security blunder' or even 'NASA Chief Security Officer Resigns'.
Talkback
very goog job:-)
A system that is required to have the best security surely should have some checks to stop people having potentially weak passwords. It's not rocket science. Simply requiring the password to be 10 letters minimum and contain at least 2 numbers would eliminate this problem.
Just by the fact that some users have the password "password" means that the head of security is not actually the head of security but probably just an upgraded politician with no clue of security whatsoever.
I keep reading that 'it's not the fault of IT', but surely if a system is so complex that it's easy to mis-configure then it IS the fault of IT.
It's not difficult to build a system that's easy to configure and (as per the previous comment) checks that passwords are sufficiently secure. I mean, even Gmail doesn't let you have easy to crack passwords!
The IT industry should take a long hard look at itself and face up to its responsibility to provide tools that people can use easily and effectively.
Lack of liability is the cause here.
There are many people involved in the process of making some IT solution a reality. And a whole bunch more to ensure that it keeps doing what it's supposed to do for the rest of its life cycle.
However, in that whole chain of events and people of various companies involved there's no real liability in play.
"The computer did it" is nowedays greatest excuse to get away with practicely anything and the once-in-a-while time that someone needs to get the blame for something (usually loss of face, prolonged loss of availability, structural blundering or gross budget overruns) the finger of blame is pointed to some external event or person. Ofcourse happily agreed with by all those who are at least partly to blame for the mishaps in questions.
Also, most IT related projects start on the wrong foot to begin with. Initiated by reasoning that will not withstand the test of time and reality. By people that in general have no clue as to what impact there little IT project will have on all the aspects (technical, organisational, legal, health, safety, liability, availability, PR, security, etc, etc) of the entire company in the short and long term. So something is bound to go wrong somewhere in a way that can't be easily "reasoned away".
One thing standing out here is lack of maintenance. What's the first thing to get pushed to the back on the schedule or even thrown out of the window in budget or time restrained IT departments? Maintenance. But that's what keeps systems humming and secure. At the same time it's hard to explain, on paper, to the rest of the organization what the benefits are of all those spend costly hours on maintenance. Mind you, the systems that are to be maintained where bought with the tremendously ignorant idea in mind that all those systems would practicly manage themselves and the only extra thing needed is some trained monkey pushing the right buttons every now and then. Yeah, right. There are the benefits of hyped up PR filled with FUD and zero liability for you. Enjoy.
The "if it ain't broke don't fix it" attitude has two versions. One of realism and the more used one: as an excuse.
And as long as excuses and FUD are the driving force behind most IT environments (rather then cold hard facts) there will be a need for people or things taking or getting the blame.
By the the way what's the planet called?, it's our tenth planet, but what's it's name?