Monday, April 16, 2012

Security as a social issue

Last week, the amazing Bruce Schneier talked about the bomb threats at Pittsburgh as a denial of service (DOS) attack.  You can find that entry here. (Anyone who ends up reading my blog and doesn't know about Bruce Schneier, check him out. He's a sort of rockstar in the security world, but whether you're in security or not he is very intelligent, and always has an interesting view on issues.)

Articles like this, linking social issues or social situations directly to information security, are very interesting to me. Obviously the weakest link is humans ourselves, not the technology. It's the same issue as cryptography. We have algorithms that probably won't be broken in our lifetimes; however, many encryption systems are easily broken because they don't implement the algorithms correctly, hence a human failure, not a technical failure. Back to the point, bomb threats as a form of denial of service attack is almost brilliant. As Bruce says, the payoff is tremendous.

My girlfriend is going to graduate with a Social Work degree in about a month. When she and I discuss our careers, they're obviously extremely different. Mine is quite technical, while hers is all about social issues. When she tells me about her classes, or some discussion they are having, however, I can't help but think of security. Almost any social situation can be paralleled with a technical issue, especially in the security field. It goes the other way too: almost any technical issue can be paralleled with a social situation.

Here's one example (though it's not my best). She deals with clients who are drug addicts, prostitutes, violent criminals...etc. They come to her for help, and she is obligated to help them. They may steal from her, they may stay clean for a week then disappear and never come back...they may be violent or mean towards her and still ask for help...and no matter what she has to keep trying. This could mean a few things in my line of work. This could be applications, and operating systems. They're made insecurely, and I sure as hell wasn't consulted when they were being made...yet I have to figure out how to secure them. Not just one, but ALL of them. If there's a critical Adobe vulnerability (which there usually is) and someone gets into one of our servers because of it, it's my fault for not stopping them...it isn't Adobe's fault for not making their own product secure. If my girlfriend is helping someone get over a drug addiction, she fails if they can't stay clean...however it's truthfully up to them to fix it...and only they can truly fix it. I'm not saying to blame drug addicts or Adobe, or make them deal with it themselves...but sometimes the originator of a problem needs to be held accountable for that problem.

I kind of get off on tangents...This didn't exactly tie back up to the bomb threats article. It did spark my thought process though.

I'll attempt to tie it back...though don't judge me on how poor it will be :). In keeping with the DOS attack idea...My girlfriend could DOS her clients by either refusing help (which would be a LITERAL denial of service) or referring them to someone or something else. In the same way, her clients could DOS her by coming for help twice a week for a month, then disappearing, or relapsing.

There are even bigger social issues when it comes to security if we get into cyberwarfare, hacking into machines in other countries...things of that nature. I'll save my thoughts on that though.

Any ideas, thoughts?

Thanks for reading...and don't forget to get your taxes done...like, right now! :)

