Jeff Blankenburg has a post wondering about the lack of security online, and how people are able to exclaim, ex post, exactly what was (and was not) done and that Everything Will Be Alright.
It’s worth reading his article (which is par for the course), but here are a couple of thoughts, jumping off from my post from a couple of days ago. Security is difficult. You can read books on the topic (Security Engineering and Software Security are two of my favorites), but the same stupid mistakes keep coming up. People storing passwords in plaintext, sites without SSL certificates, people blindly downloading and opening all kinds of files, databases susceptible to SQL injection, etc. You could probably have written a software security book from the 1980s and still have it be almost exactly as valuable today—whenever Steve Gibson re-publishes his TechTalk columns, that would be a good opportunity to see just how many of the problems that existed then are still around.
Maybe there are some people who would do better but just don’t know any different. Those people could be helped by demos which focus on security topics and implementation. I like Microsoft’s Security Development Lifecycle, but it is a lot more difficult putting that into place than watching Rob Conery build a site. But for every person like that, there are a number of developers who just want to copy-paste the codez. Then, there are the people who rationally ignore security advice. Why? Because some of it is totally messed up. Why do I need to change my password so often that I will never remember it, and so I need to write it down somewhere?
Security comes down to the problem that the IRA brought up after trying to assassinate Margaret Thatcher: “[R]emember we only have to be lucky once. You will have to be lucky always.” If anything, given the number of users who will gladly open any attachment they receive or paste any code they found on the internet into their project, it’s amazing that we don’t see more problems. But then again, maybe that’s because many of the people whose systems have been compromised simply do not know about it—think of all of the bot-nets around. Those computers are owned by somebody, and they almost certainly aren’t in on the scheme. And not all of those systems are grandpa’s desktop computer that he bought to get e-mail from the kids; they also include plenty of corporate and even government machines.