July 12, 2005

New York Times Columnist John Tierney: No Undestanding of Computer Security

The Times is running a very tongue-in-cheek (I hope) editorial today about fitting punishment for "hackers." I won't bother spending time complaining about the media's terrible abuse of that term (which I believe the New York Times started about 25 years ago). For correct usage see the The Jargon File, s.v., and also the entry in the more "official" RFC 1983 (RFC stands for "Request For Comments;" RFCs are official documents describing Internet (and ARPANET before it) standards dating from as early as 1969. RFC 1983 is "The Internet User's Glossary" and was written in August 1996. Some RFCs are normative, and some, like this one, are merely informative).

Leaving that aside, when Tierney says that "the social costs of hacking are estimated to be ... $50 billion per year" he displays limitless ignorance of the state of computer security. "Most ['hackers']," he notes, "are teenage boys." Doesn't this tell you anything? Tierney mentions Sven Jaschan, the author of the Sasser worm. Jaschan was arrested by German police for this offense a matter of weeks after his 18th birthday, and Jaschan's age is about average for virus writers. Upward of 99% of all computer worms/viruses affect only Microsoft products. Microsoft employs thousands of people with M.S. and Ph.D degrees at an inestimable cost per year and their software security is routinely broken by a bunch of kids! Maybe it's time to stop marvelling at the intelligence of the kids and start marvelling at the stupidity of the adults. Kids who don't even know any real programming languages, and couldn't write a useful program to accomplish a real purpose teach themselves, in the course of a few months, to write viruses in MS Visual Basic that subsequently cost millions of dollars in lost productivity and limitless frustration to computer users everywhere. The kids do it on purpose, so I suppose we can punish them, but seriously, isn't Microsoft the more culpable party? Or maybe we should blame the millions of consumers who buy their products. There are no viruses on this scale for non-Microsoft operating systems. Macintosh viruses typically have to masquerade as some kind of program and convince the user to install them. Linux/Unix viruses tend to affect only a very small percentage of systems configured in a very specific way and tend only to open up some security hole or something along these lines, rather than actually damaging the system. This types of viruses, in additon to having little or no effect, are extremely rare and tend not to be written by dysfunctional teenagers (who wouldn't know how to begin cracking a Unix box).

In the end, Tierney does make some passing comments about spammers, to which his analysis may in fact apply, as emal filtering is expensive in terms of processor cycles, bandwidth, and manpower and these do translate directly into money, but his comments about so-called "hackers" are just plain ridiculous - even if they are intended somewhat humorously. When it's this easy to write viruses, there will always be another kid who feels like doing some damage and thinks he can get away with it, no matter how harshly we punish offenders. We have to put the cookie jar out of reach, so to speak. If it took years of study to learn to write viruses, kids wouldn't do it - and there are operating systems already in existence for which this is the case. What we need is for consumers in the desktop market to take other platforms seriously enough to force Microsoft to compete, as is already happening in the server market. Microsoft has begun making strides in the realm of security, but they have a LONG way to go to catch up with Unix-type operating sytems (including Mac OS X), and then when they've conquered security, they've still got stability issues. Tierney's complaints are valid, but misplaced. Microsoft's general sloppiness in software design and consumer apathy in the operating system market are the real culprits here.

Posted by Kenny at July 12, 2005 6:39 PM
Trackbacks
TrackBack URL for this entry: http://blog.kennypearce.net/admin/mt-tb.cgi/88

Post a comment





Return to blog.kennypearce.net