An Information Security Community
It's quite amazing to watch people's reactions when things that you told them could or would happen actually do happen.
This raises the question of whether we can ever proactively prevent bad things from happening as long as we depend on a broader community to help and enable society to prevent them.
These are not only my own personal thoughts; it is an old observation that is now being widely discussed again.
It was also discussed in EP #189 of the Risky Business podcast by Patrick Gray, his co-host Adam Boileau and their guests.
1.) Firesheep. We all knew how theoretically and practically easy it is to snarf data from unencrypted networks. But people and society only began to realize and believe it when Firesheep came around and demonstrated that this is real, that it is being misused, and that it is very easy to do: grab a logged-in user's session cookie from the cleartext HTTP traffic on an open Wi-Fi network and you are that user, no password needed. Now, at last, we see some change in society. People now demand that they can encrypt their communication, and vendors as well as providers react, like Twitter, which now gives you the option to enforce SSL for your account.
2.) APT - which I will define here for what it really is: targeted attacks of every thinkable form, be it just exploiting negligence and stupidity or chaining multiple 0days together. The bottom line is that people targeting an organization will sooner or later pwn it. Only now that it has happened several times in a row are people beginning to wake up. So if your organization hasn't been hacked until now, you have just been lucky that you haven't been targeted yet, or you simply haven't detected that you've already been hacked.
3.) Tracking people via cell towers. When the Chaos Computer Club explained to the Bundesverfassungsgericht (the highest court in Germany) how mobile providers can track people and what potential for misuse data retention laws create for tracking people, the court was very interested. But the politicians who had a keen interest in pursuing that data retention policy said it's not that bad and that the implications were blown out of proportion. Then a member of the Green party fought through to get his own data records from his mobile provider, and all of a sudden it was there, nicely visualized and impossible to deny. On a side note: he really had to fight this through legally for months, despite the fact that every person has a constitutional right to obtain the personal or personally identifiable data that third parties store about them.
4.) Fukushima. Well, don't get me started. I already tweeted and blogged about single loss expectancy (SLE) and residual risk for nuclear plants...
But why do we have to see in order to believe, and only then adapt and change?
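What Firesheep demonstrated in item 1 above, as an added example that is not code from the original post and not Firesheep's own code. The first function is the sidejacking step: given the cleartext HTTP requests a sniffer sees on an open network, it pulls the session cookie out of them, which is all an attacker needs to replay a logged-in session. The second function is the provider-side check behind "enforce SSL for your account": a Set-Cookie without the Secure attribute is sent by the browser over plain http:// and can be captured, so it audits session cookies for the Secure and HttpOnly attributes. All traffic, host names and cookie names below are constructed for the example and are assumptions, not values from the post.

```python
"""Sidejacking as Firesheep did it, and the Set-Cookie audit that defeats it.

Constructed example; host names, cookie names and traffic are assumptions.
"""
from typing import Dict, List

# Constructed cleartext HTTP requests, as captured from an unencrypted
# network. CRLF line endings as on the wire; three requests back to back.
CAPTURED_REQUESTS = (
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: session_id=abc123; lang=en\r\n\r\n"
    b"GET /img/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n"
    b"POST /status HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: session_id=abc123; lang=en\r\nContent-Length: 0\r\n\r\n"
)

# Constructed server responses: one that leaks the session cookie over
# http://, one that sets it so the browser only ever sends it over TLS.
INSECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123; Path=/\r\n\r\n"
)
SECURE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n\r\n"
)

# Cookie names that usually carry a login session (assumption; tune per site).
SESSION_COOKIE_NAMES = {"session_id", "sessionid", "phpsessid", "jsessionid"}


def extract_session_cookies(raw: bytes) -> Dict[str, Dict[str, str]]:
    """Split a cleartext stream into requests; return {host: {cookie: value}}.

    The attacker never needs the password, only the cookie the victim's
    browser presents on every request. Replaying it is the whole attack.
    """
    found: Dict[str, Dict[str, str]] = {}
    for req in raw.split(b"\r\n\r\n"):
        headers = req.decode("latin-1").split("\r\n")
        host = cookie = None
        for line in headers[1:]:  # headers[0] is the request line
            name, _, value = line.partition(":")
            if name.lower() == "host":
                host = value.strip()
            elif name.lower() == "cookie":
                cookie = value.strip()
        if host and cookie:
            jar = found.setdefault(host, {})
            for pair in cookie.split(";"):
                k, _, v = pair.strip().partition("=")
                if k.lower() in SESSION_COOKIE_NAMES:
                    jar[k] = v
    return found


def audit_set_cookie(response: str) -> List[str]:
    """Return one finding per session cookie that can leak over plain HTTP."""
    findings: List[str] = []
    for line in response.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = line.split(":", 1)[1].strip()
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure, will be sent over http://")
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, readable from script")
    return findings


if __name__ == "__main__":
    print("stolen sessions:", extract_session_cookies(CAPTURED_REQUESTS))
    print("insecure response:", audit_set_cookie(INSECURE_RESPONSE))
    print("secure response:", audit_set_cookie(SECURE_RESPONSE))
```

On a real network the bytes fed to extract_session_cookies() would come from a packet capture instead of a constant; the point is that nothing about the attack is clever, which is exactly why Firesheep was so effective as a demonstration. The Secure attribute alone stops the cookie from travelling over http://, and the HSTS header in the second response keeps the browser from ever making that plain request in the first place.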
It is in our genes. We are here today and not extinct because evolution provided us with an important feature: the ability to concentrate on the problems that pose an immediate threat to our lives, in the next few seconds or hours. People don't sit down and muse about what they're going to do when the next ice age starts if they don't even know where to get food to survive the next week. You don't tell the grizzly bear to hold on for a second because you have to figure out how to get your fire started. You kill the bear and care about the fire afterwards. So our ability to blank out remote problems and uncomfortable truths once was a key to our survival - and in many situations still is. But today there are also problems and facts - some of them man-made - that we just cannot ignore, even if our own daily problems - like how do I convince Irene to go out with me - affect us so much more directly and personally.
We have to realize and accept that we are what we are and why we tick the way we do. Only when we understand how and why we make our decisions can we see where we are failing and where we have to change.
Like the Oracle said to Neo in "The Matrix Reloaded":
"Because you haven't come here to make a choice - you've already made it.
You are here to try to understand why you made it."
Well, and maybe change that choice...
I've always been skeptical of full disclosure, and I still think coordinated disclosure is a good thing for ethical reasons: being fair, helping each other, or simply not being an asshole, even if multinational firms that sit on their hands while earning loads of money don't deserve to have some hacker do their QA for them for free.
But if it is true that people only begin to change when things explode in their faces, then I am all in with full disclosure.
Well, dude, wake up. We are not playing games anymore. We are not just tinkering with the tech and the internet for fun.
There are things that you just can't leave to market mechanisms and hope they will handle them in everybody's best interest.
The computer says you are bankrupt - you are bankrupt.
The computer says you haven't paid your taxes - you will be in trouble.
The computer says you have blood type A - you'll get type A transfused.
You can go on and on with that. I guess you get the idea.
If it is true that people only believe and act on what they actually see, we have to show them while they can still change their ways. And we have to do a better job of that. I have changed my opinion on FUD, at least a little bit.
I think sometimes a little FUD can help. Just replace the F, the U and the D with an S as in "show", an E as in "educate" and an A as in "advise". If the initial motivation has to be a little shock in a controlled environment (which may at first result in some fear), then I guess that is okay.
But you have to show people how this happens for real in their own environment, not only in a hacker demo on stage. On the other hand: who pays you for a pentest that lets you prepare for months and then finally compromise the organisation the way an APT would?
The question is: how do we solve that problem? Ideas?