I have generally refrained from discussing information security, for multiple personal reasons. However, a chain of thought has entered my head that I just have to discuss. This doesn’t mean I am going back into infosec; I suppose I just have one last rant about it left in me.
The problem with information security, in my view, is a bit complex.
First, we have the absurd idea that end users who don’t do all of “just the right things” deserve to be compromised and exploited. If you subscribe to, say, the Full Disclosure mailing list, you will see that this attitude of victim blaming is dominant, and almost any attempt to place the burden on the attackers is met with extreme hostility.
The problem with this is twofold.
1. Victim blaming is wrong; why this is true should be clear.
2. Everything is already compromised. No exceptions: it does not matter what you do; if someone wants in, they will find a way. This sounded like tinfoil-hat talk years ago, and I was accused of being paranoid many times for saying it, but the Snowden leaks have proven it to be reality. Everything is compromised, by design or by flaw.
If we want our information not to be used to harm us, we must start by dismantling the National Security Agency in its entirety, destroying every server farm and datacenter, and making those assholes get real jobs. Then we must teach people not to abuse each other over the internet. This is a real issue that must be addressed through education; all too often people have the attitude that interactions on the internet are not real, or are just a game. People forget there are other human beings on the other end of the screen. Educating people not to act in harmful ways is effective in many situations, so I don’t see why it can’t be used here.
Then we have to destroy the information security industry, which profits from arming criminals with exploits in the name of “full disclosure”.
Basically, if you don’t buy their product or apply their patch, they have an army of angry kids standing by to punish you for it; then they punish those kids or suck them into the information security complex.
You heard me right: the information security industry is blackmailing you, and you don’t even know it.
Where do you think those kids get the tools and exploits that they use to hack you? Most of the tools used are open source and available to the public; the rest are very easy to acquire. The exploits themselves are released to the public on a regular basis, with the logic that if they were not, companies would not patch their systems and people simply wouldn’t know they were owned. But you are already owned. You always have been; they sold you the illusion of safety from the army of script kiddies they created.
Most virus and malware code has not changed much in the past 10-20 years; it’s all the same stuff. All they do is adjust the methods of masking it from antivirus software, and this is simple to do. (Google “crypters” for more info.)
Now, this does not mean we should not take precautions or look for red flags, but we should focus the majority of our energy on prevention through education. Anti-malware systems should come with the operating system by default. Operating systems should be designed to be as secure as possible out of the box.
Put the burden on the software writers, not the end users. Put the burden on the people causing harm, not those they harm. Put the burden on the people arming ignorant or desperate kids with cyberweapons.
Laws also need to change with regard to how we deal with these kids, because most of them are kids. We need to teach our children empathy, and teach them not to do evil online. And parents need to observe their kids’ online activities. A computer is not a babysitter.
We also need to hold the information security community, as well as the operating system developers and hardware manufacturers, responsible for their cooperation with government agencies that want to reduce our security.
They had a moral duty to disobey the law and inform the public, and they didn’t, because they don’t actually care about your security; they care about profits. These people should be held accountable, and all profits made from this should be stripped.
I also believe we should have an international ban on government-used cyberweapons and cyberwarfare, with full government transparency and accountability in this area.