Jay Little - Software Obsessionist
logo
Dear PBS Nightly News...
6/2/2011 4:20:00 AM

Subject: In regards to your "Computer Hacking" story

To whom it does concern,

To start I would like to say: I've been a fan of PBS for years and for the most part I appreciate the dedication and the impartiality of the PBS News Hour staff. In addition I make my living working in IT and have a sizable level of experience in regards to Computer Security. However on a less congratulatory note, I just finished watching your "Computer Hacking" discussion that was broadcast on the PBS Nightly News on 2011/06/01 @ 6 PM EST and I was appalled. I've seen very few pieces on the "Nightly News" that I would characterize as lacking and/or shoddy. However this discussion was appalling in the unchallenged slant that was presented.

Computer security is a problem, of that there is no doubt. It is most certainly a problem of what I would refer to as unrealized importance. Most people simply do not take this situation seriously. In the case of what happened to the PBS servers over the last few days, I sympathize with you and your staff. Admittedly I am a great fan of Wikileaks as well as so-called hactivist groups such as Anonymous. However the Front Line story the responsible group is taking issue with, was not nearly so bad as they want people to believe. It was a different viewpoint than I would've picked, but a valid one nonetheless.

That having been said, I think you all would benefit from spending a greater amount of time considering the circumstances surrounding these hacks. In each case the situation differs, but is still worthy of consideration. However in all of these situations regardless of whether the victim is PBS or Sony, there is one common thread: The IT personnel responsible for the network failed to protect that network. One of the members of your panel tonight made the claim that college kids can just Google how to break into systems and he is absolutely correct on that front (though very little else). In truth, the question you should be asking yourselves is:

"Why did my own IT people not Google how to break into systems and make sure our systems were impervious to these attacks?" Now of course this is a bit of a generalization since the specifics of the attack itself in each instance have not been made clear. I don't know whether or not the hackers used social engineering, a well known software security hole, a zero day exploit or exploitation of a configuration oversight to obtain their access. However it has been my personal experience that the majority of security breaches are preventable and therefore not the result of zero day exploits and more often than not a result of oversight and/or laziness on the part of the IT department.

In your particular situation, you addressed the responsible groups motivation and that was good. However in the case of other high-profile hack attacks that were mentioned such as the Sony attacks, the motivation was not addressed. Let me be clear: Sony is not the victim here. Sony was hit but two attacks simultaneously. One was a DOS (Denial of Service) attack from the hactivist group, "Anonymous". This attack was initiated in response to a war that Sony has been and continues to wage against it's own users in regards to what constitutes a legitimate use of the hardware (i.e. the PS3 and PSP units) that customers have purchased from them. Bottom Line: Sony wants to sell you hardware and then tell you what you can and cannot do with it. From a technology standpoint, it is unprecedented, comparable to the war AT&T tried to wage on third party phones plugging into their network many many moons ago.

In regards to the second attack, Sony is still not the victim. Sony's customers on the other hand, are the victims. Sony as a company failed to protect the interests of those customers by failing to protect their personal information. If Sony loses business (as they should) then it hardly seems fair to solely blame the hackers. The hacker simply broadcast the failure of Sony and turned their incompetence into a public affair. Just as was the case with PBS, the IT department failed. As it became evident later on, their software developers also failed. Neither group appears to be very knowledgeable on the subject of security. This is the Achilles heel that you all completely glossed over. In addition individual users have to take some level of responsibility for their actions and the consequences associated with those actions.

Finally, one of your panelists argued that the industry needs to build a better piece of software that would be so susceptible to these kind of attacks. To be frank, while there are improvements that can be made (in regards to the reduction of technical exploits and the like) the majority of hack attacks occur through the exploitation of mis-configured services/software and/or social engineering. He compared the failure of the software industry to the failure of the car industry to make roads safer. I find this to be a non-sequitur. Much like the statement that was made about hackers "misappropriating" security tools for their own nefarious purposes, that comparison is missing the point. Cars, security tools, software and swords can all be used in good ways and they can also be used in bad ways. For example, I can use a sword to defend myself from an attack but I can also use that same sword to decapitate somebody. The same concept applies to cars, security tools and all of software to consider.

Thank you for your consideration and for the most part your fine work,

Jay Little

Search:
  [Rss]   [Email]