Monday, January 07, 2008

People who should know better


People are worried about the wrong things. This gets my bile up sometimes because they have all kinds of crazy rationalizations for their misunderstanding of risk. For example, they might not want to fly or sky dive, but they get in a car all the time. They neglect to look left and right before crossing the street. They get complacent about all the little, important things their parents taught them when they were kids. Instead they are wooed by the F.U.D. spread by mass media.

Fast-forward to the digital age. It's the same thing. It's not the little lock icon on the web site that makes you secure. It's your behavior. Even worse is when the people who should know better, system administrators and system architects, build systems where the windows have bars but the front door is left wide open.

And complacency is not only for the uninformed. Sometimes it's willful ignorance (or even flat-out stupidity) from people who should know better that creates the problems. If someone says, "Oh, it's SSL encrypted," you had better challenge them by asking, "SSLv2 or SSLv3? What is the cipher used? Are you sure it is set to encrypt? Better yet, I'll sniff packets and check myself." This happens because the people who should know better don't do their jobs. And then (this is the best part), they defend their position vehemently. As in, "Well, SSLv2 is good enough. Do you think hackers really want this data?" Or, as I heard not long ago (I kid you not), "Who the heck would crack a non-privileged account?"

Sigh. It's a tough world out there folks. If you should know better, act better.

/soapbox-on (still)