A World Without Security

by Donald Blake

First off, I love 2600 Magazine.  I've been a lifetime subscriber since around 2004.  I really love the hacker community and what they do.  I'm writing today because I've come to realize something about security.  I've finally realized that I hate it and it's a drain on my time when working on it.

This made me start to think about what the world would be like if there wasn't a need for security.  Just think of the things we could do without security.  One of the best things we could do is eliminate our defense budget.  Some soldier or sailor wouldn't have to stand watch for five hours in the middle of the night in the freaking cold and then have to go do his real job the next day.  I feel for you, guy.  Think about all the money that could be put into things like education and roads.  Then maybe I'd be able to go to Miami Beach without having to pay for parking or driving on the highways.  Being from California, it is sacrilege to have to pay to go to the beach.

My personal life without security would be awesome.  The computer that I'm typing on could lose its Guardian Edge software which encrypts my data and makes it run like a computer built in 1990.  I could lose the five passwords that I have at work.  I wouldn't have to worry about someone getting onto my system through Wi-Fi.  Oh, how my world would change if I didn't need security.  Life would be so much easier.

The real reason I hate security is I have to develop it and incorporate it into the software I develop.  It also takes forever to develop and it's expensive.  It's also the part of the project that users don't really care about; in fact, they hate it!  It doesn't show the cool graphics or crunch the numbers extremely efficiently.  It usually drives users crazy because they're average people.  All they want to do is play their game and not have to worry about getting hacked!  It's really annoying when they lose their authenticator.

After working on security software, I've come to realize that when I read about a hack in 2600, I can imagine how it got missed in the first place.  The developers probably didn't care that much about security software at first because they were more interested in working on things that made their software better for their users' experience.  Then they realized that a simple username and password wouldn't work and they had to develop software to make sure that the user's information was really protected.  They developed it enough and had enough confidence in their security software that the benefit of developing it further wasn't really worth it.  Then they deploy it and their users are happy and they love the software because it shows cool graphics and has a really slick user interface.

Six months after launch, some kid comes along and writes an article in 2600 Magazine showing an easy way to get around the security software and our worst nightmare occurs.  Someone steals the users' information.  After the hack gets reported to the world on CNN, the hacker is identified.  And CNN is nice enough to credit him as some mastermind, when in actuality what really happened was the developers really did think of it.  However, it would have taken six months or longer of development and cost a couple million dollars to implement and the odds of someone figuring that out was very remote.

After the fiasco, the hacker goes to jail.  The budget for software development gets halved and now there's a software security budget.  Then half of the developers who didn't like working on software security in the first place have to go work on it full time or find new jobs (job hunting sucks).  The users get a stupid authenticator which they lose constantly.  It drives them crazy and they realize that it's worse than losing their car keys.

We developers think it's really awesome you hackers find security holes.  Good job!  That's one less bug we have to find ourselves.  Just tell us about it first and give us at least six months to fix it and don't mess with our users' information.  I'm sure we could even negotiate a bug award.  If after six months it's not fixed, that's because management hasn't assigned it, so you can tell everyone.  It'll get fixed after that!

Shout out to Violet.