The “blame the victim” mentality is prevalent in many facets of society today. Cities pass ordinances that make it an offense to leave things of value in view inside your vehicle, lest some just-in-time thief be tempted and break in to take it. Victims of motor vehicle burglaries are astonished, when they report the crime, to find themselves receiving a ticket.
Blaming the victim is an attitude that's seeping into the computer security arena, as well, in several different forms. I recently read an article by a fellow security expert stating that “if you leave something unlocked, you invite crime.” [my emphasis]. That sounds a little like the old (and thankfully, pretty much abandoned) idea that a rape victim whose dress was a little short was “asking for it.” I've heard and read similar statements on numerous occasions, with some going so far as to say that computer users who don't have all the OS patches installed, AV updates applied and firewalls properly configured “deserve what they get.” Ouch!
Sure, we all need to take responsibility for protecting ourselves and doing our parts to protect our networks and The Network. But let's get real about who bears the BLAME for DoS and other attacks, viruses and worms, etc. -- that's the person(s) who launched them.
Another popular variant on the “blame anybody except the person who did it” theme is to bash the software vendor for not creating a perfectly secure OS or application. Well, guess what? There's no such animal, and never will be.
Back in my “previous life,” when I was teaching defense tactics to embryonic cops at the police academy, one important block of instruction was weapon retention. A disturbingly high number of police officers are killed each year with their own guns, and it's essential to know how to defend against an attempt to take yours away from you. However, there were always a couple of kids in each class who knew it all, and discounted weapon retention training because they were going to use so-called “security holsters.” These are holsters designed to make it more difficult to get the gun out, to help thwart just such an incident. The problem was that, when many of these folks got to the range for firearms training, they couldn't draw and fire their weapons in an acceptable amount of time. Oops!
Does that mean security holsters are useless? No - but it does illustrate an important point that carries over to my current incarnation as a network security author, trainer and consultant: security and accessibility are always on opposite ends of a continuum, and the more you have of one, the less you have of the other. A good security holster can provide an extra measure of protection - if you practice faithfully to burn the moves required to draw your weapon into muscle memory (standard theory is that it takes about 3000 initial reps to do that, plus ongoing, regular practice to maintain it). However, there is no 100% secure holster (just as there is no 100% secure piece of software), and if there were, you (the authorized user) wouldn't be able to get to your weapon (data) yourself.
I believe we can educate users on how to make themselves safer from hackers, crackers and network attackers without painting them as being somehow complicit in the crime if they do get victimized. And I think we can encourage software vendors to do all they can to make their code secure without making them out to be bigger villains than the real bad guys.
Posted Jun 23 2004, 11:45 PM by debshinder