The home door lock is a bad analogy. We are not talking about private property. We are talking about a business, which you expect to take reasonable precautions. Let's try these to analogies and see what you think:

1) Suppose you have a safe deposit box in a bank. You read on the Internet how some safe deposit boxes have locks so crappy, you can pick them with a bobby-pin. You have a bobby pin and you try it on yours and it works. You can't believe it so you try it on another box, and it works again. Are you now a theif?

2) A mall has closed for the day. You see through the big glass doors there is a motion sensor on the inside. You remember your friend telling you how some sensors can be fools by sliding a piece a paper under the door. You try it and it works. The door unlocks. You are totally supprised it worked. You get scared and immedately close the doors. Are you now breaking and entering?

What you have is a war on the curious and the educated (and usually young). People can learn things that were once "industry secrets" and they try things out to see if they work. When someone figures out how bad a security measure is (example Krypton locks and ball point pens or a university with a crapy web application) companies become scared of that knowledge as it costs them money and reputation. The knee jerk reaction is to make the individual the bad guy, because it is that person's fault for finding the flaw, not the fact the flaw was built and baked into the system.

As long as companies take this tack with "Good Samaritans," the bad guys will win. I mean, how many times you see a bad guy say, "Oh by the way, I have been robbing you for years, but I'm rich enough now, so here is how I did it."



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/481/35174#35174