Are You Mad? Are We All?

by Anton Chuvakin

Imagine you bought something.

  • You rely on it with your business, with your very livelihood. Sometimes even with your life.
  • There is no warranty whatsoever on what you bought.
  • And you don't know what's inside the box.
  • Also, you cannot look inside the box; in fact, it is illegal.
  • You might not have heard about the seller before and you have no particular reason to trust him.

Are you totally and irreversibly mad? How can you do it?! If you are not mad, aren't you criminally negligent? Or just very, very, very stupid.

However, we all are. We all bought software at least once in our lives ...

This blurb is inspired by some discussions I had at the CONFidence 2007 conference (where I presented on "Log Forensics" in front of about 180 people). Another related fun thought I picked up there is that the most scary cyber-criminal of the future is not a spammer, a scammer, a phisher or a pharmer, and not even a good ole "cracker" - it is an unethical software engineer, who changes the code slightly to introduce a weakness (or a full-blown backdoor or a logic bomb) and later uses or sells this knowledge. In light of the above characteristics of software purchases, think billions stolen in one shot, think ruined companies, think stock market manipulation, think direct physical damage (and, yes, real cyberterror), etc. We do live in interesting times ...

2 Comments

Reedo
2007-05-17 12:04:21
Yeah, paranoia will do you in if you let it. Ever been on a plane? Passengers must rely on the plane working, assume the risk of travel by buying a ticket, be ignorant of and unable to inspect its innards from top to bottom, and trust the airline in spite of not being acquainted with all of its employees. Scary.
Bryan
2007-06-29 20:24:23
Perhaps you as a passenger can't, but the airline company can and does look inside their airliners. The companies that make money using the planes know what's in them, know how they work, and are able to fix problems with them. So why not companies that use software to make money?


(I would argue that warranty here is a slight red herring. You don't need a warranty if you have the ability (both technical and legal) to fix problems yourself. OTOH, if you can't fix it yourself, then a warranty does become useful, or even required.)