Earlier today several people told me that my name was referenced on Slashdot. Specifically it was in reference to me calling programming a super power in a post on my old blog back in 2010. The post on Slashdot said that the recent events with regard to Sony demonstrated that software was a super power and ended with the line “remember to always use your coding superpower for good.”
One of the things we discuss in my classes is the impact of technology on society. I tell students to remember that just because something can be done doesn’t mean it must or even should be done.
Software is very powerful, especially when connected to data. We’re collecting huge, almost unimaginable, amounts of data these days. Some by governments but even more by companies. The Sony break-in shows the damage that exposing data can create. I have heard people speculate that this could bring down Sony as a company and that at a minimum it will be terribly harmful in the near term. Clearly many people have been negatively impacted.
It seems like a lot of people are ready to blame the crackers and their technical expertise for the break-in. Friends of mine who are in the business of information security are skeptical that all the information was taken without inside help though. While there is a tendency to blame the technology or poor software for break-ins like this, one thing people who have been around for a long time know is that many big break-ins take place with inside help – knowingly or unknowingly.
Social engineering is a huge part of the information security situation. That is where someone convinces someone else to give them access or information by claiming to be someone they are not. It is how a lot of systems are broken into. It turns out that the ability to program is not the only “super power.” Sometimes just the ability to access data or computer systems comes with a lot of power. Power that not everyone realizes is intrinsic to that access. Power that not everyone guards as closely as they should. No matter how much people talk about firewalls, access codes, viruses, Trojans, zero-day exploits and other software security issues, the weak link in most systems is still the people who have access to them.
That is not something we spend enough time talking to students about. And frankly most companies don’t talk about it or train about it enough either. A company that trains people to look for shoplifters often has more to lose when people are careless with passwords or leave terminals/computers logged in and unattended.
We need to teach more about security. I remind people that increased security training was added to the CS 2013 Undergraduate curriculum recommendations in recognition of how important this issue has become. But in many ways university is too late, and computer science majors are a much smaller group than the people who need to understand these issues better. As educators we have the power to improve this condition and I would argue the responsibility as well.