So who’s to blame? First and foremost, the victimizers. Well, persistent victims, yes. And anyone in the security industry who pushes the TOAST principle, the idea that all you have to do is buy Brand X and you never have to take responsibility for your own security. Though, of course, “who’s to blame?” is the wrong question: what matters is “how do we fix it?”
…not, on this occasion, the classic Blackhat "It's your fault that we've hacked your server, infected you with a virus, and broadcast your credit card details and gaming credentials to anyone one who cares to access the torrent" self-justification. (Which reminds me of a mugger saying "don't make me do this to you" while he slaps you about and steals your wallet.)
Nor the geek viewpoint: "I protect myself by running a cluster of sparsely-documented open-source network security tools and spending an hour a day reading the logs, and if you don't, you must be stupid."
Instead, two sides of a rather more rational discussion that isn't about amoral, self-serving alibi creation or self-congratulation. Maxim Weinstein takes issue with an article by Lee Matthews at Extremetech blaming user laziness for most of the security breaches we've seen this year: Weinstein tells us to stop blaming the victims, and he has a point (several points, in fact). Security is hard, maintaining security is hard and time-consuming, and it's not surprising when people are intimidated or overwhelmed by the complexity and volume of the tasks we expect them to do.
However, Kurt Wismer has (I know, having followed his blogs and microblogs for a good while) thought long and hard about the mechanisms that underpin cybercrime and all the other cyberslurry that muddies our cybergaloshes. And he suggests that not blaming people who fail to follow best security practices is "a form of infantilism." And he's not wrong.
As far as I'm concerned, someone who suffers some undesirable consequence of a security breach is a victim, and I probably won't stop using the term. But I might, if I find myself encouraging the idea that being a victim is somehow a justification for remaining a victim. Furthermore, being a potential victim is no reason for sustaining the status quo.
So who's to blame? First and foremost, the victimizers. Well, persistent victims, yes. And anyone in the security industry who pushes the TOAST principle, the idea that all you have to do is buy Brand X and you never have to take responsibility for your own security. Though, of course, "who's to blame?" is the wrong question: what matters is "how do we fix it?"
What was that about TOAST? An acronym coined by Padgett Peterson, which nowadays I'd expand to The Only Anti-something Software That (you'll ever need to defend you from taking responsibility for your own safety). I'm not sure Padgett would support that interpretation, though. I'll have to ask him. :)
Heh. I've just realized that the last time I mentioned Kurt here, I also referred to TOAST marketing, particularly in the context of scareware, and went on to develop that line of thinking in an EICAR paper (Security Software & Rogue Economics: New Technology or New Marketing?). And, of course, that's very much to the point. Scareware quite consciously exploits the user's desire to avoid making his own decisions about his own safety. Which is why I sometimes think of what I try to do here as educationalist, an exercise in fostering critical thinking.
Though I sometimes wonder if the past 25 years of pursuing that goal have actually made the slightest difference. :(
David Harley CITP FBCS CISSP
ESET Senior Research Fellow