opinion

Ask Me No Questions...

It was Austrian logician Kurt Gödel who put his finger on something we all already know: You can't prove a system from within a system. Of course, that's an oversimplification of the famous incompleteness theorems. Still, Einstein himself — when not reminding God to steer clear of dice games — summarized a similar wisdom thus: "Problems cannot be solved at the same level of awareness that created them."

Recently, I was reminded of these wisdoms while responding to one of those routine pleasures of living life online. A nonprofit community website our company hosts, as a favor, came under attack by what initially appeared to be the usual culprits: teenagers with more time on their hands than appreciation for positive life trajectory. That was the story anyway, complete with l33t-style "brags" left after the first round of attack.

But something just wasn't feeling quite right about this. Maybe it's because, as a preteen myself way back in the era when 1200 baud was high-speed, I did my fair share of poking and prodding at vulnerable systems out of sheer bullheaded curiosity. One might even argue that I'm a card-carrying "hacker," having been around long enough in that world to fondly recount stories of the old days. Maybe it's just a lifetime's fascination with pattern recognition in nonlinear systems. Whatever the cause, it just didn't feel right.

And it wasn't. In fact, to understand — and resolve — what was going wrong with this particular system, it was necessary to step back from the system, move up a level. More generally, the boring-sounding field of "security management" relies quite a bit on that particular Sun Tzu-ish move. While it's always a temptation to look for "bugs" at a particular level of systems analysis, in the world of production systems we often see that "bugs" are subtler than that. For every line of code that's simply got flawed logic (or the usual, annoying typos), there are 10 examples of systems-level interactions that, paradoxically, result in insecure behavior without any specific "bug" at all.

It's a (not so) secret truth of the geek fraternity that asking the right questions is the tough part of solving problems. All of us can remember a handful of those delicious moments when, after hours or days of fruitlessly picking away at some seemingly intractable problem with a broken application, we suddenly feel our perspective shift and — aha! — the "problem" comes clear all at once. It's never complicated, nor difficult to make the fix, when that transcendence occurs; it's less of a fix than it is the recognition of a failed assumption, a faulty expectation, a missed logical connection. One changed parameter and, all at once, that "intractable" problem vanishes like platitudes in the face of intransigent reality. As deeply frustrating as those hours of hunt-and-peck can be leading up to it, the "eureka!" moment always is more than worth it.

With the benefit of hindsight, it's always easier to see what the error was — no surprise there. Over the years, however, one learns to trust more and more that hunch one gets when things seem like they almost add up … but not quite. That certainly was the case in the "hack" attempt on our freely hosted website. It turns out that the whole story about some random preteen script kiddie launching the attacks was just a lame-ass smokescreen. In fact, the person behind it was an ex-employee who was fired last year for, in general, being an incompetent fool. That sense I was getting that things didn't add up came from a few different data points: Some things didn't quite fit, others fit too well.

Specifically, the fact that all of the member accounts that were "hacked" during the (eventual) three rounds of the attack were created before we fired that dud of a team member — that was the key that unlocked the puzzle.

He and an accomplice were brute-force de-hashing entries from an old (hashed) member password table that he'd stolen during routine backup procedures — last year. Sure enough, he'd copied the entire table right before we fired him (we keep database access logs, for just that reason). Hands caught in the cookie jar, case closed. With a bit of grunt work, we had the site back up and running — traffic is not only back up to previous levels but already has surpassed them.

There are plenty of areas of the technology world where buzzwords and platitudes rule the roost. One of the more egregious examples certainly can be found in the security market: There's a never-ending stream of magic security software that will magically ensure no "hackers" get into your stuff. Yeah, right (sigh). Sure, yes, there's some code that is necessary for us to have, in order to keep things under control: firewalls, a basic Trojan scanner, some log analysis, even perhaps some heuristic access-control filters at the server level. But all of that is freely available (i.e. OpenSource, free for download) — in contrast, little of the truly complex/fancy/expensive software to "keep your website secure" is worth the paper it's not printed on.

Why? Well, for the same reason that Einstein remarked about systemic problems and solutions thereto being found at different analytic levels. Buying more software to plug the gaps in software security is (to quote a favorite saying of a now-deceased, BASE-jumping, forensic coroner friend of mine — Dr. Nick Hartshorne) like "fucking for virginity." That's the harsh reality of things: There's no magic software that will keep your website — or your home computer/laptop — safe and secure. By the very nature of the systems we are trying to secure, it's necessary to step back a level and look at the systems overall, to see where the weak spots are.

Crypto guru Bruce Schneier has made the same general observation in regards to the whiz-bang new technology of quantum cryptography. Yes, being a geek he sees the intrinsic "coolness" of quantum crypto, and we're all curious to see how it develops over time. (The fact that genuine researchers genuinely hypothesize that quantum computation can overcome P/NP completeness barriers by employing processing power found in parallel universes — that's just too cool for words!) However, he's clear that quantum crypto won't make anybody more secure in real-world applications. Today, our weaknesses really aren't to be found in weak crypto algorithms — far from it. Rather, the weak spots in the system are usually far, far simpler.

So, for all of our fancy technology and uber-geek capabilities, it was a disgruntled former employee (who was, incidentally, trying to launch a paysite to "compete" with the free service we host) with a stolen (albeit hashed) password list that was prying open our backdoor. No fancy software catches things like that, unfortunately. Rather, it takes basic observational awareness and, above all else, gaining confidence in asking the "wrong" questions. Even as our tech staff was chasing after more complex reasons the attacker had gained control of a few member accounts, I was musing in the background: "Something's not right here, guys; this isn't some random hacker. We're missing the forest for the trees." Technology? Nope, not really. It's just basic common sense.

All too often, folks are intimidated by "technology" if they don't consider themselves part of the geek elite. A friend just got his first BlackBerry, and he wanted my help figuring out how to use the built-in camera. He handed it to me along with the owner's manual. Hahaha! I started pushing buttons, and he was shocked —didn't I want to read the manual first? After all, I was just doing trial and error: "Hmm, what does that button do?" Yep, exactly!

That's how one learns, in tech — trial and error. If you want to do a better job of keeping your own files and service "secure," the first step is deceptively simple: Stop thinking of technology as some alternative universe that has really complex rules and people who know all the answers and act as gatekeeper. We don't know the answers, any more than anyone else — all we do is keep asking questions until things start to make a bit more sense. Tech is like anything else: poke and prod at it until it starts making sense.

Ask me no questions, and I'll tell you no lies? Beh — ask me all the questions you can think of, and so will I. It's through asking good questions that we learn how things really work. Indeed, through building that sort of "gut feeling" for the systems we manage, we're in by far the best position to keep them operationally secure. The next time someone tries to sell you some complex software to "ensure security," ask him some questions — he might, indeed, tell you some lies. But I bet you'll have no trouble feeling out which answers are which. Einstein would be proud, and even Herr Gödel might have tipped his hat to your ontological awareness of analytic constraints.

Copyright © 2024 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

opinion

To Cloud or Not to Cloud, That Is the Question

Let’s be honest. It just sounds way cooler to say your business is “in the cloud,” right? Buzzwords make everything sound chic and relevant. In fact, someone uninformed might even assume that any hosting that is not in the cloud is inferior. So what’s the truth?

Brad Mitchell ·
opinion

Upcoming Visa Price Changes to Registration, Transaction Fees

Visa is updating its fee structure. Effective April 1, both the card brand’s initial nonrefundable application fee and annual renewal fee will increase from $500 to $950. Visa is also introducing a fee of 10 cents for each transaction, and 10 basis points — 0.1% — on the payment volume of certain merchant accounts.

Jonathan Corona ·
opinion

Unpacking the New Digital Services Act

Do you hear the word “regulation” and get nervous? When it comes to the EU’s Digital Services Act (DSA), you shouldn’t worry. If you’re complying with the most up-to-date card brand regulations, you can breathe a sigh of relief.

Cathy Beardsley ·
opinion

The Perils of Relying on ChatGPT for Legal Advice

It surprised me how many people admitted that they had used ChatGPT or similar services either to draft legal documents or to provide legal advice. “Surprised” is probably an understatement of my reaction to learning about this, as “horrified” more accurately describes my emotional response.

Corey D. Silverstein ·
profile

WIA Profile: Holly Randall

If you’re one of the many regular listeners to Holly Randall’s celebrated podcast, you are already familiar with her charming intro spiel: “Hi, I’m Holly Randall and welcome to my podcast, ‘Holly Randall Unfiltered.’ This is the show about sex, the adult industry and the people in it.

Women In Adult ·
trends

What's Hot Now: Leading Content Players on Trending Genres, Monetization Strategies

The juggernaut creator economy hurtles along, fueled by ever-ascendant demand for personality-based authenticity and intimacy — yet any reports of the demise of the traditional paysite are greatly exaggerated.

Alejandro Freixes ·
opinion

An Ethical Approach to Global Tech Staffing

One thing my 24-year career as a technologist working to support the online adult entertainment industry has taught me about is the power of global staffing. Without a doubt, I have achieved significantly more business success as a direct result of hiring abroad.

Brad Mitchell ·
opinion

Finding the Right Payment Partner

Whenever I am talking with businesses that are just getting started, one particular question comes up a lot: “How do I get a merchant account?” It’s a simple question, but it has a complicated answer.

Jonathan Corona ·
opinion

The Taxman Cometh for Every Business

February may be the month of romance, but it is also a time when we need to think about something that inspires very little love: taxes. April is not far away, and the taxman is always waiting. This year, federal and most state income taxes are due Monday, April 15.

Cathy Beardsley ·
opinion

The Continuous Journey of Legal Compliance in Adult

The adult entertainment industry is teeming with opportunity but is also fraught with challenges, from anticipating consumer behavior to keeping up with technological innovation. The most labyrinthine of all challenges, however, is the world of legal compliance.

Corey D. Silverstein ·
Show More