Author Says It's Time To Stop Glorifying Hackers

First time accepted submitter Geste writes "Diane McWhorter pleads in this NYT Op-Ed piece that it's time to stop glorifying hackers. Among other things she rails against providers' tendencies to 'blame the victim' with advice on improved password discipline. Interesting, but what lesson are we to learn from someone who emails lists of passwords to herself?"

Dear Diane...

[stox]

If you want to see what real hackers are about, come on down to H.O.P.E. this year, http://www.hope.net./ [www.hope.net] We're just a short walk away from the New York Times at the Hotel Pennsylvania.

See you there!

Victims often at "fault", but not their fault

[Dutch Gun]

Ok, we're going to snicker at someone e-mailing password lists, because we all probably understand that e-mail, by default, is sent in the clear, and is therefore not secure. It's hard for tech geeks to properly empathize with "normals" who just want to get some work done, or surf around on the net and not worry about getting their computer taken over by some malware.

Honestly, though, it's hard to blame normal users for this. Should a user have to be a computer expert in order to actually use a computer? Some might argue yes, but that doesn't seem too realistic. The fault lies with software developers who blindly rushed features out the door without giving proper thought to the security implications. Microsoft had a really bad habit of this until they made security a significant corporate priority - it's time for Apple to catch up now, as proven by the recent "goto fail" fiasco. The focus has since shifted to softer targets, first Javascript and browser exploits, and then third party plugins as those closed up, such as Adobe products or browser-based Java exploits, and the good time for hackers (no, I'm not going to call them "crackers") is still rolling on.

Honestly, I'm not sure what the answer is: Probably most casual users should actually move away from fully-powered computers and move toward safer, more locked-down systems like tablets and phones (like they have been). For people not doing serious work or creating actual content, these are more than capable, and are certain safer systems in general. Alternatively, getting set up as a limited account in an operating system with a smaller attack surface like Linux would be fine too. BTW, I don't buy the notion that Linux is inherently safer than Windows (granted, that definitely used to be true) - it's a combination of fewer threats (because it's a less rich target) and configuration options - Windows is also very safe as a limited user account). We've seen plenty of serious security holes in very popular FOSS software, even recently. But people buy computers because they actually want to do computer-like things with them, including running popular software. Limited accounts / locked-down systems are not always feasible.

One thing I'd love to see is the death of standard login-password mechanisms. It's too much of a burden for both a normal user to both create and remember a secure password, and for the website to keep that valuable user information secret. We've demonstrated again and again and again that eventually a crack will be found and the info will leak. That's why I'm hoping that something like SQRL will eventually see widespread adoption. It's biggest strength is that it doesn't require trusting ANY second or third party with secrets of any sort in order to keep your identify secure (granted, associated data can still be compromised, but your identify can't be stolen at least). It's a very promising system, but we'll see if it catches on - it's sort of a long shot. But for the time being, something like LastPass is the next best thing. Someone needs to tell the author of this article about it so she can stop e-mailing herself password lists.

Re:Also time to stop

[Ardyvee]

The thing is, there is the general public definition of hacker (ie a criminal), and then there is the definition of hacker by other people that is something along the lines of: somebody who likes to take things apart, exploring the system's limits; an expert on the field. The later definition includes people like the Elf Lord you mentioned, Abby (from the same show), most security consultants, criminals, etc.

Therefore, his comment is valid for a certain definition of hacker (and most hackers don't reach the news because they are security consultants, or work in IT in a company, or report the issues to the companies who don't go "YOU HACKED INTO MY SYSTEM NEED TO SUE"). And thus: the biggest problem IT people have when communicating with the rest is that neither side really talks the same language. How are we going to communicate effectively and solve issues if we don't really share the same language?

Re:Also time to stop

[UnknownSoldier]

> In most cases a hacker is nothing more than a thief and criminal, the article is correct, they should not be glorified.

Originally, grasshopper, hacker meant someone who was curious about a system and/or learning -- non-destructive probing, or one produces elegant code.

1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary. 2. One who programs enthusiastically, or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating hack value (q.v.). 4. A person who is good at programming quickly. Not everything a hacker produces is a hack. 5. An expert at a particular program, or one who frequently does work using it or on it; example: "A SAIL hacker". (Definitions 1 to 5 are correlated, and people who fit them congregate.) 6. A malicious or inquisitive meddler who tries to discover information by poking around. Hence "password hacker", "network hacker".

* The Original Hacker's Dictionary, http://www.hackersdictionary.c... [hackersdictionary.com]

Then the media hijacked the term and labeled all the white hats with the black hats.