Author Says It's Time To Stop Glorifying Hackers

First time accepted submitter Geste writes "Diane McWhorter pleads in this NYT Op-Ed piece that it's time to stop glorifying hackers. Among other things she rails against providers' tendencies to 'blame the victim' with advice on improved password discipline. Interesting, but what lesson are we to learn from someone who emails lists of passwords to herself?"

Also time to stop

[Anonymous Coward]

glorifying actors, sports figures, politicians, generals, soldiers, writers, artists, architects, Canadians, cooks, race car drivers, the old, children, dogs, accountants, spies, computer programmers, cowboys, drug smugglers, and the disabled.

Re:Also time to stop

[i kan reed]

Goddammit, you stole the thunder out of so many potentially good posts, fast-acting AC.

Re:

[Aighearach]

mice

Re:

[nucrash]

scientists never get respect.

Re:Also time to stop

[NotDrWho]

Come on now, no one glorifies clowns.

Re:Also time to stop

[NotDrWho]

That's because they think outside the box.

Re:

[bennomatic]

Let's stop glorifying the AC.

Re:

[jellomizer]

Well there is a difference between glorifying people who somewhat try to do positive things with their life, and achieved something from it.

But Hackers, drug smugglers and much of the other black market activity really shouldn't be glorified. Because for every 1 person who does this for some noble deed there are a thousand stupid kids who do this because they think it is easy money.

Re: Also time to stop

[Zero__Kelvin]

It took me a while to notice, but your post is what made me realize that most of the people posting here up until now have no idea what a hacker is.

Re:Also time to stop

[ackthpt]

glorifying actors, sports figures, politicians, generals, soldiers, writers, artists, architects, Canadians, cooks, race car drivers, the old, children, dogs, accountants, spies, computer programmers, cowboys, drug smugglers, and the disabled.

So long as we still glorify the Hypnotoad, I'm cool with that.

Re:

[NapalmV]

She was a student
Her father was an engineer
Won't you shed a tear
For my yellow rose
My yellow rose

Re:

[AlphaWolf_HK]

Wouldn't Walter White count as a chemical engineer?

Re:

[jeffmeden]

Wouldn't Walter White count as a chemical engineer?

No because making meth good enough for consumption/addiction is hardly a feat of chemical engineering; meth heads will consume actual shit, poison, air, rocks, etc if they thought there was the slightest chance of a buzz.

His exploits obviously color him as a social engineer (hacker alert!!!!!)!!!

Re:

[Anrego]

As a fellow Canadian, I'd like to point out that you forgot to say sorry.

Sorry :(

Re:Also time to stop

[Ardyvee]

The thing is, there is the general public definition of hacker (ie a criminal), and then there is the definition of hacker by other people that is something along the lines of: somebody who likes to take things apart, exploring the system's limits; an expert on the field. The later definition includes people like the Elf Lord you mentioned, Abby (from the same show), most security consultants, criminals, etc.

Therefore, his comment is valid for a certain definition of hacker (and most hackers don't reach the news because they are security consultants, or work in IT in a company, or report the issues to the companies who don't go "YOU HACKED INTO MY SYSTEM NEED TO SUE"). And thus: the biggest problem IT people have when communicating with the rest is that neither side really talks the same language. How are we going to communicate effectively and solve issues if we don't really share the same language?

Re:

[UnknownSoldier]

> In most cases a hacker is nothing more than a thief and criminal, the article is correct, they should not be glorified.

Originally, grasshopper, hacker meant someone who was curious about a system and/or learning -- non-destructive probing, or one produces elegant code.

1. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary. 2. One who programs enthusiastically, or who enjoys progra

Re:

[RabidReindeer]

The term "hacker" gets applied in the general public usage to:

1. Social Engineers, regardless of tech skills
2. ignorant script kiddies
3. malicious invaders ("crackers")
4. people who bang on systems with blunt objects ("hack jobs" in the pre-computer sense)
5. people who actually know what they are doing and do it for constructive purposes

It's mostly our own fault that we haven't managed to make the distinctions clearer. The first 3 on the list are basically criminals unless they're working for authorized pu

Re:

[saider]

"Timothy McGee" (NCIS), that occasionally needs to hack something to save a life

The fact that a law enforcement agent breaks the law during the course of their duties should be cause for concern. We have the 4th amendment for a reason. You cannot make an action permissible for one person, while making it illegal for another. That sets up all kinds of trouble.

Besides, he is rarely saving lives with his actions. The hacking is usually done to catch the perpetrator after the fact as a deus ex machina to move t

Re:

[wagnerrp]

Alignment has nothing to do with anything. "Hacking" is a constructive operation. You hack together a piece of code. You hack together a server. You hack together physical objects that have nothing at all to do with computers. "Hacking" is the process of building something new and useful without the full blown structure and overhead of a traditional engineering. Or, it could be violent coughing. Or, it could be chopping down a tree. Hacking has been around long before computer security was even a th

You keep using that word

[Overzeetop]

Note to the press: "Hackers" doesn't mean what you think is means.

Re:You keep using that word

[mwvdlee]

Indeed.

There's a difference between somebody who takes a list of passwords and abuses it and somebody who finds security issues and reports them responsibly.
There's also a difference between somebody who it a victim and somebody who gmails list of passwords to herself.

Oblig. car analogy: The person stealing your car is a "criminal", the owner of that car is a "victim". The person bypassing the lock on his own car and then reporting the issue to the car manufacturer is a "hacker". The person keeping a keychain in her unattended car, with keys of all her properties, conveniently labelled what each key is for and where it can be found, is called an "Idiot".

One does not preclude the other.

Re:You keep using that word

[lgw]

The difference between "idiot" and "at fault" is huge.

Users will be idiots. Does any IT admin deny this fact? If your system only protects users who aren't idiots, you're a sorry excuse for an admin.

Make your system robust against weak passwords. This is not rocket science. If it's something important, use two-factor auth. If not, make account recovery easy - put real thought and effort into it! And for goodness sake, make sure your DB of password hashes doesn't become public - that's all in your hands, and it's completely your fault if that happens, weak passwords or strong.

Re:You keep using that word

[Aighearach]

Your system cannot protect the idiots from themselves. That is a trap you fell into somewhere. Most likely you simply agreed it would be nice if it was so. "Yeah, why can't we protect all our users?!"

This isn't brain science or rocket surgery. The idiots have to have a way to access the system. They will NOT remember strong passwords, they will write them in a stupid place or keep them in gmail with public information as the account recovery. And guess what, you can't control gmail. Put some real thought into it, your idiot users will hand their access away to the first thief, and you can't do much to protect them.

All you can do is protect your system and try to make anything important difficult enough to access that the idiots can't get in.

Re:

[lgw]

Sure you can protect the idiots. Like my post said, you can use 2-factor auth, or if it's not that important, you can make account recovery easy. Debit cards work fine with a 4-digit PIN, because both "it's 2-factor auth" and "fraud prevention and recovery is well thought out".

Re:

[geekoid]

You can train people to sue strong but easy to remember passwords.

Re:

[jedidiah]

> The difference between "idiot" and "at fault" is huge.

It depends on the environment. In some environments, you will be punished for leaving your valuables unsecured. It is considered bad policy to tolerate idiots that invite thieves.

The meat space equivalent of what this idiot journalist does is illegal in some jurisdictions.

Re:You keep using that word

[Rinikusu]

I currently have over a dozen passwords I have to keep memorized for accessing various systems (each with their own unique login IDs and passwords), many of which are changed every 3-6 weeks and do stringent checks on previously used passwords. That's just for work, and not including the dozen or so username/passwords I use online in my personal time. Seriously, it's time to rethink passwords because if you don't like that I write all this shit down in a spreadsheet that I print out and stuff in a binder, well, it beats the other guys post-its on their monitors.

I have a problem with that.

[khasim]

Seriously, it's time to rethink passwords because if you don't like that I write all this shit down in a spreadsheet that I print out and stuff in a binder, well, it beats the other guys post-its on their monitors.

NOT ON THE COMPUTER!

For work passwords, WRITE them down (pen) on a piece of paper and keep that piece of paper in your wallet.

For home passwords, WRITE them down and then that piece of paper like any other important piece of paper for your home.

If you do it on the computer you do not know that the

Re:

[UnknownSoldier]

Why the fuck aren't you using a password manager like KeePass / KeePassX ???

Memorize one long master passphrase, copy/paste every other password.

Re:You keep using that word

[RabidReindeer]

You could use a password manager like KeePass, LastPass, PasswordSafe, etc. Is there some reason you don't?

And even if there is, reconsider it. You can keep a password safe database(s) on a thumb drive handcuffed to your wrist if you want to be really paranoid. The databases are encrypted, but if they're physically tethered to you, you'll have to take them with you instead of possibly leaving them unguarded on your desk.

The idea of making different apps all have different passwords (as opposed to single signon or a password safe/PIN vault under a master password) may sound secure, but nobody's memory is that good, and the resulting post-its, unencrypted spreadshhets, Windows Notepad files or whatever means that in reality, you may be less secure, rather than more secure.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[bennomatic]

LOL, I hope we've never had an argument before, because I think this is awesome. Absolutely the best /. post I've read all day.

Hacker is not a term used for the good guys

[sjbe]

The person bypassing the lock on his own car and then reporting the issue to the car manufacturer is a "hacker".

That is NOT how the term hacker is used by most of the population and I suspect you know that. "Hackers" are not considered good guys. Someone breaks into a computer (or car in your analogy) that is not their own? Hacker. A hacker *might* do what you describe but most are (or at least appear to be) engaged in considerably less honorable activities.

I giggle every time nerd gets in a huff and tries to self righteously insist the word hacker is for the good guys and cracker (which is also a racial pejorati

That battle is long over

[sjbe]

So you would stand idly by and allow misinformation by a group who clearly and chronically has absolutely no grasp of the field they are discussing ruin your language?

It's not my language. I didn't invent it. I don't own it. I also am not so arrogant as to think other people are stupid and do not grasp the meaning of the word. And even if I have an opinion about it my opinion doesn't mean much. The word hacker, for better or worse, now means someone who breaks into computer systems. Intent doesn't play into it although usually the term isn't used with positive connotations. You may not like this but that is the way it is. Get used to it. That battle was lost a L

Re:You keep using that word

[Aighearach]

"Hackers" are called Makers now. We lost that language war, but we have a new term now.

Re:

[Princeofcups]

"Hackers" are called Makers now. We lost that language war, but we have a new term now.

Because "maker" isn't a completely generic term, that wouldn't get confused with ANYONE WHO MAKES THINGS. Sorry to yell. Some people are hard of hearing.

Re:

[Jaysyn]

We need people to build things far more than we need people to break them. Building things is cool. Breaking them isn't.

Gandalf isn't always right. Sometimes, you *do* have to break things in order to know how to build them better.

Re:

[Max Threshold]

And neither does "blaming the victim".

Re:

[NotDrWho]

Expecting a potential crime victim not to be a fucking idiot isn't the same as blaming them for the crime. Yeah, in an ideal world, I should be able walk through the worst neighborhood in town waving a wad of cash at 2 a.m. yelling "I'm unarmed and have a lot of cash!" and not get robbed. And if I was robbed, it wouldn't be any less a criminal act on the criminal's part. But it would still make me a fucking idiot.

Re:You keep using that word

[nomadic]

The commonly-accepted usage of words is determined by the majority. Whatever "hacker" used to mean, it now means someone who bypasses computer security systems to commit crimes.

Re:You keep using that word

[fisted]

Since the "majority" has not a faint idea what hacking is, or was, i refuse letting them assign new meaning to words they dojn't understand.
IOW your argument is stupid.

Re:

[DaveV1.0]

The definition of a word is defined by usage. You have stated that you don't care what popular usage is, therefore you are stating that you don't care what the actual definition of a word is, you are going to use it how you think it should be used.

Now, who is stupid: the person who is using the word as most of the human race uses it; or you, who is insisting on using the word according to the preference of a small group of people?



P.S. if you say "him and everyone else", you should see a psychologist

Re:

[DaveV1.0]

No offense, but not only are the cows out of the barn on this one, but the barn has pretty much burned down. I remember the attempts to get people to call them crackers, worms, etc. It didn't work. I do agree with your observation on the hat distinction. But, complaining about the use of "hacker" or saying it shouldn't be this way is irrelevant, and refusing to accept the popular convention is just, well, stupid.

Re:

[Anonymous Coward]

Exactly. This ship sailed a long time ago. Time to give it up. The original meaning of "hacker" is dead. If you use it in that sense, you will only be miscommunicating with the vast majority that uses it in the new sense.

Seriously people. Let it go. Words change. Many of the words you use now meant something else entirely a hundred years ago.

Re:You keep using that word

[Aighearach]

The commonly-accepted usage of words is determined by the majority.

While I do agree that whatever "hacker" used to mean is called a "maker" now, you're way off on how word meanings are determined.

It turns out, each word can have multiple meanings, and all the meanings with common published examples are the real meanings! Wow! Blows your mind, right?

How can nerds expect the world to believe in our vocabulary if we can't even read dictionaries?

Re:

[Princeofcups]

The commonly-accepted usage of words is determined by the majority. Whatever "hacker" used to mean, it now means someone who bypasses computer security systems to commit crimes.

Hacker is someone who drives a hack, a horse and buggy or else car for hire. Another term for cab driver.

Re:

[GodfatherofSoul]

You don't get to supplant the definition of a word because you want to embrace it's favorable connotations while rejecting the negatives: I'm assuming you're referring to hacker vs. cracker.

Re:

[Aighearach]

If only we had a time machine, we could go back to the 90s and fight thing battle again. At this point I think it is fair to say, the word means whatever it is used for. Makers are the new hackers.

Re:

[real gumby]

Note to the press: "Hackers" doesn't mean what you think is means.

So true.

Interestingly House of Cards which includes a character who is a cracker and hacker (appears to have good hacking skills which he uses to break into systems). It appeared that the writers had actually made an effort to learn about the culture(s). For example there was a well done attack that combined social engineering and sleight of hand to defeat two factor authentication.

Unfortunately his lines still made it clear that the writers didn’t really understand what those words really meant (so

Re:

[gIobaljustin]

Protip: Words can have multiple meanings.

Time to stop glorifying the NYT Op-Ed

[coldsalmon]

Stop falling for the clickbait, Slashdot.

Re:

[Bacon Bits]

Joke's on them. Nobody at Slashdot actually reads the articles.

Hackers get no RSPECT

[Anonymous Coward]

And yea, that's spelled right. In all 57 states.

Blaming the victim?

[Anonymous Coward]

Next thing you know we'll stop teaching kids to look both ways before crossing the street because we're teaching people not to drive drunk. But this just isn't how the world works.

Re:

[Just Some Guy]

Yeah, I don't know what sane person could get "blame the victim" out of that. Is it "blaming the victim" if my wife takes a self-defense class, or is it acknowledging that there are bad people in the world and it's prudent to learn how to deal with their presence?

Victim blaming

[LocalH]

Why the hell is there a trend nowadays to call it "victim blaming" to give people advice on protecting themselves? Is it really such a bad idea for people to do things to protect their passwords?

I guess telling people to run antivirus is now "victim blaming", too.

Re:Victim blaming

[lagomorpha2]

Don't teach users not to run mysterious .exe files from suspicious people without antivirus software! Teach scammers not to scam!

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Victim blaming

[N1AK]

Careful, I'm not sure you can see over the top of all that hyperbolic. It isn't impossible for most people to hold the view that crime is bad an should be discouraged and that taking moderate steps to moderate your risk of being a victim is sensible; if you haven't already tried it then I'd strongly suggest giving it a go.

Re:

[Jason Levine]

There's a difference between trying to get people to protect themselves and blaming the victim. Telling users "you need to run an anti-virus" is giving advice. Telling users "you were hacked because you're an idiot that runs Microsoft software" is victim blaming. To take this away from the computer world, telling women "you could take a self-defense class or carry Mace with you" is advice. Telling a woman "you were raped because of the way you were dressed - that's just asking for it!" is victim blamin

Re:

[Princeofcups]

Why the hell is there a trend nowadays to call it "victim blaming" to give people advice on protecting themselves? Is it really such a bad idea for people to do things to protect their passwords?

I guess telling people to run antivirus is now "victim blaming", too.

It's just misuse of the term by people who don't understand what it means. See: irony, meme, feminism, communism, fedora, ...

Re:

[gIobaljustin]

If there is a reasonable and effective method that women can use to protect themselves from getting raped, why would they not use it? Sadly, there is no such reasonable or effective method. Becoming a shut-in is not reasonable, and unlikely to be effective. Rapists don't rape because of someone's choice of clothes, so telling them to not wear certain clothing is just idiotic.

Your comparison is bad and you should feel bad. In fact, just think about what you're saying; you're essentially saying that people sh

US blame culture.

[JustNiz]

So she emailed a list of passwords to herself, didn't bother encrypting it, and kept it in her on-line email account for 9 months, then she's actually surprised when she gets hacked?

I look forward to the day when America gets back to the point where people start taking responsibility for their own actions again, instead of always looking for someone else to blame (and sue) for their own stupidity.

Re:

[Princeofcups]

I look forward to the day when America gets back to the point where people start taking responsibility for their own actions again, instead of always looking for someone else to blame (and sue) for their own stupidity.

Judging from the increasing number of brain-dead liberals infesting America, I think you're gonna be waiting a LONG LONG time......

Thank you for a prime example of my "misuse of terms that people don't understand" post above.

Author is s twat

[scorp1us]

He *emailed* himself his own password list then whines when his account gets hacked.
NO SURPRISE HERE.

*She*

[scorp1us]

I corrected it myself.

Re:

[buchner.johannes]

If she used webmail, or TLS/SSL-encryption when sending the email, that should be safe.

Unless the email account is hacked by other means. But usually, that will screw your passwords anyways, as all registrations either sent you passwords, or will allow you to reset them using the email address.

Re:

[scorp1us]

No, it's not "safe". It violates the first three rules of passwords:
1. Do not write passwords down
2. Do not store all of your passwords together.
3. If you do break #1, do not store your password in an un-safe location.

That second rule...

[Ardyvee]

I was not aware of the second rule. Which is broken by all those password manager software, btw.

It's not a bad advice, to be honest, but it also depends on the fact that you are writing (storing) your passwords already.

Diane McWhorter?

[Max Threshold]

Why do I recognize that name? What other stupid shit has she said?

Only NSA can do that !

[jcdr]

All others have to be quiet naive idiots ?

"Victim Blaming"

[gurps_npc]

It's not "Victim Blaming" unless someone attempts to punish the victim. Yelling at an idiot to stop throwing his mone the ground while closing his eyes is not victim blaming.

See Adrienne Brown, who really was victim blamed.

Or the poor woman in the Steubenville Rape case.

In other news...

[slapout]

Author Diane McWhorter identity was stolen 6 times today

disconnect

[Tom]

but what lesson are we to learn from someone who emails lists of passwords to herself?

That real-world security is very disconnected from the clean and nice scenarios in your books and head, because real users think differently than geeks and do different things for different reasons. Some of them we gloat over and call them Lusers and other deragatory terms, but that's mostly to cover up our own insecurity because most of the Lusers out there have had ten times as many and twice as beautiful women and don't live in their mothers basements anymore.

Yes, I know that's also untrue. The point is that different people have different skills and while many of the non-techie people do stuff that we techies consider stupid, they could laugh just as much about us in other areas of expertise. Maybe not women, maybe for them it's sports or marketing or making friends.

So stop gloating and calling people stupid and look at what they can, in fact, teach you. In this case, there's quite a bit to be learned, not the least of which is that passwords are a moronic concept and need to die.

Re:

[wiredlogic]

passwords are a moronic concept and need to die

There are two ways to implement authentication: Provide a unique token that you have possession of or provide an identifier that you have exclusive knowledge of. Things that you possess can be stolen by taking them (credit card, rfid badge, SecureID). Some things that you possess can't be used universally (fingerprints, iris/retina). Things that you know, however, can't be stolen so long as you keep them in your head. Which is more moronic?

Victim Response

[Jharish]

Hacker says it's time to stop listening to authors. Especially if they think hacker=computer criminal. It's got as much integrity as saying white people=bankers.

My takeaway..

[Anonymous Coward]

Things I learned in reading that blabbering op-ed.

Earthlink is still alive. (shocking, but meh...)
Author likely uses same password for multiple publically known email accounts. (lacks even the least amount of personal information security training)
Seems to think Gawker is a respected, um, network. (HAHAHA!)
Thinks pepole hacking celebrity accounts or high-profile public figures is equivalent to what Snowden and similar whistleblowers do, at least as popularity is concerned. (Err...)
Mentions term 'white hat' like it's a mythical unicorn. (turtles all the way down....)

This is like a nail beutician, commenting on the security of a cars CAN bus. I want my 5 minutes back!

Maybe it's time to take away her soapbox

[Akratist]

There seems to be no end to pinheads like this who run around and pontificate about crap they know nothing about. And, oh, hey, nice try impressing us with how sophisticated you are..."Oooh, look at me! I was at the museum of modern art! I'm ever so much better than you!" And, of course, she is part of the media class which spends a considerable amount of time glorifying violence to bring in entertainment dollars. The reality is that dumbshits like her owe most of their modern existence to "hackers" such as the Royal Society and others who refused to accept what they were told as conventional wisdom of the day and began "hacking" science and the natural world, producing great advances and inventions, and so on. I'll stop the rant now, and just say that useless flapjaws like her are the reason I ignore the major media...reading virtual fish wrappers like her column just wastes time I could spend doing more productive stuff which will actually help improve the lives of people instead of just making me look stupid in front of a national audience.

Agreed!

[StripedCow]

It is also time to stop glorifying Googlers and Facebookers.
They should be called voyeurs.

Why is this on slashdot?

[TranceThrust]

A badly written rant containing ill-informed opinions, even when accounting for the author being no `geek', as she puts it.

The problem is not the `glorification' of hackers (seriously?). The problem is that laws remain outdated to cope with this digital age. The problem is that governments rely on badly protected and badly regulated technologies.

The problem is not having enough hackers.

Hire an expert

[seyfarth]

Anyone with a lot of money and little computer security knowledge needs to hire someone to set up their computers and teach them safe practices. It would be worth several thousand dollars to a milliionaire to avoid the sort of problems Ms. McWhorter encountered. Perhaps she is not rich, but she has won a Pulitzer prize for writing. I think she could afford to try harder to be safe. Ideally an operating system should protect the user, but it is practically impossible to write complex software with no errors. People should be suspicious when their operating system comes with a time trial of anti-virus software. The fact that such software exists, makes it pretty obvious that the system is fragile. Ms. McWhorter writes well, but is clearly not a computer security expert. She needs help with her computer and on-line affairs.

Dear Diane...

[stox]

If you want to see what real hackers are about, come on down to H.O.P.E. this year, http://www.hope.net./ [www.hope.net] We're just a short walk away from the New York Times at the Hotel Pennsylvania.

See you there!

Idiots...

[Jawnn]

...should not pontificate about "hackers". OK, I'll spot her the inept use of the term, but aside from that, when it comes to cyber security, Diane McWhorter is clearly an idiot. She uses a public mail server to send her passwords to herself, across the Internet, unecrypted, and it's somebody else's fault when such idiotic stunts result in compromised security?
Ms. McWhorter, It has nothing to do with "glorification". Criminals and miscreants will steal your shit if they can, often just because they can. The motivation doesn't matter. What matters is that they will. What matters even more is that one can, with a few simple steps, drive the likelihood of such a theft down to near zero. So when you fail to take those steps, you are being stupid. Its like never locking your house or your car and then crying foul when someone points out your negligence to you.

Re:

[TangoMargarine]

Have to say, after reading the first two paragraphs (have "paragraph" and "sentence" always been synonymous in news/paper articles?), I've already come to the conclusion that your comment is 100% accurate.

I WAS at the Museum of Modern Art in New York not long ago, soaking in Edward Hopper’s retro downer mystique,

Hmm...elitist art person?

when I got a call that opened up brave new all-night-diners of doom and gloom.

Rather inflammatory and blatantly attention-grabbing.

The editor of thesmokinggun.com, a website that publishes embarrassing documents with headlines like “Man Jailed for Toilet Seat Attack on Disabled Kin,”

Crass...just from the URL I can already tell that I don't want to know anything about the site because it'll probably depress me.

had come into some documents of mine, including my Social Security number with birth date, a photograph of me assailing a moth infestation in an elderly friend’s kitchen

Okay, not that surprising but obviously not fun.

and nearly all my passwords.

Aaaaand this immediately sets off my warning bells t

Author also wants...

[JestersGrind]

everyone to get off her lawn.

hackaday ..

[niks42]

Dayumn .. Somehow they are going to have to change their web site to Makaday

The Song of Their People

[Sponge Bath]

I'm a hacker,
I'm a snacker,
I'm a mid-night wacker.
I get my lovin' on the net.
Ooh, ooh, ooh, ooh

Victims often at "fault", but not their fault

[Dutch Gun]

Ok, we're going to snicker at someone e-mailing password lists, because we all probably understand that e-mail, by default, is sent in the clear, and is therefore not secure. It's hard for tech geeks to properly empathize with "normals" who just want to get some work done, or surf around on the net and not worry about getting their computer taken over by some malware.

Honestly, though, it's hard to blame normal users for this. Should a user have to be a computer expert in order to actually use a computer? Some might argue yes, but that doesn't seem too realistic. The fault lies with software developers who blindly rushed features out the door without giving proper thought to the security implications. Microsoft had a really bad habit of this until they made security a significant corporate priority - it's time for Apple to catch up now, as proven by the recent "goto fail" fiasco. The focus has since shifted to softer targets, first Javascript and browser exploits, and then third party plugins as those closed up, such as Adobe products or browser-based Java exploits, and the good time for hackers (no, I'm not going to call them "crackers") is still rolling on.

Honestly, I'm not sure what the answer is: Probably most casual users should actually move away from fully-powered computers and move toward safer, more locked-down systems like tablets and phones (like they have been). For people not doing serious work or creating actual content, these are more than capable, and are certain safer systems in general. Alternatively, getting set up as a limited account in an operating system with a smaller attack surface like Linux would be fine too. BTW, I don't buy the notion that Linux is inherently safer than Windows (granted, that definitely used to be true) - it's a combination of fewer threats (because it's a less rich target) and configuration options - Windows is also very safe as a limited user account). We've seen plenty of serious security holes in very popular FOSS software, even recently. But people buy computers because they actually want to do computer-like things with them, including running popular software. Limited accounts / locked-down systems are not always feasible.

One thing I'd love to see is the death of standard login-password mechanisms. It's too much of a burden for both a normal user to both create and remember a secure password, and for the website to keep that valuable user information secret. We've demonstrated again and again and again that eventually a crack will be found and the info will leak. That's why I'm hoping that something like SQRL will eventually see widespread adoption. It's biggest strength is that it doesn't require trusting ANY second or third party with secrets of any sort in order to keep your identify secure (granted, associated data can still be compromised, but your identify can't be stolen at least). It's a very promising system, but we'll see if it catches on - it's sort of a long shot. But for the time being, something like LastPass is the next best thing. Someone needs to tell the author of this article about it so she can stop e-mailing herself password lists.

Re:

[Dutch Gun]

Should a user have to be a computer expert in order to actually use a computer?

They don't need to be experts; they just need to not be absolutely retarded. You learn to drive (maybe) before you get your license. Learning a few basic facts before you go off and do a bunch of stupid shit with a computer is something everyone should be able to do, though I don't think there should be a license.

Modern computers essentially have the equivalent of a big red light switch placed out in the open which, if flipped, may accidentally burn your office down. No one would find that acceptable design anywhere outside the computer world. If a user accidentally double-clicks an attachment, it can bring down a corporate network. I don't consider that acceptable or sustainable, and I don't think that someone double-clicking an attachment is retarded, because that's a FEATURE that's been added. Why the hell ca

Re:

[gIobaljustin]

Computer-literate folks like us tend to set the bar too high without realizing how difficult we're making things for others who would just like to use computers to get work done, and not have to spend have their time just in training how not to get hacked.

Strange how people treat cars so differently. Going onto the road with no understanding of how to operate a vehicle or what the rules of the road are would be seen as unacceptable, but if you do something similar (though I think less extreme) with a computer, it's just normal.

Calling non-experts "retarded" is not going to help anything.

I'm not saying that non-experts are retarded. One doesn't have to be an expert to not be retarded; they just have to be a tiny bit competent and learn some *basic facts*.

Comments prove the McWhorter's point

[DaveV1.0]

I don't think I have seen one comment that "Guccifier" did was wrong. But, there are plenty of posts calling McWhorter an idiot, a pinhead, a shithead, etc. and telling her to shut up and that it is her own fault she was hacked.

Most comments on here are verbally abusing the victim while completely ignoring the person who compromised her account and posted her personal details on line. And, I am willing to bet that if that happened to any of those posting said comments, the victim would want to kill the perpetrator.

Re:

[DaveV1.0]

That is a false analogy. They are not "leaving the car running". A more appropriate one would be having a cheap lock on their back door, and in this case having a bowl with copies of all her of keys in the house.

Saying "That car thief was AWSOME! You deserved to get your car stolen, you fucking shithead! Next time turn off your car and lock the door, n00b!" Isn't "suggesting that they not leave their car running and walking away".

Please go read the comments where they are not suggesting she "take reason

Agree with headline...

[meustrus]

Disclaimer: I didn't RTFA, and while I agree with the headline and summary, it's not for the same reasons and I actually have a lot of respect for real hacking.

I agree that it's time to stop glorifying hackers. Not real hackers that find SSL vulnerabilities, or who hack the mainframe, or who embed assembly in their compiled programs. No, those people deserve all the glory they get (which is very, very little). No, I'm talking about the "hackers" that are always stealing peoples' passwords.

A figurative 99% of security breaches happen because a password got stolen. That is not hacking. That is stealing a password. It requires no more technical competence than the average user possesses. If you write your password down and throw it away, the garbage man can find it and log into your email. Does that make him a hacker? No, it makes him an unethical, opportunistic garbage man.

Password security is not equal to computer security. Real hackers compromise computer security, possibly resulting in a stolen password, or possibly resulting in access that renders the stolen password irrelevant. And if someone steals a banker's password and uses it to do things the banker is allowed to do, then there wasn't anything wrong with the computer security.

That's not to say the user is automatically at fault for the password security. I mean, sure, the user could have handled the password better, but if that user understood that in the first place then there never would have been a problem. Password security is a policy detail. That's probably why it's usually the weakest link. Only the geeks understand enough to design an effective policy, but the geeks don't usually design good policies for non-geeks.

Let's get this straight, Diane...

[macraig]

... we don't glorify hackers, we glorify good people doing good things that benefit the common good. It just so happens that some of those people accomplish that goal by hacking.

So says the NY Times.

[davydagger]

We glorify much worse in society.

Our top artist, Jay-Z is a man who made a career spanning over a decade rapping about being a criminal(gangsta rapper), and glorying a life soaked in drugs, loose women, and crime.

On the other hand, we have movies like zero dark thirty which glorify torture.

We glorify politicians who lie, cheat, and steal, and we encourage eachother to lie cheat and steal for them.

When a kid is bullied in school they are generally blamed for being weak, socially unfit, or making themselves a target.

Most celebrities, the people who we all mimick, do drugs, drive under the influence, sleep around, and act without a care for the rest of us. If we admit we don't like them, something is wrong with us. We re-adjust our social values around them.

We glorify the press and the news, and when they get caught lying to us, often to assassinate someones character for either social or political reasons, strut around as if their position makes them nobility, and violate each and every rule they tell us they abide by with enough regularity its safe to say they don't exist, we extoll them as the saviors of democracy.

But yes, its hackers. Hackers are making society a terrible place. If computer break ins where any other field besides computers, it would be socially accetable. If you get take advantage of financially, or make a silly mistake, well its proof the capitalists are smarter than you. If the bank takes advantage of your lack of time to fight them, its because they deserve to prey on the weak. If you break into the bank computers because the same smarty pants bankers are to daft to learn your field, your a terrorist.

Somehow hackers are glorified? Another shitty op-ed from the NY Times, a fine publication with a long history of clueless op-ed writers, and hideously snobbish double standards.

I've said this before, and I'll say it again, the NYT is a fine publication, but the opinion editorials are run by a bunch of smarmy yuppie shitheads without any real vantage point in society.

Re:

[wiredlogic]

In the case of large organizations like Target, IT expenditures are controlled by management ladder climbers who don't have the knowledge to make the proper decisions on matters that require anticipating "unknowns". If a business case can't be made for spending money on security it gets cast aside because these people are only taught about bean counting in their MBA coursework.

Re:

[TangoMargarine]

I'm surprised it took until two thirds of the way down this article for someone to say this. The author seems to be proposing that companies just don't implement security and "trust" hackers to not hack?

I also don't "get" why all these security breaches keep happening where the attacker can download the plaintext of basically all users' passwords...why the hell aren't these companies just storing the password hash? If a user forgets their password, email them a reset link to their listed account email. Wasn

Re:

[ColdWetDog]

It seems to me like a venture into the fearsome territory of pointless and redundant. How is this a worthy discussion point and not promptly-filtered-by-hippocampus blabber from an entitled and technologically uneducated person? Do people now need detailed explanation from "the authorities on the subject" on absolutely *everything* ?

Reading this, to me, feels like reading anti-evolution blogs. Desperately trying to be an edgy and heard voice of a generation. So much so that "logic" is, for the purposes of being perceived as hip, opinionated and ahead of the times as possible, thrown out along with the baby, the bathwater & the bathtube.

"hippocampus blabber' - I like it....

The quality of the prose and logic suggests that the entire article was written after a double skinny natural vanilla flipped cappuccino at the local Starbucks and uploaded to the NYT using the Starbucks WiFi network without any sort of encryption at all.

We'll probably find her new passwords on Gawker next week.

Re:

[TangoMargarine]

If you hire a lawyer or tax consultant to help with tor networks for your taxes

Er...do people actually do this?

I'd rather have them say "white hat hacker" than assume all hackers are evil; wouldn't you?

Re:

[geekoid]

I would rather they say 'A criminal hacked into...