Sysadmin blog
Information security and privacy are important. Stop being Oracle-class short-termist assholes. Stop waffling, dodging and procrastinating. Get your heads out of your asses and start doing something to improve things for everyone.
You. Yes, you there reading this article. I don't care who you are, you have the power to be part of the solution.
Our leaders, be they executives of multinational corporations or politicians, are apathetic dunces regarding information security because we allow them to be.
Oh, collectively we're all about "security" when it means murdering brown people to steal their oil. That's all fine and good. But public support is thin on the ground when rich white men don't stand to get richer.
Hundreds of millions of people in first world nations have had their personally identifiable information stolen this year alone! Tens – perhaps hundreds – of millions have had their credit cards stolen this year.
The depth of information pillaged from government and corporate servers through events like the OPM and Sony hacks can and inevitably will be used to ruin lives. Yet we sit around, gazing at our navels and collectively doing fuck all about it.
A politician wants to shut down a coal plant so old it has cave paintings on the side of it and is spewing cancer-causing toxins into the air? The streets fill with gun-toting nutjobs threatening revolution! Protests and e-mail campaigns are organized. Massive campaigns to call politicians are rolled out. People take a stand.
Where are the people working the system to get laws in place to hold executives accountable for Oracle-class infosec stupidity? Where are the boycotts of companies that refuse to invest in proper information security?
Hell, when was the last time you, the information technology experts reading this article, bothered to check whether the firmware on your home router can still be updated, and whether the vendor is still shipping updates at all? These devices are a massive security flaw waiting to happen, and one that many of us can actually do something about.
And what about developers? Seems there's an awful lot of hemming and hawing that proper coding isn't really the developer's responsibility. Blame is passed around and nobody is willing to take a stand against the software-defined moronocalypse.
Information security isn't just an abstraction
Let me ask you this: if the company you worked for made dog food and they were knowingly allowing toxins into their dog food that would inevitably kill millions of people's pets, would you speak up? If the company refused to listen to you, would you quit in protest? Would you leak the information to the press?
Now, I ask you, why won't you take a stand on information security issues? Why do our collective ethics and morality end so sharply? Real people's lives are affected by information security stupidity, in some cases to very extreme and disturbing degrees.
What is it about technology being the abstraction layer for ruining someone's life that makes us not only feel morally justified in our overwhelming apathy, but actually get on forums and social media to loudly decry any responsibility or need to act at all?
The lies we tell ourselves aren't true. Insurance doesn't cover everyone. Plenty of banks and other institutions make people live with tens, even hundreds, of thousands of dollars of fraud committed in their names. People are put on “no fly” lists, their professional lives ruined for things they didn't do.
The consequences of information security stupidity are very, very real.
Aux keyboards, citoyens!
Unfortunately, these issues will never get solved unless we make them a very real problem for the companies and governments we work for. These issues need to impact the bottom line in order to get through the haze of quarterly thinking. They will never be addressed unless we change our buying habits and take stands at our places of work.
So why do we keep believing it's not our problem? Why do we keep letting the short-termism reign? Why are we constantly willing to defend the rights of the already rich to screw us all over with toxins and bombs and terrible wages, and yet we won't band together to enforce minimum standards of information security on our employers?
Why are we so almighty important that we should be allowed to sit in our comfort zones and not rock the boat, when we know damned well that really bad decisions are being made that will affect tens or even hundreds of millions of people? Who are we that we feel okay with that?
The problem is only going to get worse until we, the industry professionals who can actually affect this, choose to step up. So when do we, dear reader, choose to employ the only methods of addressing the moronocalypse that will actually work?
There are things we can do. We can refuse to work on projects that, based on our professional opinion and experience, are security problems waiting to happen.
Systems administrators can refuse to install hardware and software that they know can't be defended. IT managers can refuse to use services that they know are flawed. Developers can refuse to work on projects where adequate time has not been allocated for QA testing, or where no security testing is being discussed or built in.
We can do these things. We should do these things. Even if they cost us our jobs.
We need to agitate internally within our organizations to stop buying from vendors who don't have a strong public – and practical – commitment to security. We need to stop buying consumer gear from companies that refuse to pay more than lip service to security. We need to show that we will use our wallets with purpose, not merely convenience.
Sadly, we also need to agitate for legislation. The market has completely and utterly failed to address the issue. People in positions of decision-making power need to be held accountable for security issues. Even if that means piercing the corporate veil.
Above all, we need professional associations that advocate and enforce ethics requirements... and we need to stop hiring people who aren't a member of these associations.
What's needed is sweeping social change. That always carries a cost to those who stand up for what's right and it often takes generations.
I, for one, am not ready to wait until I find myself surrounded by self-driving cars, automated weapons that can make their own decisions about who to kill and $DEITY knows what other robots and computers that will be responsible for keeping me alive... or choosing whether or not to kill me.
I won't wait until we move past counting the cost of our electronic arrogance in billions of dollars and start counting it in bodies. Fix your shit. Make others fix theirs.
Now, if you'll excuse me, I have some long e-mails to write to the owners of various online publications I write for about implementing SSL by default. What stand(s) will you take, dear reader?
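For readers wondering what "SSL by default" concretely asks of a publisher, here is the server-side shape of it as an added example; it is not code from the original post or from any publication mentioned in it. It is an nginx configuration for a hypothetical site, example.com, that answers every plain-HTTP request with a permanent redirect to HTTPS and tells browsers to stay on HTTPS via HSTS. The hostname, certificate paths and document root are assumptions.

```nginx
# Added example, not from the original post. Hostname, certificate paths
# and document root are placeholders for a hypothetical site.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Every plain-HTTP request gets a permanent redirect to the same path
    # over HTTPS. Nothing else is served on port 80, so no page, login form
    # or session cookie ever travels in the clear.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/certs/example.com.fullchain.pem;  # assumed path
    ssl_certificate_key /etc/ssl/private/example.com.key;          # assumed path

    # Offer only current protocol versions; SSLv3 and TLS 1.0/1.1 are not
    # negotiable at all, regardless of what the client asks for.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS: a browser that has seen this header refuses to speak plain HTTP
    # to the site for the stated period (one year here) and will not let the
    # user click through certificate errors. "always" sends it on error
    # responses too. Roll it out with a short max-age and without
    # includeSubDomains until every subdomain is confirmed to serve HTTPS,
    # because a browser that has cached the policy cannot be told to forget it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;  # assumed document root
}
```

Verifying the redirect half is one request: `curl -I http://example.com/some/article` should return `301` with a `Location:` header pointing at `https://example.com/some/article`, and `curl -I https://example.com/` should show the `Strict-Transport-Security` header. The usual reason publishers drag their feet is not the certificate but mixed content: ad tags, image hosts and embedded scripts still loaded over `http://` break on the HTTPS page until every one of them is fixed, which is exactly the kind of work that gets deferred "until next quarter".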