Hill-Billies: A Case Study

Monday, August 16, 2010
Cross-Posted from Robert "RSnake" Hansen's Blog: http://ha.ckers.org/blog/20100816/hill-billies-a-case-study/

34 posts until the end… Oh, and happy Monday. It’s time for a little story.

Once upon a time there were some hill-billies living in the deep south. They had virtually nothing. They made their moonshine and lived the most meager of lifestyles. They were in deep poverty. They made do with their hooch and their stories. They worked hard, 8 hours per day at the local sweatshop, but they were happy enough. Then one day, an advocate for a minimum wage increase saw what the hill-billies were living in and how they were living their lives. It made the advocate angry, and they went to fight the local sweatshop to increase the workers' wages. The advocate wanted to make sweeping changes and would use the hill-billies as a case study on how much a little extra money can improve someone’s living standard, to further the advocate’s cause.

Eventually, after intense scrutiny, the sweatshop realized that it had indeed been paying too little for any decent standard of living and decided to give all its minimum wage workers a rate increase, which included our friends the hill-billies. So now you’re thinking to yourself, the hill-billies got a home loan, or used the money to pay for school, or something else productive, right? No. What happened was that the hill-billies had always been happy with what they had, and the extra money allowed them to work less and make the same amount. They continued to make their moonshine and lived happily within their means…

The moral of the story is that about a year ago I reached an inflection point in my career of 15 years in security. I realized that with every major innovation the security community comes up with, the general public and vendors alike figure out a way to abuse that innovation or work around it to do what they originally wanted to do again (think firewalls and tunneling over port 80). It feels like we’ve been battling to protect people, but the people don’t want to be protected if it means changing. They’re happy with the status quo. Of course, there’s always fear of the unknown, and fear of insecurity is a key driver of spending (think anti-virus). One thing’s for sure though, you can’t change the nature of the hill-billies, so why are we trying? Our only path to success is empowering people to do what they want, without getting in the way. The words “No” and “Can’t” have to leave our vocabulary when it comes to what consumers and developers and companies want to do. Now, the trick is: how do we build security that no one notices is there?
