Jon Evans
More posts from Jon Evans
We live in a cyberpunk novel. Every major nation-state clandestinely develops (and/or purchases) carefully targeted malware, and constantly probes—or penetrates—other nations’ defenses while desperately evaluating their offensive capabilities. Criminal undergrounds ransom ordinary users’ computers for bitcoin. Fortune 500 companies are breached almost monthly.
Are you scared yet? Excellent! The information security industry is in the business of monetizing fear. This means they’re inevitably incentivized to exaggerate it and perpetuate it. Black Hat, which I attended this week, is simultaneously a) a series of eye-opening talks about worrying-to-terrifying technological dangers and vulnerabilities, and b) an impressively dull enterprise software conference. The scarier the revelations, the better the business, in the long run.
Don’t get me wrong — I am not saying all the scary-evil-hacker news you read is unfounded or manufactured. See the first paragraph of this post. But I am saying the security industry has every reason to amplify and hype it … and to hype themselves. It seems to me that the Black Hat’s corporate attendees, and their ilk, increasingly see themselves as the thin black-clad line between civilization and anarchy, a kind of Praetorian Guard of the Internet.
And you know what, our civilization does increasingly rely on the Internet, and GPS signals, and cellular networks, and the other technologies that are ongoing hunting grounds for hackers. We need to guard all these things. We need to be able to, for instance, push software patches and updates to hundreds of millions of computers, or vehicles, or Internet-of-(someone-else’s-)Things devices, when flaws and vulnerabilities are revealed.
But when I look into my crystal ball, and project these trends out only a few years, I grow uneasy. I see a future where, in the almighty name of security, these networks and technologies are increasingly locked down, constricted, restricted, girded with legal barbed wire; a future where the laws and DRM intended to keep out black-hats and thieves also shut out innovators and tinkerers; a future when walls erected in the hallowed name of security become moats to lock out startups and competitors.
That’s why I like Black Hat’s little sister DEF CON much better, for all its many flaws. Its unruly, disreputable, anarchic attitude is roughly 95% empty posturing, but sometimes even empty posturing is important.
Governments and megacorps may think they’re defending civilization, but history teaches us that anyone who thinks that should be considered guilty until proven innocent. Maybe outsourcing our collective online/technological security to them, and letting them build ever larger and more jagged walls in the name of safety, is actually a really bad idea. Maybe technological security is different from military security. Maybe there is a better, more decentralized, more open-source—more anarchic, even—way.
Comment