That's enough about what's been happening - there's a good chance that the saga continues. What I want to bring in to the discussion is that are we pointing fingers to right direction?
I've got the impression that the following parties are blamed and in this order:
- Users who didn't have the skills and wisdom to pick strong password.
- Hacked site business owners who didn't have the insight to require secure implementation from their service providers.
- Service providers who have either failed to manage the site properly or left security holes in to the code.
- Criminals or indiscriminate hackers who either made the breach or agitated clueless wannabes to do the dirty work.
I have few problems with this priority.
Many users fail to pick good password, true, but having separate, strong, memorable password for different web-sites is mission impossible. Although there are lots of good advice around how to pick a good password, how to create rules to memorize different passwords and how to use password management tools. We've seen many analysis made out of leaked passwords and lots of comments about bad password choices. We seem to forget that most of the leaked passwords are considered to be pretty good and what good that did to those users? Password were leaked anyway. The fact is that passwords are obsolete. We need to have better authentication mechanisms, which don't rely so heavily on human behaviour and memory.
Business owners of hacked sites has been found guilty to not understand security and not requiring secure services. Hacked sites are mostly owned by small companies run by tight budget or discussion forums run by volunteers without budget. I agree that owners should think more about security and demand secure services from their providers. I feel the pain, though. Security is complicated. Site owners should be able to trust their service providers to have security skills and responsibility.
Service providers have in some cases proved to be clueless about security. Ignoring security patching? Storing clear-text passwords? You must be kidding me. I understand that competition is killing small providers and prizing the services is an issue. I've heard about software companies who admit having pricing model, where thorough testing and extra security work is plain impossibility. However, service providers should be the trusted ones. They should have skills and understanding to create and run secure services. They should understand and advice customers about security risks.
How about criminals then? Well, they are guilty as hell and we should not forget that. Even when user picks a poor password, site owner doesn't understand security risks, coders don't know SQL-injection and service provider sell you insecure service, breaking the site and publishing innocent users personal data is a crime. Saddest cases are the young hacker wannabes, who want to get peer acceptance and fame. They want to be a part of something and may end up ruining their life.
So, in my mind we need to reverse the focus of the blame.
- Criminals. Hacking is illegal. Leaking users data is illegal. Our focus should be in catching the criminals and make sure not to spread the damage. This should also show to young, skilled wannabes, that it's better to use one's skills for good. Breaking something is usually easy - you need to find just one weak spot. Securing services is what real men do - you need to cover everything.
- Service providers should take more responsibility. Be an advisor. Help customers to build better services. Advice about risks and countermeasures. Play your cards right and you should be able to get more business. Aim to secure enough quality, not to cheap price. Educate your administrators and programmers. Security haven't been an option for a long time, it must be part of your skill set. There are no security supermen, who could come and fix your service afterwards. You are the responsible.
- Business owners need to learn to ask for secure services. You guys must think what you can loose and how that would affect your business. Think about scenario where you would be on the front page because of a dataleak. Are there any business for you after that? Make contracts that force service providers to take responsibility.
- Users - poor users. The Internet is a complicated environment. Simple user interfaces and useful services hide lots of complicated, technical issues. Applications and services tend to delegate risk and decision making to the user. Terms of use agreements are long, confusing documents, which basically takes all the risk off and gives the ownership of all data to the business owner. Users need to understand password quality, cryptic questions about certificates and make decisions if they want to continue to site even though their got some weird message. User awareness efforts are good and necessary, but they are not the final solution. User is not the weakest link. Weakest link is he, who doesn't design and create services for humans.
There's work to do on every level, but lets keep our priorities straight.