“Unhackability” or just poor journalism?

An over-extended analogy about seat belts and passwords.

I recently saw a tagline for a brief article in a very reputable British newspaper which was “Four easy steps to unhackability”. It did two things to me:

  1. it made me die a little inside;
  2. it made me really quite angry.

The latter could be partly related to the fact that it was a Friday evening and I felt that I deserved a beer, and the former to the amount of time I’d spent during the week mastering our new expenses system, but whatever. The problem is that there is no “unhackable”. Just as there is no “secure”.

This, I suppose, is really what made me die a little inside. If journalists are going to write these sorts of articles, then they should know better. And if they don’t, the editor shouldn’t let them write the article. And if they didn’t write the tagline, then whoever did should be contacted, shouted at, and forced to rewrite it. And provide an apology.  Preferably a public one.

The article was about good password practice, and though short, contained sensible advice. For a more complete (and, dare I say, wittier) guide, see my article The gift that keeps on giving: passwords.  I was happy about the advice, but far, far from happy about the title.  Let’s employ that most dangerous of techniques: an analogy.  If, say, someone wrote an article on motoring about how to use seat belts with the tagline “Four steps to uninjureability”, anyone who knew anything about cars would be up in arms, because it’s clear that seat belts, useful as they are, and injury-reducing as they are, do not protect you from all injury when driving, even if employed perfectly correctly.  This is what made me angry, because the password article seemed to suggest that good passwords would stop you being technologically injured (see: here’s why we don’t let people play with analogies).

Because, although most people might understand about seat belts, fewer people – many fewer people – have a good idea about computer security.  Even the people who do understand lots about computer security aren’t immune from being hacked, however well they pursue good practice (and, to reiterate, the advice in the article was good practice).  It’s the same with motoring – even people who use their seat belts assiduously, and drive within the speed limit, and follow all the rules of the road, aren’t immune from injury.  In fact, no: motoring is better, by at least one measure, which is that (in most cases at least), there aren’t a whole bunch of people whose main aim in life is to injure as many other motorists as they can.  As opposed to the world of technology, where there really is a goodly number of not-so-goodly people out there on the Internet whose main aim in life is to hack[1] other people’s computers and do bad things with their data and resources.

As my friend Cathy said, “it gives people a false sense of security”.

Some actual advice

Computer security is about several things, of which the following come immediately to mind:

  • layers: the more measures or layers of security that you have in place, the better your chances of not being hacked;
  • timeliness: I’m not sure how many times I’ve said this, but you need to keep your systems up-to-date.  This may seem like an unnecessary hassle, but the older your software is, the more likely that there are known vulnerabilities, and the more likely that a hacker will be able to compromise your system;
  • awareness: sometimes we just need to be aware that emails can be malicious, or that that phone-call purporting to be from your Internet Service Provider may in fact be from someone trying to do bad things to your computer[2];
  • reaction: if you realise something’s wrong, don’t keep doing it.  It’s usually best to step away from the keyboard and turn off the machine before more damage is done.

There: a set of pieces of advice, with no ridiculous claims about how well they’ll serve you.  I’ll save that for another, lazier article (or hopefully not).


1 – I mean “crack”, but I’ve pretty much given up on trying to enforce this distinction now.  If you’re with me and feel sad about this, nod quietly to yourself and go to enjoy that beer I mentioned at the beginning of the article: you deserve it.

2 – don’t even start me on using random USB drives – I even had an anxiety dream about this last night.

Author: Mike Bursell

Long-time Open Source and Linux bod, distributed systems security, etc. Now employed by Red Hat.
