Thought for the day:Sense and security

Simon Moores believes breaches in IT security have far more to do with sloppy management of people, processes and policy than...

Simon Moores believes breaches in IT security have far more to do with sloppy management of people, processes and policy than with the choice of technology.

Let me see if I have this right. A British hacker, Gary "Solo" McKinnon - not Osama Bin Laden, mind you, and for no other purpose than personal amusement - allegedly managed to wreak havoc among US military systems until he was clobbered by the National Hi-Tech Crime Unit (NHTCU) here in the UK.

Of course, nothing valuable was stolen, say the US authorities - no plans for the latest Stealth fighter or the story of what really happened at Roswell - but they still want to extradite him.

This all leads to a certain jurisdictional fuzziness, as I'm informed that in this country, at least, "information is not capable of theft". While it's an offence to deceive a person, it's not an offence to deceive a machine.

Hold on, you say, what about a cash machine with a stolen pin number? Apparently that's different because theft by deception is involved.

Quite understandably, McKinnon would prefer to avoid being extradited to a country that first tested the electric chair on an innocent elephant, and where this summer Congress approved legislation that could attach a potential life sentence to the crime of hacking.

Most unlike the UK. You may recall last year's case of Welsh teenager Raphael "Curador" Gray. His hacking exploits resulted in an order for three years' court-supervised psychiatric treatment. The judge also commended his "sense of humour" for sending Viagra to Bill Gates, using illicit credit card details for the purchase.

So what does the revelation of McKinnon's activities tell us, other than the need for this government to introduce a new crime of "criminal stupidity" in the next Queen's speech? Last week, I was talking with NHTCU industry liaison officer Tony Neate and he told me that one in five organisations had suffered a security breach.

Security has, increasingly, little to do with your choice of platform, although it's an important factor. I see that Apple's Macintosh OS X has been confirmed as vulnerable to a number of exploits.

It's no longer good enough for the media to lay the broader responsibility for Internet security at Microsoft's feet, because the evidence clearly shows that the different Unix flavours, Linux, Solaris and Mac OS X are suffering too when it comes to published exploits and recorded compromise.

Truly secure computing, whether it's Windows or even Open Source, remains an aspiration and will do for some time.

The US military sites should have been hacker-resistant, but they weren't. I would guess the problem lies more with people, processes and policy than with the choice of technology. In combination and badly managed, they can open a hole in the network infrastructure that offers a skilled hacker such as Solo enough space to drive a truck through.

And if the increasingly paranoid and security-conscious Americans have been caught with their pants down, then God only knows what's been happening closer to home over the past 12 months.

While people still use guessable passwords and administrators fail to apply security patches, the problem isn't going to go away. We can "export" McKinnon to the US for trial, but he's simply one of many thousands who aren't deterred by the prospect of making new "friends" in a Federal penitentiary.

Education remains the answer to better security. Not trustworthy computing but responsible or even commonsense computing is what's needed, and anywhere where a computing device of any kind is connected to the World Wide Web.

What is your view?
Is bad management to blame for security breaches? Tell us in an e-mail >> reserves the right to edit and publish answers on the Web site. Please state if your answer is not for publication.

Free security toolkit
Microsoft's new security toolkit, designed to help medium-sized businesses understand their security needs quickly and effectively is available free from .

Zentelligence Setting the world to rights with the collected thoughts and opinions of the futurist writer, broadcaster and Computer Weekly columnist Simon Moores.

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.