I remember being excited when I was asked to use a sledgehammer to tear down a covered garage that wasn't approved by the city. It had been standing beside my girlfriend's house for years. You could tell it was built intelligently and with love. The supporting beams were twice as thick as required by code, and every nail and screw was driven straight. The lumber itself was top shelf, not a knot or bend in it.
I have a hard time driving a nail straight -- yet it took me less than an hour to turn the structure into a crumpled pile of lumber. In the security world, something similar happens every day when hackers tear down whole networks and systems.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]
In reality, hacking is easy once you know what you're doing. Defending is hard. If you want to truly impress the world, develop systems and applications that will be used by a lot of people while being resistant to easy hacking. Anyone can knock down a garage. But build one that can't be taken down by a blockhead swinging a heavy sledgehammer, and you've done something.
Hacking is all too easy
Hacking is as easy as 1-2-3: Locate target. Identify software and version. Research possible vulnerabilities. Attack. Compromise. In my nine years as a penetration tester, I broke into every company I was hired to test, all in one hour or less (apart from one project that took three hours). These targets included banks, hospitals, energy companies, media firms, and three-letter government agencies.
I'm not even that good at hacking. On a scale 1 to 10, I'm probably a 5. When I worked at Foundstone and led an Ultimate Hacking class, I taught hundreds of students, in a matter of days, how to break into the average company with minimal effort.
That's not to say all forms of hacking is child's play. I had one buddy, who I rank nearly a 10 on the hackometer; he coded his own BSD drivers and was a hospital IT manager at age 16, but he was so bored with penetration testing that he always came up with little challenges for himself.
For one, he considered the pen test a failure if it resulted in a firewall entry. He coded his own hacking tools because he didn't like the noise the traditional tools created. Whatever the goal, he set his bar higher, and whenever he was paid to hack a company, he proved his mettle by hacking related companies that had b-to-b access to the client. He wanted to demonstrate to all involved parties what a good hacker could do.
That said, the world's best computer security minds try to prevent malicious hacking. Working on the side of good offers an opportunity to work alongside the best and brightest in the industry. Further, the person who is most instrumental in building a more secure computer world will probably be world famous, for doing what so many others have tried to do and failed.
Security heroes today
As it stands, a few people that can churn out very secure code, although even they aren't perfect. Dr. Daniel J. Bernstein quickly comes to mind. He's the sole coder behind the very secure DBJDNS and Qmail, among his many programming projects. He taunts vendors to deliver more secure software, but he also walks the walk. Despite being around for well over a decade, both products have suffered only one discovered vulnerability each -- while all their competitors suffered from dozens.