The mechanics and dynamics of hacking are blurry to the typical IT guru…
- Are hackers ahead of the entire IT security industry?
- Why did the balance between the two parties shift long ago?
- What created such a big gap when there was no such huge difference in the 90s?
It’s a false hope to believe that the sunny side of cyberspace is controlling the cyber-planet! Malicious hackers are way ahead, and that’s why we spend so much time on safety rather than focusing on the legitimate needs of cyber-society!
Many factors are involved in hackers’ supremacy: knowledge (original or fake), intelligence, teamwork with a genuine sense of community, the nature of the operation, the goal and its outcome (destructive or constructive), originality of source code… But I have noticed that one factor matters more than all the others, something that took the hacker community to a totally different level of control and changed the balance between Jedi and Sith forever: Commitment! Hackers are simply more committed to doing their job!
We send our top IT talent to learn hands-on hacking techniques, encourage IT administration to dive deep into the dark web, and have the whole company crew learn security essentials, and still it takes one man to bring the entire company’s technology infrastructure to its knees, all because the mechanics and dynamics of hacking are blurry to the typical IT guru. Here is an analogy to the human body: consuming more and more vitamins and hoping for physiologically healthier cells, while the body is creating cancerous cells. That is ignoring the root cause and going after fixing the issue without considering the symptoms! But the result would be misleading, because even with cancer, vitamin C still has a positive effect on the patient!
Focusing on defining more complex firewall rules, versus not setting up vulnerable nodes with default insecure configurations!
Software, with every piece of its code, is the foundation of any modern computerized system (basic, huh?), and that’s where we have a problem: creating vulnerable code in the first place. That’s where “Commitment” comes into the equation: the software community wants to release in a rush, with limited to zero knowledge of security, dealing with very high-level and complex APIs, no tests, an immature or illogical software development process, no code review… But hackers are committed to reviewing developers’ code for them, and they find those cancerous cells inside the body of the software!
Even worse, while hackers are committed to finding and exploiting those software flaws, developers are committed to releasing newer versions with more focus on functionality than on fixing the foundation. No doubt it is tedious and sometimes impossible, because if the flaw is in the design, there is no time for the developer to step back and fix something natively insecure, to the point that developers sometimes prefer to leave the insecure code behind completely and go for brand-new baby code, where they fall into the same illogical development process, or may even reuse boilerplate code from previous practice (more likely insecure artifacts).
Focusing on setting up numerous security tools in an environment, versus no longer adding insecure nodes to that same environment!
Code review is the best way to get ahead of hackers, and of course it is software developers’ mission to culturize and popularize the practice from the earliest stage of coding. As for IT administration, they need to fully understand the mechanics of the software they are using. Remember that today’s IT crew are more like software operators, so it is reasonable to expect operators to be fully aware of the machine they are driving.