
Archive for April, 2010

2600 letters

Monday, April 19th, 2010

If you’ve ever read 2600, you know that the letters usually make up a large part of each issue, and reflect a broad range of ideas and opinions. I recently found that 2600 is publishing a book reprinting letters from their last 25 years. Called Dear Hacker, it is scheduled to be published in July. I wonder how many of them will be from teenagers asking the editor how to hack into their high school?

terms and conditions

Saturday, April 17th, 2010

We all know that very few people read the fine print before clicking the “I accept” button. It turns out that 12% of people do read it. I’m surprised it’s that high.

ATMs and embedded machines

Thursday, April 15th, 2010

Bank of America recently discovered that one of its employees had planted malware on some ATMs and had stolen a little over $300,000. Two very obvious countermeasures come to mind: use purpose-built embedded devices instead of COTS PCs running a general-purpose OS, and application whitelisting. There is really no reason that arbitrary code should run on an ATM, and therefore there’s no reason to allow it.
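To make the whitelisting point concrete, here is an added example (not code from the original post or from any ATM vendor) contrasting a default-deny execution allowlist with the default-allow blocklist that a typical anti-virus approach amounts to. The "approved image", the malware samples and the paths are all constructed stand-ins; the only real point is the policy logic: the allowlist rejects anything it has not seen, including a tampered copy of an approved binary and a never-before-seen insider tool, while the blocklist permits everything it has no signature for.

```python
"""Default-deny execution allowlist vs. default-allow blocklist.

Added example, not from the original post. All binaries, paths and
"malware" below are constructed byte strings for illustration only.
"""
import hashlib
from typing import Callable, Dict, Set

# Constructed stand-ins for the approved ATM software image.
APPROVED_IMAGE: Dict[str, bytes] = {
    "/opt/atm/dispenser.bin": b"dispenser firmware v2.3 (constructed)",
    "/opt/atm/ui.bin": b"customer ui v2.3 (constructed)",
}

# Constructed stand-in for a signature database of previously seen malware.
KNOWN_BAD: Set[str] = {
    hashlib.sha256(b"old atm skimmer (constructed)").hexdigest(),
}

# Constructed candidates presented for execution: the two approved
# binaries, a tampered copy of one, a catalogued skimmer, and an unseen
# insider-planted cash-out tool.
CANDIDATES: Dict[str, bytes] = {
    "dispenser": APPROVED_IMAGE["/opt/atm/dispenser.bin"],
    "ui": APPROVED_IMAGE["/opt/atm/ui.bin"],
    "dispenser_tampered": APPROVED_IMAGE["/opt/atm/dispenser.bin"] + b"\x90",
    "known_skimmer": b"old atm skimmer (constructed)",
    "novel_insider_tool": b"never-before-seen cash-out tool (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary (path is irrelevant)."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(image: Dict[str, bytes]) -> Set[str]:
    """Hash every binary in the approved image; nothing else may run."""
    return {sha256_hex(content) for content in image.values()}


def allowlist_permits(allowlist: Set[str], content: bytes) -> bool:
    """Default deny: execute only if the exact hash is approved."""
    return sha256_hex(content) in allowlist


def blocklist_permits(blocklist: Set[str], content: bytes) -> bool:
    """Default allow: execute unless the hash matches a known-bad entry."""
    return sha256_hex(content) not in blocklist


def evaluate(
    policy: Callable[[Set[str], bytes], bool],
    ruleset: Set[str],
    candidates: Dict[str, bytes],
) -> Dict[str, bool]:
    """Apply one policy to every candidate; True means 'allowed to run'."""
    return {name: policy(ruleset, content) for name, content in candidates.items()}


def allowlist_verdicts() -> Dict[str, bool]:
    return evaluate(allowlist_permits, build_allowlist(APPROVED_IMAGE), CANDIDATES)


def blocklist_verdicts() -> Dict[str, bool]:
    return evaluate(blocklist_permits, KNOWN_BAD, CANDIDATES)


if __name__ == "__main__":
    for label, verdicts in (("allowlist", allowlist_verdicts()),
                            ("blocklist", blocklist_verdicts())):
        print(label)
        for name, allowed in verdicts.items():
            print(f"  {name:20s} {'RUN' if allowed else 'BLOCKED'}")
```

Run as a script and the two tables differ in exactly one row that matters: the novel insider tool is BLOCKED under the allowlist and RUN under the blocklist, because a blocklist can only stop what someone has already catalogued. The tampered dispenser binary is also caught by the allowlist, since a single appended byte changes the hash; a real deployment would anchor the allowlist in a signed manifest rather than a Python dict, but the decision rule is the same.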

hiring criminals

Friday, April 9th, 2010

If you hire a criminal

Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

no such thing as cyber-terrorism

Friday, April 2nd, 2010

Since the terrorist attacks of September 11, 2001, a lot of money has been spent on fighting terrorism. People who want money, whether for their department budgets, federal grants, or to fund startups, have been casting themselves as terrorist fighters. It has simply become the word du jour. In the information security field, one of the outgrowths of this is the complete and utter overuse of the phrase cyber-terrorism. Admittedly I saw a lot more of this when I was in government circles than I do now in the private sector, so I suppose this is a “leftover rant”, but it is also intermittently popular in the media. Let me say loud and clear: cyber-terrorism does not exist, now or ever. (Cyber-warfare is a more complex issue which I’ll deal with in another post.)

I remember one government-run conference I was at where almost half the talks focused on cyber-terrorism in some way. About halfway through the conference I cornered an academic friend of mine and asked him if he had ever, in his entire life, heard of even a single case of cyber-terrorism. After a few moments of thought the best he could come up with was that if a terrorist was very good, they would have infiltrated something and would be biding their time and waiting. Although this is a popular story amongst fear-mongers, it is not how terrorists work. The goal of terrorism is to wage a campaign of terror. To do so you take credit for everything you do in order to make your targets feel like you control the situation and not them. In fact, terrorists frequently try to take credit for things they didn’t do, just to assert themselves as being in control. Their goal is to gain attention, not avoid it. A terrorist wants to get on the front page of every newspaper in the world; they don’t even care if they killed anyone or blew anything up. (See for example the fact that Umar Abdulmutallab, better known as the Christmas day bomber, is being hailed as a hero even though his plan failed!) For the terrorists the Abdulmutallab attempt was a success not because it killed people or caused damage, but simply because it got us Americans to panic: they inflicted terror. Computer hacking simply doesn’t elicit the same response. The Chinese-Google hacking case arguably caused more damage, but it did not elicit the same fearful response from the American population. It was also almost certainly a much larger expenditure of resources. Why would any terrorist group expend ten times the resources for one-tenth the result? (Again, using their definition of the word result.) Cyber-terrorists may make good movies, but they simply don’t exist in real life.
