Monday, December 29, 2008

Baud boy, baud boy, what'cha gonna' do?

Matthew Broderick was l33t* years before Trinity ran Nmap and pulled off an OpenSSH sploit. Seriously, it's not that hard to run a port scanner and download a canned exploit. David Lightman (Broderick's character) put real effort into his gear. Plus, the Matrix sequels were philosophical silliness dolled up with CGI to arouse drowsy neurons. WarGames explored some similar themes with a better plot and better acting, as summed up in David Lightman's "Is it a game... or is it real?" vs. Neo's "Whoa."

The movie's hacking premise rests on the tools in chapter 18 of AHT3. Wardialers also featured in the non-fiction account of computer espionage, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, by Cliff Stoll.

More recent examples of what can be done with a laptop, modem, and free time can be found in this SCADA presentation. (The author is from New Zealand. If you look closely at some of the photos you can see hobbits.) The presentation also debunks a few myths about the Ultimate Doom (UD) that could be caused by messing with SCADA systems. While UD isn't impossible, the most common examples of potential UD cited in news stories are significantly overblown.

*This is the only time leetspeak will appear on this web site. I promise.

Monday, December 15, 2008

Insecurity is like writing good and what you end sentences with

Pick a programming language. There are good odds that a web application has been written in that language and better odds that the application contains at least one vulnerability. Many vulnerabilities result from simple coding mistakes that look obvious once they're identified, just as incorrect adverbs and sentence-terminating prepositions stand out to anyone who pays attention to English grammar. Secure coding has many parallels with good writing (or writing well). Grammar rules make communication clearer.

Straying from the path of grammar isn't always bad: text messaging, quick e-mails, and inside jokes serve specific purposes. Incorrect grammar can even be unintentionally funny. Incorrect coding might lead to funny error messages or logic loops, but it also leads to security vulnerabilities.

In the last two years at my current job I've written roughly 30,000 lines of C++ code. Every once in a while the QA team finds a bug or reports a core discovered in the released code. During my periodic code review and refactoring I come across even more undiscovered bugs that haven't yet manifested themselves.

Well-written code should be more secure code. (This assertion, like many others made here, has anecdotal support but no empirical support -- beware that common sense can often turn into nonsense when subjected to the scrutiny of testing and validation.) Yet code that can be parsed and compiled correctly doesn't inherently imply secure code. Just as documents can contain non sequiturs and lack coherent flow, so too can well-written code fall into logic traps or misalign a variable's time of check with its time of use.
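The time-of-check/time-of-use trap mentioned above is a good illustration of code that is grammatically flawless and still wrong. The C below is an added example, not code from the original post: `open_racy()` validates a path with stat() and then opens the same path, so the object it checked and the object it uses need not be the same; `open_checked()` opens first and validates the descriptor it actually holds. The function and error-code names, and the constructed fixture in `demo()` (a temporary file plus a symlink to it under /tmp), are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes for the two open variants (hypothetical names for this example). */
enum { ERR_OPEN = -1, ERR_STAT = -2, ERR_NOT_REGULAR = -3, ERR_WRONG_OWNER = -4 };

/*
 * The logic trap: the *path* is checked with stat(), then the *path* is opened.
 * Nothing ties the two calls to the same file system object, so whatever the
 * check established says nothing about what open() finally returns. It also
 * follows symlinks without comment. Compiles cleanly, reads cleanly, is wrong.
 */
int open_racy(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)            /* time of check ... */
        return ERR_STAT;
    if (!S_ISREG(st.st_mode))
        return ERR_NOT_REGULAR;
    return open(path, O_RDONLY);         /* ... time of use, possibly a different object */
}

/*
 * Check the object you are going to use: open it first (refusing a symlink at
 * the final component), then fstat() the descriptor. A descriptor is bound to
 * one inode, so the properties validated here are the properties of the file
 * that is actually read.
 */
int open_checked(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return ERR_OPEN;
    struct stat st;
    if (fstat(fd, &st) != 0)      { close(fd); return ERR_STAT; }
    if (!S_ISREG(st.st_mode))     { close(fd); return ERR_NOT_REGULAR; }
    if (st.st_uid != geteuid())   { close(fd); return ERR_WRONG_OWNER; }
    return fd;
}

/*
 * Constructed fixture: a regular file we own and a symlink pointing at it.
 * Returns 0 when both functions behave as described, a small nonzero code
 * identifying the first failed expectation otherwise.
 */
int demo(void)
{
    char target[] = "/tmp/toctou_demo_XXXXXX";
    int fd = mkstemp(target);
    if (fd < 0)
        return 1;
    if (write(fd, "hello\n", 6) != 6) { close(fd); unlink(target); return 2; }
    close(fd);

    char link[sizeof target + 8];
    snprintf(link, sizeof link, "%s.lnk", target);
    unlink(link);
    if (symlink(target, link) != 0) { unlink(target); return 3; }

    int rc = 0;
    int good      = open_checked(target);  /* regular file, our uid: accepted */
    int via_link  = open_checked(link);    /* O_NOFOLLOW rejects the symlink */
    int racy_link = open_racy(link);       /* the racy variant happily follows it */
    if (good < 0)              rc = 4;
    else if (via_link != ERR_OPEN) rc = 5;
    else if (racy_link < 0)    rc = 6;

    if (good >= 0)      close(good);
    if (racy_link >= 0) close(racy_link);
    unlink(link);
    unlink(target);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The point is not the symlink itself but where the validation lives: a check on a name can be invalidated by anyone who can change what that name refers to before the use, while a check on an open descriptor cannot.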

Metaphors for computer security -- cars, onions, castles, moats, cheese (I made up that last one) -- are usually stupid, unhelpful, and break down under the slightest inquisition of relevance. Writing an essay, e-mail, etc. at least shares the same physical process and more closely resembles the good and bad aspects of adhering to a language's rules and the ease with which simple mistakes can be made.