The latest episode talked about how we are manipulated by questionable companies and organizations that seem to sell safety but actually market fear.
Companies profess to want to protect us, the show said, while using fear to manipulate us into doing what they want us to do and buying what they want us to buy. I saw a direct parallel between what they were saying and what we in the IT world have been seeing as of late.
I really dont like being manipulated, and Im getting really tired of security alerts that seem designed primarily to get me to buy a vendors product. I think its time we explore this and do something about it, as the desktop remains one of the most vulnerable both to security exposures and to being exploited in this way.
Security firms, which are exploding right now, make money by increasing your perception of risk. They do this by pointing out potential exposures, so that you feel their services are critical to your survival. If it were up to them, every employee would have personal protection, and an eight-hour day probably wouldnt be long enough to get through their security to do your job.
We get incredibly interested in comparisons between Windows and Linux, but our own Larry Seltzer has concluded that it really doesnt matter what the platform is, and that whether youre secure depends "on the dedication of administrators and a given organization to security."
We simply cannot rely on security firms to accurately assess what the real risks are and what we need to combat them. It is in their best interest that things look worse than they are because they use this to move their products.
An example of this came up on National Public Radio the other day. They were interviewing 22-year-old hacker Adrian Lamo, and I was fortunate enough to run into a transcript of the interview while working on a related project. Lamo is famous for illegally hacking into The New York Times computer network, among other things. One of the things he said really drove this point home.
When NPR asked him why he didnt use his skills legally, he replied that he finds the security industry inherently dishonest and that it preys on the fears of IT managers by pointing out unrealistic exposures and then profiting from the fear created by these largely bogus exposures. He said he thinks the security firms are simply too dishonest to work for.