Tuesday, February 14, 2012

You are ethical ... and Information Security is a blind alley...!
Ethics is a much used word, and we know that EVERYONE in security is ethical, trustworthy, with a high level of integrity, and will keep all my corporate secrets deep in his/her heart until death do us part (or until you do not pay my bill!)


Well, a number of times I have asked some friends how they can say that they are ethical hackers! I mean, you are certifying your own honesty. Simply speaking, if you walk around Mumbai or Gurgaon wearing your white hat for less than half an hour it will become dirty ... lo and behold, you are a gray hat. And if you accidentally bump your car or cycle into someone you will morph into a black hat :)


Until now I had been thinking about individuals, because one does not mistrust the security majors. And then this happens....
Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment
http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
The evolution of the internet, technology and mankind is a fact. So is the fact that the concepts of privacy, democracy, freedom, human rights, commerce, economics, crime, war et al are being re-written. Symantec kept quiet for five years after being hacked, the Arab Spring helped overthrow despots, WikiLeaks has shaken the most powerful nation so badly that they want to get to him anyhow, and state and non-state players are no longer distinguishable.


So who can we trust? And how is trust proven? Can the company we trust in turn trust the thousands of people who contributed to the millions of lines of code, or to that small widget that was embedded in my cellphone, or pacemaker!


Sinister thoughts in a dark world where we are all walking blind and talking like we know it all. I mean, I feel clueless / helpless and what-have-you when I read about Symantec, RSA, Microsoft, Verisign, DigiNotar (the CA that was hacked), Sony, Heartland, TJ Maxx, Citibank etc. etc. - and other bastions of security that were felled.


Then you read about the suspicion that malware or spyware is embedded in hardware coming out of China, or that Apple and others installed tracking software from Carrier IQ. 


What is ethical, what is not; where do we draw the line? In a zillion lines of code, how does anyone know if there is that one line that is keeping tabs on you (and maybe the developer company does not know about it either)?