The ethics of writing nefarious security instructions

This week I posted a link to a video showing how to crack a WPS-enabled wifi network, and in the same week Ars Technica wrote a firsthand account of cracking a password list. I’m sure this raises questions of ethics in some people’s minds. To be honest, spreading this kind of information makes me a little uncomfortable too, but I also think it’s necessary.

The problem is that many people still believe hacking is hard. And while it’s true that cutting-edge hacking is extremely hard, the tools trickle down to ordinary people very fast. Two years ago there was little reason to worry about WPS security, but now the tools are automated and readily available, and tutorials make cracking a network no harder than making bread from scratch using a recipe. If you can watch a cooking show and follow along and make the same thing, then you can probably crack your neighbor’s wifi, or portions of a leaked password database.

I can say it’s easy. John C. Dvorak can say it’s hard. Some percentage of the population will believe Dvorak over me. But if I show you a demo, then you can decide for yourself if it’s hard. What I saw in the video was someone with entry-level Unix skills–based on his not using tab completion and the way he was changing directories–cracking passwords. When I watched it, my reaction was that I could totally do this.

The main thing that stops people from breaking wifi networks at this point is motivation. If they have any motivation at all, they can do it.

Let’s think of another example. Let’s just say there’s a certain make and model of car that’s extremely easy to break into and extremely easy to hotwire. And let’s say that just happens to be a very popular car right now, and the manufacturer isn’t all that interested in fixing it.

So how much of an uproar would there be if a newscaster demonstrated how to break into the car and hotwire it on the air?

There would be some, no doubt. But once that segment aired, the manufacturer would be under much greater pressure to fix it.

Unfortunately, we have companies continuing to sell WPS-enabled equipment, and magazines giving it great reviews because it’s so easy to use, when its security measures are purely security theater. A neighbor with a vendetta against you can easily crack your WPS-enabled network over the course of a weekend.

And people continue to use bad passwords even though they’ve been told repeatedly that it’s not a good idea.

Demonstrations probably won’t get the point across to everyone either, but they’re all we have left.

So that’s why I link to how-to-hack articles and videos and have no problems sleeping at night after doing it. People who are going to misuse the information will get the information regardless, just like anyone who wanted a copy of The Anarchist Cookbook when I was a teenager could get it. In the meantime, raising the awareness that these flaws exist will eventually goad people into doing something about them.

It worked on Microsoft. A decade ago, a Windows computer with Office was a ready-made malware developer’s toolkit. Today, Microsoft does a pretty good job on the security front. They still have room to improve, but they’re ahead of Oracle, Adobe and Apple now.
