There's an old saying I first heard in motorsport -- there are a few nuggets of wisdom in that nexus of passion, energy and engineering -- that goes 'even monkeys fall from trees'. In plain language, the message of that saying is that even the creature best adapted to its environment, the monkey, can still make a mistake.
In cybersecurity this is a good adage to keep in mind. Phishing attacks are rampant, and no AI defense will ever provide security against the superior imagination of even one determined adversary. What prompted me to write this is the news that Troy Hunt, a security researcher who does great work, was snared by a phishing email that triggered and exploited the human tendency to become alarmed. A notable contributing factor is that he was fatigued.
Yet the details are kinda boring. It was just a phishing email. It was just some MailChimp account data that got yoinked. This kind of attack happens on a daily basis and ordinarily would be No Big Deal; who got phished is the story here. To reiterate, Troy Hunt does excellent work: his project haveibeenpwned.com is an invaluable security resource and likely under-appreciated for what it is, a hobbyist security project born out of individual initiative, which became successful in its own right by filling a market gap. If you haven't checked your email address(es) against his data breach collection, I recommend doing so.
However, some things have also always bothered me about Mr Hunt. In fairness, I'm certainly not beyond reproach, but I make no claim to being a cybersecurity professional: I'm just a filthy hacker. I spent my time in the cyber-pro trenches and basically got PTSD knowing how insecure everything is. It probably contributed to me having a stroke in my 30s. Filing CVE reports is now above my pay grade on the state welfare. I'm in my element when surrounded by cars and computers; the corporate environment has never been my cup of tea.
What bothers me specifically, and I'm not judging and trust he's a great guy otherwise, is his long-time pro-crypto stance, which I cannot imagine anyone in his position reconciling with the objective of taking security seriously. Bitcoin is simply fraud, and no cybersecurity professional should be anywhere near it, because financial crime is illegal. Possibly worse than being illegal, the political goals of cyber-anarchy and democratic order simply collide. There is some ignorance I expect people to plead on this subject; maybe reading a book is too old-fashioned for some. And if USD$10 is too much, there's a good gist in this review.
So I must admit to feeling like a cynic when I heard Mr Hunt got phished. If a person is first deceived into thinking any "blockchain" pyramid scheme has utility, how damn easy is it to deceive them further, about anything else?
This issue of Bitcoin simply being an illegal pyramid scheme, while people make excuses for it or, worse, legitimize it under the guise of security -- by accepting donations in it, as Mr Hunt does -- amounts to failing a kind of litmus test. All in all, I value the work Troy has done, but even monkeys fall from trees, and I include myself in the metaphor of the monkey. Maybe it is karma for the climate damage his transactions did; one transaction emits more CO2 than burning a whole tank of gasoline. But karma is not something I'd try to push; karma is something that just happens.