I read, with some interest, Lisa’s article (“Development and design converge… but not completely”). As a software engineer with over 40 years of “software design” experience, I find it disconcerting that the “graphical UI designer” community seems to be co-opting the phrase “design” (at least as Lisa seems to use it) as if they were somehow specially deserving of the unadjectivized term “design.” They deserve their role, but the tone of the whole article (e.g., “Developer involvement in Design” means “User interface design”) implicitly offends me. UIs are important but not everything, and UI design is not first among equals. Every engineer designs, in his discipline.
Ira D. Baxter
The illusion of security
Please allow me to amend the claim that “Sometimes we don’t even know that a successful attack occurred” (“Zeichick’s Take: Preying on the weaknesses”). The standard case for some years now has been that we do not know when attacks have succeeded. We find out later, or someone else discovers that one machine in a network has served as a platform for network discovery, surveillance and control, leaving an agent on each machine or just returning to each machine as needed. Sometimes attackers come and go, leaving no trace, but generally they stay on once the breach is exploited. In fact, sometimes multiple attackers occupy a machine, and they may get into disagreements.
I had such a situation, with malicious common criminals exploiting in one case a standard U.S. backdoor, and in another the old Sony rootkit. They jostled one another, and when I blocked network traffic completely, I found the U.S. government on my systems, having forced its way in upon finding the front door locked, leaving the network vulnerable to anyone looking for adventure. Now the FBI, DHS, etc. want Congress to legalize retroactively the horse poo these and other relevant agencies have been doing for the last decade.
With the U.S. government heavily involved in hacking its citizenry, and with other parties (local law enforcement, media companies, computer manufacturers and vendors, industry lobbying groups, Web vigilantes, and, yes, software developers, among others) who feel they have “rights” regarding computing equipment they do not own, some of the evil originates with misguided abusers of power or opportunity. Especially since 2001, we have as a society created—with no broad agreement—a surveillance state that regards effective network defense as a threat. So self-defense for many of us may do more harm than good.
In all cases, those looking to pwn your box prefer that you do not detect their presence. Generally the attackers succeed in not being found. Finding their presence is not a simple thing, and smug confidence that your system is clean impedes discovery. Once entrenched, the toolkits prove difficult to remove, even if you change equipment. To hear experienced administrators talking about wiping disks and reinstalling systems as curative for these issues really saddens me. We have a lot of willful ignorance of the computer-security crisis. Unfortunately as well, the industry has willingly undermined network and machine and software safety with backdoors, among other ways.
None of us can afford complacency on this, and we put more than our networks at risk where we descend into complicity.