Jail the Programmersby Colin Berkshire in Telecom
Our jails are stuffed with pot users. For a long time, marijuana was so dangerous we filled our jails up with abusers. Then, we started legalizing it. What a waste of taxpayer money and police services. I think we have discovered that pot wasn’t that big of a threat, after all. (Kind of like the threat of Communism in hindsight: more hysteria than reality.)
So, who should we be putting in jail? The bad guys. Programmers and managers who release code on the internet which is grossly poorly designed. I’m talking about code here that isn’t just hackable, but that is by any definition gross negligence.
It is striking how many websites can be hacked as simply as changing the “?Account=0123456789” parameter in a URL to the number of a different account. This is inexcusable.
Let’s also include system administrators that leave WiFi passwords open, SQL database administrators that don’t encrypt passwords, and credit card company executives who print the 3-digit CVV2 password on the backs of credit cards. All of these folks are a menace to the public.
The purpose for prison is to coerce good behavior through threat, and to rehabilitate. I can assure you that is programmers knew they could go to jail for not even thinking about web security that they would demand of their bosses that time and effort be spent protecting the company’s customers.
Right now, when Home Depot or Target (or any inept company) is hacked through utterly trivial means, the blame is directed at hackers who showed all the sophistication of a Nintendo GameBoy user. Companies are remarkably good at avoiding the real point: Nobody in the company cared in the least about security.
The precedent for this is already established. If an employee of a company dumps toxic waste into a river, that employee will go to jail. Their manager will go to jail. And, the owner of the company will go to jail. These persons are called “PRPs” or “Primary Responsible Parties.” This threat is so real that guess what happened? America cleaned up its environment from the toxic mess of the 1970s and companies became terrified of every improper disposal of toxic materials.
It is time for us to realize as a society that exposing customer’s confidential information is as serious as dumping toxic waste in a river. Significant breaches of security through relatively unsophisticated means should result in punishment of those involved. I’ll bet in a few years that corporate systems suddenly become airtight.