Saturday, June 18, 2005
Security
We're such a bunch of IT posers. :) Recently, having had my 3-day leave from the university run out, I had to attend my usual classes again. Since most of my "on-the-go" materials such as my notebook, flash drive, various snacks, cell phone, writing tools, identification cards and so on were still in the large black bag with the PDC '05 logo on it, I decided to just stuff an additional book in there and get going to the university. Not to be outdone, I noticed several other students flashing the technological equivalent of "bling-bling", a.k.a. the PDC bags, around the university as well.
I must admit there were times during the conference that I was bored stiff, either due to a miscalculation about the contents of a particular seminar or a lecturer who seemed to pause for an eternity every three words and follow up with an "umm". However, I learned a lot about a favorite subject amongst Pakistani amateur IT-enthusiasts (myself included by definition, of course): hacking. Of course the seminars were given politically correct, euphemistic titles like "Secure Code: Threats and Counter Measures" and "Web Development Security Fundamentals" but that didn't fool enthusiasts and curious onlookers alike from sitting in on each of these sessions to get a better concept of "hacking".
The thing about hacking is that, as I sat and watched these security professionals at work demonstrating some common techniques for hacking and how to prevent them, I thought about how many of us know about hacking per se, but when it comes right down to it, we have no idea how it's done on a professional level. Sure, we've all tried to hack the Hotmail account of someone who crossed us and possibly gave up after a few attempts and contacted someone we had heard from a friend of a friend was "a hacker", but had no idea how you could hack into a professional website to gain unlawful entry or steal information stored within a database. For obvious reasons, I'll not go into the demonstrations shown to us, but suffice it to say, I walked out of there a great deal wiser and with a whole new respect for the ingenuity of someone who takes hacking seriously. After the demonstrations were done that had us all smiling and clapping enthusiastically, the lecturers informed us about some basic security features and practices that can be used to avoid the more common pitfalls of web security. This was surprisingly informative, and I got around to wondering why it is that a Computer Science degree in Pakistan incorporates odds and ends like Pakistan Studies, Islamiat and Statistics and dedicates not a single course to basic practices to secure your software or website?
For my final semester's CS project, my group had created a web-based application. I used to think that once we got it up and running, tested it for bugs and submitted a report on it, we were finished and it was ready to possibly even be deployed on the Internet. At the time, we did not give security a single thought, nor were we questioned on security during our viva. I'm positive most of my fellow students also take security just as seriously as we do, which would mean that if these kids are the future of the IT industry in Pakistan, they have little to no training in securing their applications from outside attacks. Is this really the way to go when educating the coders and software house owners of tomorrow?
Misha
at Saturday, June 18, 2005