I’m not sure it was necessary to actually perform this hack; we all knew that it would work. Before I read Cowan’s blog entry I literally was just explaining to someone how we got into a security mess as complex as we are in today, so I had a really good chuckle when I read Cowan’s hack.
Once the first victim handed me his ticket, the rest were cake. Tickets accumulated in my hand as my victims jabbered on about football games and SAT prep. I collected half a dozen and stopped. A good 5 minutes passed before they wafted over to the hallway, encountering another ticket stand (by then I could have sold the tickets to folks standing in line). Another 2 minutes passed as they tried to figure out which of them had the tickets! As it dawned on them that they had been phished, I returned their assets (and thankfully they didn’t kick mine).
Cowan’s points here and in his Doomsday Hackers and Evildoing Robots post are spot on; the solutions are mostly the responsibility of the system designers. When we transferred the power to the automators, and I’m not just speaking to Internet user authentication, we increased the probability of accidents by orders of magnitude. I think it was Virilio who said that the invention of ships brought us ship wrecks and the invention of trains brought us train wrecks; in the case of systems, the landscape is littered with all types of wrecks and will be for a good while to come. That’s not to say we shouldn’t educate the heck out of everyone re social engineering.









