Wednesday, May 6, 2009

"People are always the weakest link."

Jane Wakefield, Technology Reporter for BBC News, ran an interesting study of the current state of the art in data theft in the form of a profile of Colin Greenlees, an independent consultant, who, in many ways, is the real-world version of Robert Redford's Marty Bishop character in the 1992 film Sneakers. Greenlees' mantra embodies the simple precept that, no matter how strong the objective technology deployed to protect data resources may be, malice takes place in the social world; and the most effective strategy in the social world is, as it has always been, the confidence game. Greenlees offers a representative example that Bishop could have pulled off just as effectively:

It is all about confidence. I walked into the building [of the FTSE-listed firm] having an imaginary conversation on my mobile and the swipe-card operated lift was held open for me by what turned out to be the managing director.

I remained there for five days working from a third floor meeting room.

As I have suggested, the game has been around for some time. The only variations arise in where and how it is played.

I have always felt that one of the best players was Howard Morland, who decided to write an article on how easy it was for him to learn classified material about the H-bomb. His article appeared in the May 1979 issue of The Progressive after considerable legal machinery was engaged to halt its publication. Ironically, the case was not resolved in the courts, because a Berkeley student found the same information publicly available in his campus library and disclosed that information (through a letter to the editor of a local newspaper, as I recall). Once the genie was out of the bottle, there was no longer a disclosure case against Morland and The Progressive.

The focus of that case, however, was on whether, by virtue of his article, everyone would now know how the H-bomb worked; and that missed the real point of Morland's research. That point was captured in the subtitle of his article: "Learning it is easy, once you know the handshake." His key point is that one did not even need to use Greenlees-style techniques to breach a restricted area. Once could remain outside the protected premises and apply one simple rule: People like to talk about their work. If, as a listener, you give the right signs of understanding, then the speaker will assume that such a display of understanding is as good as a clearance; and the conversation will proceed under the same "ground rules of discourse" that would apply within the restricted area.

This, of course, is the "dark side" of a key story of the rise of Silicon Valley. This is the story of the Wagon Wheel, where pioneers of semiconductor technology would go for drinks at the end of their long (and frequently frustrating) work days. The Wagon Wheel was a bar like any other, but the conversations were different. Instead of "My wife doesn't understand me," they would revolve around the latest technical problem; and the participants would come from different companies (which may or may not have been competing). The Wagon Wheel was the ultimate example of a rising tide lifting all boats; and all those boats eventually became the Silicon Valley "marina."

My point is that the only difference between the conversations in the Wagon Wheel and those Morland conducted had to do with the devastating power of the product, so to speak. If "information wants to be free," then it exercises its freedom through our human need for conversation, regardless of how it gets secured in heavily protected databases on even more heavily protected servers. Greenlees has become a successful consultant because, unlike all his technology-savvy customers, he has concentrated his own perceptions on the social world. If his customers were less myopic about the social world, they might realize that they could come up with the same insights; but I suppose today's world of work no longer encourages workers to cultivate such general views of what they do and how they do it!

No comments: