Victim Blaming in Security

The Fediverse has just suffered from an all-out spam attack from some script kiddies, and the moralizing tones I've heard from some people tell me that some people have the wrong attitude about cybersecurity, and the internet.

The only right attitude is that of a chess player.

Chess Strategies

Every few decades, someone announces a new strategy in chess. Perhaps people once read chess strategy books about the 'Kaspersky pirate-bate opening' (or whatever), and then the three counter-moves, and so on. Then the new opening comes out, which annihilates the Kaspersky pirate-bate opening, forcing checkmate within 15 turns, with near-mathematical certainty.

At this point, chess players will give a little smile, and think 'interesting', then burn their old books at the chess club for good luck (I don't play chess, but that's not the point here).

This is also the attitude that sysadmins must have (although you can't burn manpages without printing them, which isn't currently possible on Linux).

The Moralizing Counter

Of course I know what moralizing people would say.

"We're communicating online, not playing some game to defeat an opponent" (while shrieking hysterically).

And that's where they're wrong. Once you're online, you're playing a defensive game. You can talk all you like about how people shouldn't do this, and how they're bad, but you are still on the battlefield, and the opponents are putting down more moves.

Of course, I have some sympathy for the sysadmins who (while recognizing the poor defences they had) wasted two days clearing up the crap left by some kid's shell-script. It's genuinely worse than cleaning up people's crap (this time I speak from experience).

But for anyone who's not a sysadmin, they get to play an easy game, and the worst thing most people endured was seeing a jpeg of a tin of spam, with some Japanese characters.

This place will always be chess-first. The moralizing move - whether it's posting a virtual 'tut', or trying to make laws - fails miserably. And there's nothing as dangerous as a false safety net.

So like the chess players, we shouldn't waste half a thought on moralizing. We should give a little smile, burn the old books, and enjoy the interesting new problem of how we keep things open to humans, without opening the door to script-kiddies.

Because if a kid beats your Kaspersky, it's not the kid's fault, it's yours.