The broomstick at the door: security and privacy in different times
(Text status: the main ideas are here, but the text needs further work)
In old, more secure(?) times, Estonians had the custom of placing a broomstick against the door to denote that nobody is home - the practice still lives on in some remote places. Today's situation, however, is different. For most of the second half of the 20th century, the Soviet occupation in Estonia kept non-native people off the islands (as they were considered the border zone - and in the USSR, the border guard was busier keeping people in than keeping foreigners out) - one of its few positive aspects being that the native way of life was kept relatively unchanged. But as freedom finally came, the islands were opened up to outsiders, gradually changing the security situation as well.
Something similar can be seen in the world of computing. Steven Levy in his "Hackers" (also seen in the documentary 'Revolution OS') recalls the days of the first hackers at MIT. In this primal hacker paradise, the hacker ethic promoted a culture of sharing, and when the first passwords were introduced to computers, hackers fought them as a means of intrusion and of imposing some outside will on them. According to Levy, Richard M. Stallman (today known as "the Father of Free Software", but back then a young promising hacker at MIT) got access to the password file of the MIT system and sent all users a message like this:
I see you chose the password [such and such]. I suggest that you switch to the password "carriage return". It's much easier to type, and also it stands up to the principle that there should be no passwords.
(Eventually he managed to convince 1/5 of users to use empty passwords. See Levy, p. 417)
The empty password phenomenon
This is probably the best evidence of the paradigm shift over time. Stallman felt that the unobstructed flow of information was the key issue, and that no one should be artificially kept from using the computer. But these were different times:
- computers were rare and expensive, and although the multitude of administrative and bureaucratic barriers surely kept many interested people from using them, it also kept out most of the malicious people (just as it was on the Estonian islands)
- the select few who had access to computers knew them much better than users do today.
Today, a computer is an everyday tool. At least in the Western world, nearly everybody can have one (see the blog of a homeless American man), yet the general knowledge of them has drastically decreased. Just as freedom brought the Estonian islands lots of well-meaning tourists as well as quite a number of new criminals, computer freedom (especially with the ubiquity of fast Internet) has changed the situation remarkably.
Coming back to the empty password - when Microsoft introduced passwords in their ordinary-user systems with Windows 95, most people reacted exactly as Stallman had suggested years earlier. The empty password (or in some other cases, one-character or otherwise trivial passwords) became the prevalent way of doing things. The downplaying of passwords was further fueled by the fact that in the MS Windows 9x series (95, 98, ME) they did not protect anything - the only thing the user could gain by logging in was to keep certain settings (screen background image, desktop icons etc.); otherwise it was easier to bypass the login screen just by pressing ESC.
At the same time, the amount of malware (malicious software) targeting Microsoft systems was growing very rapidly. The near disappearance of non-Microsoft viruses (during the early days of malware at the end of the 80s, MS did not stand out among other platforms as a target) and the proliferation of malware on the MS platform date to the beginning of the 90s, the beginning of the reign of Microsoft Windows (see the History of Malware at Viruslist.com). Starting with the Pakistani Brain virus of 1986, Microsoft has been a prime target. Its dominant position in the market is indeed a factor - but not the only one. In its summer 2006 report, Sophos, one of the major companies in the anti-malware sector, claims to be able to remove more than 140 000 different kinds of malware (see sophos.com; other companies offer comparable numbers).
When Microsoft started to introduce real, working password security with its Windows NT series (later 2000 and XP), the damage had already been done. A full generation of casual computer users had grown up with the idea that passwords were irrelevant - not for the same idealistic reasons that Stallman had (and even he has been forced to review his initial position - in a 1987 lecture he still advocates "no security", but in a 1997 interview he already admits the need to use passwords in some places, even if he is still unhappy with them). Rather, the Windows generation's main arguments range from comfort to incompetence.
So the times have changed indeed.
- Try to imagine a 60s hacker in today's IT world
- Analyse the original hacker imperative "Information wants to be free" in today's world, especially with regard to security/privacy
- Discuss Stallman's "no security" position. Why was he able to maintain it for many years - and what made him finally review it?
- History of Computer Security - a collection of historical papers on computer security
- Wikipedia: Computer Security - lacks social aspects somewhat
- Computers:Security @dmoz.org - a big pile of links
- Early Computer Security Papers - some more papers (mostly technical)
- A Short History of Computer Viruses and Attacks @Washington Post - a popular-style story
- A Brief History of Information Security - from the Information Security M.Sc programme at Lewis University
- Firewalls and Internet Security - some history too