- Mike McCormick
Thunder Sticks and Smartphones
Hackers don’t exploit our computers; they exploit our ignorance.
Most of us lack even a basic idea of how our digital gadgets work. They’re magic. And magical thinking makes us vulnerable to threats.
Arthur C. Clarke observed, “Any sufficiently advanced technology is indistinguishable from magic.” But this only holds true for those who don’t know how a technology works. Our ignorance makes it appear supernatural.
A column in this month’s Scientific American argues that Apple, Amazon, Fitbit, and other Silicon Valley “wizards” deliberately make their consumer products appear magical to naïve users. “The awe component is important,” writes David Pogue. “It’s the difference between magic and mere convenience. You could say to your butler, ‘Jeeves, lock all the doors’—and yes, that’d be convenient. But saying, ‘Alexa, lock all the doors,’ and then hearing the deadbolts all over the house click by themselves? Same convenience, but this time it’s magical.”
To Aztecs and Incas, Spanish conquistador muskets were “thunder sticks”, feared more for their inexplicable noise and fire than for the minimal damage those clumsy weapons could do. Vastly outnumbered, the conquistadors prevailed through shock and awe. But natives quickly learned guns aren’t supernatural, understanding and using gun technology as effectively as Europeans.
Today’s thunder sticks are smartphones and laptops. Those baffled by them (most of us) vaguely attribute their inner workings to “science”, but this explains nothing. It is magical thinking, with “science” being the new word for “magic”.
Magical thinking manifests in cyber security when a user believes installing an antivirus program protects her from all malware, or a corporation thinks its firewall protects it from all breaches. Security vendors who sell these silver bullets exploit our magical thinking to make a profit.
Hackers exploit magical thinking too. Many see themselves as avengers who punish technology ignorance, teaching ignorant users and institutions a lesson. “If you’re dumb enough to open this email attachment, you deserve to get infected,” says the hacker. “And if you’re stupid enough to leave telnet open on your corporate firewall, you deserve to be breached.”
Much has been written about bragging rights, money, political activism, and cyber warfare as primary motivations of hackers. Not enough attention has been paid to punishing cyber ignorance. Yet hackers of all stripes invoke it to rationalize their behavior. Many see themselves as the good guys spreading tough love. By forcing vendors to fix their products, and users to learn how they really work, they make the world a safer place.
Spanish conquistadors viewed themselves heroically too. At great personal peril, they brought Catholic salvation to ignorant heathens. Cortez would be amazed to learn future historians would cast him as an invader. He and his men saw themselves as courageous deliverers.
As with Cortez’s thunder sticks, the solution is to demystify the technology. When we understand how our gadgets work, we protect them more effectively. Less dependent on vendor snake oil and silver bullets, we can take back the temple from the priests.
How do we do this? Computer literacy has been debated for years. Where a given expert sees the “digital divide” usually determines the solutions they advocate:
College versus high school: College grads are more computer literate than high school grads, even if they didn’t major in a technical field. This may be due to ubiquitous use of laptops and Intranets in universities. Proposed remedies include laptops in public schools or teaching schoolkids how to program.
Rural versus urban: City dwellers tend to be more computer literate than rural and small-town residents. This may be due to greater broadband access in urban metros. A proposed remedy is federally subsidized rural broadband similar to 1930s rural electrification.
Men versus women: Men are more likely to enter technology fields than women. This may be due to societal gender stereotypes or workplace sexism. Proposed remedies include Women in Science and Engineering (WISE) programs on college campuses, diversity and inclusion (D&I) programs in workplaces, and less stereotypical gender roles in media.
Young versus old: Younger people are more likely to be comfortable with cyber technology than their parents or grandparents. This may be due to growing up as “digital natives”. Proposed remedies include education in senior centers and more ergonomic user interfaces.
Poor versus rich: Lower income people are less likely to be computer literate. This may be due to cost barriers, underfunded schools, or subtle class barriers. Proposed remedies include cheap no-frills laptops and school integration.
Each of these perspectives is valid but incomplete. For example, I’m in favor of teaching kids to code. I was lucky enough to attend one of the few high schools in 1970s America that taught BASIC programming. (Thanks Mr. Osterberg!) I also had a cardboard CARDIAC computer from Bell Labs that taught kids how computers work internally. But I recognize that not all kids need or want to learn coding. Teaching certain kids to program is helpful, as are other remedies we’re trying, but we need to dig deeper.
It’s probably not a coincidence the digital divide follows the same fault lines as our nation’s political polarization: geography, education, gender, age, income. But correlation is not causation. Maybe we should view digital and political divisions both as symptoms of a deeper societal schism.
So far cybersecurity has been a rare area of bipartisan cooperation, neither a “red” nor “blue” issue, but that’s largely because the solutions discussed are superficial. Tackling cyber illiteracy and inequality (arguably root causes of insecurity) would require us to debate controversial topics like schools, taxes, diversity, and market regulation.
Tech companies have a market incentive to make our gadgets seem magical, but little incentive to make them secure. Security vendors have a market incentive to make silver bullets that give an illusion of security. Users who think magically enable both.
Science isn’t magic, and smartphones aren’t thunder sticks. Let’s educate people about technology so hackers don’t feel obliged to do it for us.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.