As a web developer, I am required to build web applications and secure websites. One of the key requirement is to create a secure and well protected system to keep attackers at bay. Although securing the website from malice is important, it is also important to secure the web application from stupidity. Stupidity from the privileged users, administrators, developers, etc. The cost of stupidity is often underestimated. By stupidity I mean lack of average intelligence assumed for a particular task or not thinking through atleast a few worst case scenarios prior to doing something.
Let me give you a few big examples from history and recent times.
1) Data worth 2 billion dollars lost in courier
In 2007, 25 million child benefit records was sent from one government department to another and was lost by the courier company. The discs were sent by a junior staff member unencrypted and unregistered. The discs contained all kinds of personal data, names and ages of children, bank savings account numbers, partners details and even National Insurance Numbers (Equivalent to the Social Security Numbers). The costs that this caused UK is not clear but it did involve high profile resignations, weeks and weeks of political debates, banks monitoring millions of accounts for fraudulent activity, etc. Some estimate the data alone could be worth over $2 billion in criminal hands.
2) The Honda Point Disaster (Off California Coast)
Aerial view showing all seven destroyers
This was the largest peacetime loss of U.S. Navy ships in which seven destroyers were lost. This tragedy was not caused by malice. Twenty-three sailors died in the mishap. Two other destroyers were slightly damaged. The navy court ruled it as a fault of the navigators and the captains of each ship. How did this happen? The flagship was equipped with a radio navigational receiver, but ignored the bearings, believing them to be erroneous. No effort was made to take soundings or depth measurements. These operations were not performed due to the need to slow the ships to take readings. The ships were performing an exercise that simulated wartime conditions, hence the decision not to slow down. In this case, the dead reckoning (method of estimating position) was wrong and the mistake fatal. The need to slow the ship might also reminds us of another disaster, the Titanic!
3) Aviation Accidents
Boeing studied commercial jet accidents (not including hijacking, test flights, etc) between 1959 to 2008. They determined the primary cause of Airline hull loss accidents (aircraft beyond repair) to be the following:
Clearly a lot of these are preventable and a lot of lives could have been saved. Flight crew error and the Air traffic control accounts to about 60% of all hull loss accidents.
In Conclusion
Accidents do and will happen, I would recommend developers to think about stupidity and not just malice when building systems. I have two interesting quotes to leave you with.
Albert Einstein – Two things are infinite: the universe and human stupidity; and I’m not sure about the universe.
Hanlon’s Razor – Never attribute to malice that which can be adequately explained by stupidity.
Do share incidents that you have come across during your career.