A Waste of Potential

How is it that some people, when presented with a computer and Internet access, decide to be bitches and disrespect everyone and everything? Is doing something "for the lulz" really worth sullying one's long-term reputation both online and off? This question has come to mind yet again as I examine odd access and error logs on the servers that I maintain. It seems that a script kiddie got a new computer this past Christmas and wants to put it to use by scanning public sites for software packages that people rarely seem to update and are known to be replete with exploits.

Such a Bloody Waste of Bandwidth

Actions such as these are not done by "white hat hackers" who want to find vulnerable systems and let people know about the potential problems. Actions such as these are not done by real hackers, either, as someone who knows how to break into and hijack systems generally doesn't make it so easy to discover the attempts. The only people in the world who do this are n00bs and wannabes, otherwise known as "script kiddies". They download tools written by smarter people and unleash them on the open web with the hopes of finding insecure systems. Once discovered, they use other tools written by smarter people to do the heavy lifting of exploiting potential security problems. From there, a smaller subset of broken systems is taken over so that the script kiddie can do whatever it is they were hoping to accomplish.

The most common reason a person would try to break into a web server would be to earn some money. This could be done by taking the site hostage and demanding a ransom, stealing a copy of the database to harvest personal data, injecting crypto-mining JavaScript into the web pages, or any number of other imaginative ways to extort cash. Wanting money is not necessarily a bad thing, but why try to get it by being a bastard? A person who is technologically proficient enough to perform all the steps necessary to gain access to someone else's systems is clearly motivated enough to learn some of the underlying principles of modern web infrastructure. Why not turn this energy into something positive like a security consultancy firm? Most of these organisations charge exorbitant fees for their work and the best ones earn millions every year.

What bugs me about these sorts of scans and the various automated penetration attempts isn't so much the threats they may pose to ill-managed servers. An abandoned or misconfigured web service is the fault of the maintainer. My frustration comes from the lack of respect shown by the attacker to themselves. Again, anyone with the requisite technical knowledge to run the scripted tools will already have their foot in the door to becoming an asset to the world. Despite years of warnings, most people and smaller organisations simply do not have any awareness of how to adequately protect themselves online. Turn the desire to make a quick buck into the desire to earn a living doing something beneficial. This, more than anything else, would make the world a better place and act as a positive force of change in people's lives.

Earning a living and maintaining one's skills over the span of an entire career isn't easy, but it's a whole lot more rewarding than a lot of the quick money grabs that seem to be taking place online.