One of my favorite TV shows these days is Person of Interest. For those unfamiliar with the show, it’s the fictional account of a handful of do-gooders working with specialized intelligence. One of the main characters is a genius who built an artificially intelligent machine capable of analyzing real-time surveillance and predicting catastrophe.
On the one hand, it’s a great study of mass surveillance, the morality behind it, and potential consequences of allowing such a system. On the other hand, it also provides insight into general security.
A line by one of the main characters during a flashback to his youth was particularly telling:
“If they didn’t want anyone to get in, they should’ve built it better.”
As a youth, he took apart machines and electronics, chalking up faulty design to this statement. In later years, he began hacking into various computer systems, again reciting this line as if it were permission for him to breach whatever security presented itself.
Whenever I look at or evaluate a new piece of code, I often find this line repeating in my head as I look at various implementations of security.
If you can get in …
In college, a close friend of mine taught me how to pick locks. I found it an interesting challenge to bypass the various levels of security afforded by a locked door – a locked handle, a deadbolt, both. Once I mastered the skill, it changed the way I looked at the world. Locked doors that used to obstruct me became mere annoyances.
It was a bit of a dangerous revelation.
Learning how to pick locks also taught me a lot about assumptions of security. We put a lock on a door – or a guard at an airport or a password on an application or encryption on private data – and assume that means it will keep people out. The fact is, if you can still get in, then someone will eventually be able to bypass your security.
The tumblers in door locks used to be fairly secure. Then locksmiths figured out how to bypass them for customers and lock pickers figured out how to bypass them on their own. New locks were designed, and subsequently “hacked.” As time goes on, we continue to iterate on lock design in hopes that we can “build it better” and do a more efficient job of keeping unwanted persons out.
But so long as there’s a legitimate way through, there will exist a bypass – even if it remains undiscovered for years.
Various encryption systems have been developed and subsequently hacked. Different algorithms exist today that are still secure, if only because the computing power required to bypass them is prohibitive. This will not always be the case, though. Again – if you can get through, someone else will eventually devise a way to follow despite your protection.
So long as you retain access to whatever is behind the locked door, password login, or encryption key, there will never be such a thing as perfect security. That said, we can (and will) always endeavor to build it better.