Paymaxx, a payroll services provider, recently confessed to a major
mistake that essentially made public many of their customers'
employees' W-2 forms. My firm uses Paymaxx to run payroll. So, as it
happens, does another Harvard-associated person's small computer firm.
This person, however, has more time (or more curiosity) than I, and
discovered a gaping hole in the system serving W-2 forms, a hole that
made it trivial to retrieve others' forms. This person did not create
the hole or “crack into” the system — just stumbled upon the hole left
open. What happened next was unfortunate.
The discoverer of the hole was in a bind; to confirm the existence
and nature of the hole, he necessarily performed some testing and
experiments. Upon forming a supported theory of the problem, he
contacted the company with his complaint, and a sales pitch for his
services to fix it. Was this morally correct? Certainly, he was
compelled to take action by knowledge that his security and privacy was
threatened; certainly, he was correct to inform the company. Certainly,
he was under no obligation to provide his expertise without
compensation. However, the quandary seems to center on the nature and
specificity of his notice / sales pitch to the company: did he wrongly
withhold information about the problem in a manner as to constitute
(morally, if not legally) a form of extortion?
The response of Paymaxx was less than satisfactory as well. In a letter to its customers, Paymaxx stated:
The hacker, is a 21 year-old Harvard student (or
graduate) with a history of similar stunts. He was a PowerPayroll
customer for nearly four years. In mid- February when we informed him
(and the rest of our customer base) of the availability of 2004 W-2
information on-line, he e-mailed one of our sales reps informing him
that he had found a flaw in the security aspects of our on-line W-2
application and that he would tell us about it if we would hire his
firm. We considered this a sales pitch and dismissed him.
The remainder of the letter is a bunch of hand-waving.
However, it is this paragraph that is most troubling. Why was their
customer referred to as a “21-year old Harvard student?” This seems to
me nothing more than an attempt to excuse their incompetence by
averring that it required an evil genius from Harvard (that spooky and
much-maligned ivory tower of mysterious egghead commies) to get into
their systems. Bad job, Paymaxx — there went your opportunity to own
up to your screw-up, be clear about how and why you screwed up, and
demonstrate the objective steps you've taken to prevent it in future.
Instead, you pled the Harvard defense, and tried to shift the blame
onto someone else. However, rather than inveigh against Paymaxx for
their wounded-animal response, I'd rather look to the systemic reasons
why we can expect this kind of problem throughout corporate America for
the forseeable future. I'll begin with a brief technical description,
and then give my theory on the attitude that leads to this kind of
result.
The problem was, schematically, that the URLs for retrieving W-2 forms were like this:
http://bogus.paymaxx.com/w2form?123456
Where, as you might guess, the next employee's form is 123457. This
is not exactly how the problem manifested, but it's close enough to
illustrate: the engineers who put that into play were either lazy or
stupid, not taking into account that changing digits in the URL is
trivial. Put in the right number, and you get the W-2 form, with name,
address, and earnings.
(Merely to demonstrate that I am not declaiming against their engineers
uninformedly, let me state that what needs to have been done is to 1.
use HTTPS, if they had not, and 2. engineer the sharing of a true,
non-trivially guessable secret (for example by snail-mailing a PIN to
each employee), and 3. putting a guess-number-count limit on the
retrieval dialog to prevent brute-force attacks. In defense of Paymaxx,
they are probably just the first payroll company to get caught with
something like this — I have chosen to stay with them despite, and
somewhat because of, their experience with this problem, since now they
should be more rightly paranoid about security and because I don't
expect any better from other firms.)
I can only speculate at the reasons behind this goof, but it does
fit with a general pattern I have witnessed, of what I term a “consumer
attitude” to data and computing. This attitude is promoted by the false
promises of the software industry to liberate us from the burdensome
task of comprehension — the notion that all software can be
“intuitive” and that humans and computers can interact without the
humans holding up their end of the bargain. Holding this attitude leads
to the implicit adoption of certain maxims;
- All that is displayed visually (representation) is the thing itself
(underlying form) and can only be manipulated thereby, and conversely, - How something can be manipulated via a visual interface is the only means of manipulating it.
- (or, things work as they apparently do, and they don't work in other ways.)
- The visual interface must permit a user with no or cursory
training to access any conceivable functionality (by conceivable, I
mean conceivable by a lay person with experience in the problem domain
and describable in plain language, for example, “move the invoice date
to the first Monday of the month;” I except functionality that lay
persons would not think themselves qualified to describe, such as
certain mathematical wrangling), and therefore, - Any program functionality that is reasonably described in plain
layman's terms by someone familiar with the problem domain should be
simple to implement, by a layman who is made familiar with computing
tools (rather than by a programmer who is made familiar with the
problem domain).
The attitude brings with it the conceit of thinking that others will
share the attitude — an assumption that always proves fatally flawed,
for even imagining a world devoid of legitimate curious “hackers,”
there will always be black-hat “crackers” who shun the maxims of
consumer attitudes in favor of experimenting, breaking things, and
seeking alternative scenarios. The consumer attitude is one of taking
the image on the screen at face value; of seeing the shiny parts of the
system as the important onces. It is also, unfortunately, the reigning
attitude in the business world, because having a “producer” orientation
to data and computing is hard and often unpleasant — much easier to
fire up Excel or Solitaire, than to write code! The consumer attitude
makes one believe that links are something clicked upon and not
manipulated, and dulls one to critical and proactive thinking about
security.
I
am not suggesting that every executive be intimately familiar with Web
application security before leading his company to make use of the Web,
but in the Paymaxx case, it apepars that even their engineers
manifested the consumer attitude, thinking shallowly about their
application's security. Hiring these engineers, therefore was the big problem. If executives have ONE imperative in their relationship to technology, it's responsible vendor selection!
I suggest therefore that executives be made aware
of the existence of the consumer attitude and the problems with it, and
be trained to evaluate solutions and providers with an eye toward
avoiding “consumerist” technology thinking. Those who design, create,
manage, and maintain our technology infrastructure must have a
“producer's” attitude toward technology, understanding what the hard
problems are, and that they are hard, and not shying from depth of
understanding. Inevitably, this will grow to include executives at most
kinds of businesses, as all forms of organization rely increasingly on
information technology.
We are in a unique historical
moment with regard to this problem of attitude. The past century did
not suffer so greatly, for every shipping concern would naturally have
been managed by men who had sailed on ships, and every bridge-building
outfit would have been managed by engineers and architects — because
ship's officers and engineers had existed as professions for
generations. There might be one generation of management-age persons
who have a solid generalist background in computer science as of today,
and these few are a tiny fraction of the number needed to fill the
ranks of executive positions at IT-reliant firms. As a result, we are
stuck with dilettante consumers making critical decisions for
productive firms. Who would hire someone to oversee a pharmaceutical
plant's operations on the basis of his qualification of taking medicine
daily? It is absurd — but every time we put a “consumerist” person in
charge of an IT-reliant operation, we do the same thing.
There was a time when people did not hold a consumer attitude towards IT; indeed, the pendulum was too far in the other direction. People were scared witless about computers, and
they were seen as the domain of “wizards.” Indeed, secretaries became “pseudo-wizards” in their own right,
memorizing WordPerfect macros, and in effect writing their own programs
for routine tasks. This, of course, did not last: while some arcane jobs will always require engineers, for the
most part people got over their computer fears with training.
It was accepted that to use a computer required
training and knowledge, as with using an automobile or a welder's
torch. Then, with the rise of the Gog and Magog of Windows and
Macintosh, we found ourselves in the middle of an apocalyptic war
between two indistinguishable armies — meet the new boss, same as the
old boss. What they fought over was market share, but what they agreed
upon was promising the world that computers should be easy and
effortless. Details of interface were the ideas in dispute,
rather than the underlying metaphors, attitudes, and concepts. And it
was amidst this battle — waged over the turf of the newly discovered
mass-market for computing — that the consumer attitude was
propagandized to the masses as well as the elites.
It made sense, too, in a world where computers were machines for
three families of applications: word processing and spreadsheets,
email, and custom (internal) applications. Word processing — at least
at a casual to moderate use level — is a great candidate for WYSIWYG,
know-nothing interfaces. Spreadsheets had the beautiful characteristic
of direct analog to well-understood ledger books and pocket
calculators, combined with a spatial orientation that paralleled the
WYSIWYG ideal of the word processor. Email was a finite
domain, and it had similar metaphors to familiar tools. And custom
applications, internal to a given organization, were the special
exceptions to the know-nothing rule — staffs were trained on workflow
processes, order entry “screens,” predefined queries written for a
particular purpose. Each internal application was like a special tool
inside the firm, usable for its one purpose, and only by those who were
trained.
And
how well this regime worked for a while! Get familiar with the clicking
and typing bits, and you've got the word processing, spreadsheet, and
email stuff down pat. Watch the training video or read the manual, and
you can use your company's order-tracking system or pull the
quarter-to-date sales figures from the Oracle database. But what
happens as soon as Visual Basic for Applications is embedded in your
word processor? What happens when your Excel model requires a
procedural language routine, or sources data from an external database?
If businesspeople are to operate effectively in the world of
computing, I believe that we must produce a thriving culture of rounded
generalist executives, interacting with honest vendors who make the problems
of computing as simple as possible — but no simpler!
We must expect people to learn some of the underlying ideas behind the
abstractions; just as a freight forwarder must understand the underying
limitations and strengths of various forms of transport, regulations,
etc., an author of a complex data report must understand the
limitations and strengths of his data sources, the concept of the
normalization of data, timeliness and validity, etc.
Future directions: why a
consumerist “know-nothing,” and a technician, “specialized tool” model
are both insufficient ways for businesspeople to approach computing.
Necessity of generalist computing knowledge. Folly of having businesses
driven by IT run by modern-computing-illiterate executives (would one
run an oil company with no chemical engineers or geologists on the
management team?). Folly of expecting interfaces to require a constant
amount of learning (zero) while they expose a geometrically expanding
range of functionality to the user. Uniqueness of the generalist
computing skill set and how it is already as important to an executive
to understand data as it is to understand accounting and bookkeeping —
even if this is not accepted today.