According to the “Great Falls Tribune” (covering Great Falls and northern Montana), Todd Shriber is “a good person who made a real big mistake” – okay, so that’s actually a quote from Erik Iverson, chief of staff to US Representative Denny Rehberg. A more detailed report is here.
What’s the “real big mistake” made by this “good person”? Did he accidentally order a few too many reams of paper for the copy machine? Did he back into a road sign? Did he cross the road without looking both ways first? Did he send in his tax return without signing it? These are all mistakes that good people make.
No, what Todd did is to attempt, over the course of a month, to hire a hacker to break into the computers at Texas Christian University, in order to change Todd’s GPA (that’s “Grade Point Average”, a measure of how well you did on average throughout your college career). The email exchange is here, including signs that the hackers approached by Shriber told him early on that what he was requesting them to do would be a felony.
The cynic in me wonders if “a real big mistake” actually describes the ineptness with which Todd undertook the task of approaching and hiring the two ‘hackers’, and if perhaps the definition of “good person” in the speaker’s mind relates to “good to have should we engage in a campaign of skullduggery and misrepresentation”.
I really can’t stress this highly enough – honesty is one of the bases on which you can build good security and trust.
Hire a hacker to put your GPA up, and you may be exposed as a fraud like this – or, more likely, given the way criminal hackers operate, you may find your GPA is lowered, and the hacker is blackmailing you for more money to raise it, now that he’s proven he can mess with your numbers.
It’s often remarked that “you can’t con an honest man” – and while this isn’t strictly true, it’s a whole lot easier to con someone who’s willing to engage in a little dishonesty to get ahead. If you’ve engaged in dishonesty trying to achieve personal gain, and your ‘partner’ in dishonesty fools you, you’re less likely to seek (or be able to get) legal redress.
To bring this back to the topic of security, start your security policies and practices with a requirement on your users that they do what they believe to be honest and right, and that disciplinary action will be taken as a reaction to dishonesty, whether by omission or commission.
Enjoy the rest of the holidays, and be good next year.