Recently I’ve been bombarded with the Sony hack news. If you have not heard of this, Google it. In case you are reading this far in the future, well past 2014 (which would make me really happy), I’m talking about the hack of the United States company Sony Pictures Entertainment (not the Japanese Sony Corporation) by an organization calling itself GOP (Guardians of Peace), which was revealed in Nov 2014. I spell this out so I can Google it more accurately in the future, since Sony and its PlayStation Network have been hacked before and who says they won’t be again. The FBI claims GOP is from North Korea. All I know is that it is definitely not from the United States, since no organization from the USA would pick an abbreviation that collides with the Republican party (Grand Old Party). It is really confusing, and when I first heard Sony was hacked by GOP, I was like, what???
The news has been constantly developing for almost a month. I’m getting tired of it, but I’m also realizing that all this news has given the public a lot of negative images and impressions of “hacking”. Of course here I mean the first kind of hacking in my title, the act of quickly getting a prototype or early version of a product out using fast but improper engineering methods due to. This meaning of hacking has also extended to hardware and other engineering, or even just daily life. This kind of hacking is great for our society. Here is Catherine Bracy’s talk: Why good hackers make good citizens. However, because this type of hacking shares its name with criminal hacking, and maybe because of the limitations of the English language, the public has probably developed a strongly negative view of both types of hacking.
Now, let me get back to the narrower “hacking” in software development and corporate security. As software developers, we are constantly under time pressure and working with limited resources. It is also almost impossible to nail the requirements at the beginning; customers change their minds a lot. So more and more we see software development moving to agile processes, pivoting a lot along the way. Naturally, we hack a lot, because we need it fast and it could be thrown away tomorrow. We’ve all done things like putting the username and password in the source code, or not checking user input for a potential injection attack. And frankly, what happened at Sony, such as having passwords saved in a password.txt file that everyone can access, I can see as a “life hack”.
So hacks lead to security holes, which lead to being hacked. In a lot of places, once the product is online or once the business flow is settled, the developers are pulled away to work on the next thing. And the holes are just left there, waiting to be hacked. Even without being hacked, a lot of the time simply an increase in traffic volume or some edge-case abnormal data can cause disaster for the hacked-up product. The proper way to do it, in my opinion, is to put resources into properly engineering the hacked-up product, so that hacking + engineering = success, rather than hacking + hacking = failure. Unfortunately, a lot of companies fail to realize this.
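To make the "hacking + engineering" point concrete, here is an added example (not code from the original post) contrasting the two shortcuts named above, a credential pasted into the source and a query built from unchecked input, with their engineered replacements. The database, the accounts in it, the `APP_DB_PASSWORD` variable name and the `hunter2` value are all constructed for illustration.

```python
import os
import sqlite3

# Constructed in-memory sample database with two hypothetical accounts.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn

# The "hack": secret in the source, query assembled by string formatting,
# input never checked. Fast to write, and a hole that stays open once the
# team has moved on to the next thing.
DB_PASSWORD_HACK = "hunter2"  # constructed value; the hardcoded-secret pattern

def find_user_hacked(conn, name):
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

# The engineered version: the secret comes from the environment (or a secret
# store) and startup fails loudly if it is missing; the query is parameterised
# so user input is always data, never SQL; input is also length-bounded.
def load_db_password(env=os.environ):
    pw = env.get("APP_DB_PASSWORD")  # hypothetical variable name
    if not pw:
        raise RuntimeError("APP_DB_PASSWORD is not set; refusing to start")
    return pw

def find_user_engineered(conn, name):
    if not isinstance(name, str) or not (1 <= len(name) <= 64):
        raise ValueError("invalid user name")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # the textbook injection probe every tester tries first
    print(find_user_hacked(db, probe))      # leaks every row in the table
    print(find_user_engineered(db, probe))  # [] : treated as a literal name
```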