Worrying about magic

Any sufficiently advanced technology is indistinguishable from magic.

That is commonly known as Arthur C. Clarke’s third law. It’s been further modified several times in popular culture to read more like this from the web comic Freefall:

Any technology, no matter how simple, is magic to those who do not understand it.

I have had cause to think about this lately. I mentioned the confusion of some of the audience at the business blogging with regard to feeds. And it’s important to remember that these things are on a fairly continuous scale. Which is to say, although I work with networking and servers all the time, there is still technology in this sphere that might as well be magic to me.
Since most businesses these days operate somewhere on this spectrum of technology and magic, it’s important to have some simple rules to guide our everyday actions. For lack of a better reference I point to the number one item on Microsoft’s list as the most exploited.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore — Microsoft

And then I remind my readers that JavaScript that is embedded in web pages is by definition a program. And this is in essence what I have been thinking about. The magic aspect of this advanced topic concerns me.
The worst of these self-contained attacks is the ability to generate a PDF or Word DOC from a link in a page. Many users have their browsers set to automatically open certain documents, and plenty of those same home users run their computers with administrative privileges. There are a few ways to protect against this in the corporate environment, but home users seem unlikely to have content-filtering firewalls or to turn off JavaScript in the browser.
It just seems to be one more way that unwary users will have their machines exploited, no matter how much we as security professionals do to isolate them from danger. Short of disconnecting their computers from the Internet there’s not much we can do to really protect them. And without email and the world wide web, what fun are computers?
