The Future of IT Security in Ecuador
I’m tired. Sleep deprived. Prison is much louder than I could ever imagine. And add to that sleeping on the floor, in a small room with 6 other inmates, getting rest is a significant challenge.
I’ve been thinking about my situation and the case against me – or the lack of case – as is more factual. My current considerations are about what the possible implications for IT security in Ecuador could be and honestly, it looks pretty dark. If you currently work in this field in Ecuador, I would recommend you to move or change profession. Let me explain why.
The basics of my case can be boiled down to one thing: knowing Julian Assange. However, that was not the reason why the judge approved my imprisonment. Instead, the stated reasons based on “evidence” submitted by the prosecution, was the amount of computers, USB drives and technical books I had.
What has been implied in press and stated by high government officials, is that I’m a hacker and that I have hacked public government systems, phones and other devices and stolen or destroyed information. They have not given any specifics nor provided any evidence. There is a simple reason for this: I haven't done anything.
Do I have a lot of technical books about security, privacy, cryptography and computer intrusion? Certainly! It’s my field and it’s part of building stronger and more resilient systems to know how they can be attacked.
So, adding to this, penetration testing is an extremely important part of a full scale security posture. Pen testers are sometimes called “white hat hackers”. They are people that do break into computer systems, but with previous permission from the owner of these systems. This is a crucial part of proper security and it’s also a well-established and respected profession in the industry.
We need these people, without them we can never feel reasonably certain that our systems are secure enough.
What then separates a penetration tester from a criminal computer intruder? Certainly not their knowledge, since the skills needed are the same. No, the only difference is their actions. Thus, saying someone is suspicious purely based on their capabilities but not on their actions will mean you will suspect a lot of innocent people.
As I’ve said before, I’m not a penetration tester. I’m not a person that breaks into computer systems. But I do posses much of the same knowledge – no action – that I’m being investigated, and that should scare security professionals in Ecuador. This could happen to anyone of them.
My predictions, if my case moves forward, is that many people will avoid the pen testing profession in Ecuador and that means the computer systems of Ecuador will be full of holes. By prosecuting this war on knowledge, claiming I break into computer systems, the government of Ecuador is ironically creating a future where they will be the easiest hacking target for 10 or 20 years.
This is what happen when you wage war on knowledge. You encourage people to avoid that knowledge and that’s a really bad idea when this knowledge is crucial for the future of us all.
/O