Who's Afraid of a Big Bad Hacking Story?
It's been a cheerily good spring for FOSS fans here in the Linux blogosphere, so we may perhaps be forgiven for our utter shock and disbelief at the affront recently committed against us by a certain brick-and-mortar purveyor of books and magazines.
Yes, that's right -- it's Barnes & Noble that Linux Girl is referring to; specifically, its decision to yank the very excellent Linux Format magazine from its U.S. shelves -- apparently because of a cover story on the topic of "hacking."
"We've just learned that issue 154 of Linux Format, the one with 'Learn to Hack' on the cover, was removed from Barnes and Noble bookstores in the US after a complaint was made," read the announcement last Tuesday on Linux Format's TuxRadar blog.
'Used Predominately by Criminals'
Like a flash, the news jumped over to Slashdot and beyond, drawing the ire of Linux geeks far and wide.
"Good for them!" quipped Anonymous Coward on Slashdot, for example. "That's because Linux is an OS used predominately by criminals to hack machines. I applaud Barnes and Noble for this responsible reaction."
Then again: "And yet they'll happily stock martial arts magazines, full of special features about new and exciting ways to hurt people," noted Alranor.
'An Unfortunate Coincidence'?
Taking a more sinister perspective, "could it be that the buyout of B&N by Microsoft has produced the first victim?" suggested jbernardo. "Or just an 'unfortunate coincidence' that the magazine censured over a word is a Linux magazine?"
In any case, "odds are that Linux Format magazine is about to see an increase in circulation," predicted Anonymous Coward.
Head spinning from all the possible explanations, Linux Girl sought refuge on her favorite barstool down at the blogosphere's Punchy Penguin Saloon, where bloggers never have a shortage of things to say.
'Just Plain Common Sense'
"To be truly secure, you have to understand the methods employed by people that are trying to attack you," opined Google+ blogger Linux Rants over a fresh Tequila Tux, for example. "That's just plain common sense.
"If the methods used are kept secret, the victims of these attacks will be unprepared and easily taken advantage of," Linux Rants added. "Objecting to informing people of their vulnerabilities is completely backwards."
Indeed, "I'm firmly convinced that the public does not know enough about hacking," agreed consultant and Slashdot blogger Gerhard Mack. "If they did, people would believe a lot fewer hacker myths going around, such as the myth of hackers being able to break into computers by whistling over the phone."
An informed public "would also be a lot less forgiving of vendors with bad security practices," Mack added. "B&N need to stop being so clueless."
Similarly, "Barnes and Noble, a longtime favorite of mine, goofs here," concurred Slashdot blogger yagu. "The magazine headline is a hook, and while BN may find it offensive or distasteful, they've just given extra free publicity to an issue they ostensibly wanted to 'silence.'
"I'd guess the net sales increase for this issue," yagu added.
Either way, "from personal experience, I've not found these magazines to deliver much steak to back the sizzle," yagu asserted. "The magazine and its contents doubtfully provide much useful true hacking material.
"Hackers will hack, and they don't get their expertise from magazines," he concluded. "Kiddies will kiddy-script with helpful hints from magazines on 'hacking,' but the magazine is hardly a threat. BN goofed."
'It Won't Affect Me Directly'
Google+ blogger Kevin O'Brien is a Barnes & Noble member, and he owns a Nook Color, he told Linux Girl.
"Now I feel like Barnes & Noble is making me regret the relationship," he said. "What's next, refusing to sell Steven Levy's book 'Hackers'?
"Fortunately I subscribe to Linux Format, so it won't affect me directly," O'Brien added.
'Now It's All Over the Web'
"The Streisand Effect strikes again!" exclaimed Barbara Hudson, a blogger on Slashdot who goes by "Tom" on the site.
"Whereas the article would have been limited to the print edition, now it's all over the web for the whole world to read for free," she explained. "Not only that, but the 'click to hack' BackTrack Linux Penetration Testing Distro mentioned in the article is getting wide exposure."
Meanwhile, "the tin-foil-hat brigade is explaining how this is all just a plot to detract attention from their recent deal with Microsoft," Hudson added.
"I swear, the software industry is becoming more like a badly written soap opera every week," she concluded.
'Knowledge Is the Key'
"Security by obscurity does not work, and the more people who know about means of attack/vulnerability, the more secure our IT will be," opined blogger Robert Pogson. "Most people are good and decent and should be empowered to defend their computers and networks. Knowledge is the key."
Censoring "publications that describe vulnerabilities/exploits is akin to banning nmap or ping because they can inform you about your network," Pogson suggested. "I've worked for places that technically could fire IT people just for doing their jobs because the tools for system administration overlap with tools for attacking systems."
Bottom line: "Don't punish innocent people. Punish criminals," he concluded.
The 'Confused Deputy' Problem
And again: "This is unfortunate," opined Chris Travers, a Slashdot blogger who works on the LedgerSMB project. "People need to learn how to break into computers in an open manner. This is especially true of sysadmins and software developers."
While it is true that "some security problems (double free bugs, overflows) can be avoided through good programming practices, others require being able to think about how a program can be abused to avoid," Travers explained.
For example, "consider the so-called 'confused deputy' problem, where a program follows exact user instructions, but the user gives instructions which lead to a program misbehaving in ways that can compromise security," he suggested. "Cross-site scripting and cross-site request forgery are two examples of confused deputy problems, but it is a mistake to focus only on these areas."
The fact is that "any program that can be made to misbehave in ways that compromise its own security provides such an opportunity," he pointed out. "These sorts of attacks are not necessarily limited to recognized subcategories, and so it requires thinking like an attacker in order to predict what behavior is dangerous."
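To make Travers' point concrete, here is a small worked example of the confused-deputy pattern he names, cross-site request forgery, with the weak handler beside a hardened one. It is added here for illustration and is not code from the article, from Linux Format or from any project mentioned above; the Bank class, the Request stand-in for an HTTP POST, the account names and the balances are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (constructed for this example).
    Browsers attach cookies automatically, so a forged request carries the
    victim's session cookie even though the attacker never saw its value."""
    cookies: dict
    form: dict


@dataclass
class Bank:
    """Toy server state (constructed). Holds balances, sessions and one
    anti-CSRF token per session."""
    balances: dict = field(default_factory=lambda: {"alice": 100, "bob": 0})
    sessions: dict = field(default_factory=dict)     # session id -> user
    csrf_tokens: dict = field(default_factory=dict)  # session id -> token

    def login(self, user: str) -> str:
        """Create a session and a random per-session CSRF token; return the
        session id that would be set as a cookie."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token_for(self, sid: str) -> str:
        """Token the legitimate page embeds in its form. Same-origin policy
        keeps it out of reach of pages served from other sites."""
        return self.csrf_tokens[sid]

    def _do_transfer(self, user: str, req: Request) -> bool:
        """Shared business logic; validates the amount and the payee."""
        to = req.form.get("to")
        try:
            amount = int(req.form.get("amount", "0"))
        except ValueError:
            return False
        if amount <= 0 or to not in self.balances or self.balances[user] < amount:
            return False
        self.balances[user] -= amount
        self.balances[to] += amount
        return True

    def transfer_vulnerable(self, req: Request) -> bool:
        """Confused deputy: the server treats any request carrying a valid
        session cookie as the user's intent. The program follows its
        instructions exactly, but the instructions came from another site."""
        user = self.sessions.get(req.cookies.get("session"))
        if user is None:
            return False
        return self._do_transfer(user, req)

    def transfer_hardened(self, req: Request) -> bool:
        """Same logic, but the request must also prove it came from the
        bank's own page by presenting the session's CSRF token."""
        sid = req.cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return False
        expected = self.csrf_tokens.get(sid, "").encode()
        supplied = str(req.form.get("csrf_token", "")).encode()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, supplied):
            return False
        return self._do_transfer(user, req)


def demo() -> dict:
    """Run a forged request against both handlers and a legitimate one
    against the hardened handler; return the resulting balances."""
    weak, strong = Bank(), Bank()
    sid_weak, sid_strong = weak.login("alice"), strong.login("alice")
    # The forged form sets the fields it wants; the cookie rides along.
    forged_weak = Request({"session": sid_weak}, {"to": "bob", "amount": "100"})
    forged_strong = Request({"session": sid_strong}, {"to": "bob", "amount": "100"})
    legit = Request({"session": sid_strong},
                    {"to": "bob", "amount": "40",
                     "csrf_token": strong.csrf_token_for(sid_strong)})
    return {
        "vulnerable_forged": weak.transfer_vulnerable(forged_weak),
        "hardened_forged": strong.transfer_hardened(forged_strong),
        "hardened_legit": strong.transfer_hardened(legit),
        "weak_balances": weak.balances,
        "strong_balances": strong.balances,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The session cookie only answers "who is this?"; the token answers "did this request come from my own page?", which is the question the confused deputy never asked.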
'DIY Is on Life Support'
Slashdot blogger hairyfeet saw the move as a sign of the times.
"Welcome to the post-PATRIOT consumer driven world, folks," he said. "Devices WILL be locked down, DMCA'd up the rear, and words like 'hacker' are now on the same watch list as 'bomb' and 'terrorist.'"
Hairyfeet believes it's part of a larger trend -- namely, "the death of DIY and hacking as a whole," he explained. "Oh sure, you'll be able to still hack, but only with pre-approved hack designed devices like Arduino and the Pi.
"Everything else will be locked down so tightly by laws, refusal to sell parts, and a general not caring by the corps that DIY is on life support and will soon be all but dead," he predicted.
'BN Did the Right Thing'
Roberto Lim, a lawyer and blogger on Mobile Raptor, had a different perspective.
"Hacking is illegal in my country and punished with imprisonment, so I would think a book that teaches you how to do it would probably be considered objectionable," Lim told Linux Girl. "Would free speech allow for the publication of a book that teaches you how to do something illegal? Interesting issue for a Constitutional Law expert (which I am not)."
In any case, Barnes and Noble "did the right thing," he opined.
Power vs. Responsibility
"Should books be sold that teach you how to make a bomb, a lethal poison or break into cars?" he mused. "Granted, if you read engineering or chemistry materials, you will eventually figure out how to make a bomb or a poison.
"In the same way, someone who learns programming can probably figure out how to hack a computer system," he added. "Still, publications that directly teach you how to do these things should not be allowed, in my opinion."
Knowledge is power, and "some forms of power have to be tempered with responsibility," Lim concluded.