Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

Why the Techno - Arrogance ?

A behaviour pattern that many have had the unfortunate luck to experience first hand is that of techno-arrogance, usually from those who are believed to be more skilled with Information Technology. For a mix of reasons, people with Information Technology knowledge and skill often come across as arrogant, and in possession of several anti-social traits which makes them difficult to relate to, including poor personal hygiene and defensiveness. In many cases, it appears that the newest appointed Information Technology professionals are the worst offenders for displaying the arrogance.

It is more difficult when they view themselves as Subject Matter Experts, and are unwilling to admit the gaps in their knowledge, and lack of overall understanding of technology. Information Technology Certificate mills (e.g. guaranteed MCSE, CCNA, RHCE) are notorious for producing these arrogant people, who see their little piece of paper as the ticket to financial success, and consider a 3 month course enough to become the global expert on the matter.

On the other hand, people who are drawn to Information Technology from a young age may have done so due to underdeveloped social skills which perpetuate into adulthood. The introverted nature of those who are generally drawn to the technology at a young age provides a natural barrier to future social interaction, which makes effective distribution of their knowledge difficult, particularly in a work environment where key decision makers do not necessarily understand the technology.

The fixation by the techno-arrogant on a certain platform, software choice, or particular technology can lead to online 'flame wars' - arguments which are risky for non-technical people to interrupt, and can led to them forgetting what it is like to not know about technology. This forgetfulness leads them to be dismissive of requests and queries from non-technical people, oftentimes shooting back a terse response such as 'RTFM', and leaving it there.

One of the most common interactions with techno-arrogance that most people find, is with helpdesk staff that are uniformly unhelpful - refusing to deviate from planned scripts, even after the customer has waited on the telephone for extended periods and demonstrated that the problem is not a basic one. This builds the impression that helpdesk personnel are arrogant. However, the helpdesk staff will then complain privately about the arrogance of customers who think that they know more about the system than the people they have called for help, when the solution is the first or second item in the script, or on the first page of the manual that the user has conveniently ignored.

Unfortunately, this sets a baseline of incompetence, which is viewed by non-technical people as the standard for Information Technology people (whether or not that is a fair assessment). Because Information Technology is such a broad field, with an immense level of detail required in order to just remain current with knowledge and the technology, it creates traps for the unwary. Having learned one way that works, it becomes the only way to do things for many people, which creates problems when they are hit with problems such as infection by worms or viruses, which are designed to sidestep the common methods to protect them.

It is this same problem which results in technology advice from the random 12 year old appearing to be as valuable as that from the technology professional (and frustrating when it is selected over that of the professional). This trap leads to the non-technical person underestimating the value of accurate advice, considering a several thousand dollar analysis and consult to be on a par with a 30 second sound bite from the neighbour's 12 year old. The fact that many of the multi-thousand dollar solutions are actually on a par with the 12 year old suggests that there is more snake oil than substance in a lot of the offerings on the market, which is an argument for another day.

This assumption of incompetence from the non-technical person creates a real problem as it means that any dialogue with a technical person has already been discounted due to this assumption. For the technical person this constant denigration will eventually lead to frustration and responses in kind (which only further reinforces for the non-technical person the arrogance of the technical person).

When the advice of the technical person is ignored continually, and they are blamed for the problems even after warning that certain actions will result in problems, they will eventually respond with frustration.

A certain 'covered' vocabulary eventually evolves amongst technical people in order to express these frustrations in a manner which appears to be non-confrontational, but still provides some relief. Terms such as 'PEBKAC', 'PICNIC', 'CKI' and 'One Delta Ten Tango' may be used occasionally to express this, and all Information Technology users are liable to be labeled with one or more of these terms from time to time (including the supergeeks themselves).

The presentation of new technology, or new inventions, is a threat to the techno-arrogant as it threatens their position as the alpha Geek, and they will go out of their way to belittle the new products or technology in order to maintain their superiority. Information Security is probably the field where this is most apparent, with new advancements being dismissed as unworthy by those who probably most need to make use of the protection offered by them. When major worms and viruses hit, those who have risked their reputations to provide early warning are accused of not doing more to help, when the information they were presenting was being uniformly ignored.

Similar trends can be seen amongst those who notify website administrators that their sites have been hacked. Probably two thirds of notifications are ignored, with probably ninety percent of the remainder (i.e almost a third of the original number) accusing the notifier of having hacked the site, including verbally abusing them and accusing them of impropriety. Distressingly, a number of these verbal attacks come from major companies who are responsible for hundreds of professional websites, and who should have a better understanding of the technology they are responsible for. The remaining administrators, who haven't ignored the alert, and aren't abusing the notifier, are glad to receive the notification, and work towards improving their services.

Techno-arrogance is not just limited to local support staff, with some fairly significant online arguments in the last several days taking place over responsible vulnerability disclosure.

Internet browsers derived from the Mozilla codebase, including the Mozilla suite, FireFox, and Netscape, were disclosed to have a vulnerability which could be remotely exploited to execute code of choice on the system. This particular vulnerability could be exploited across all platforms that the browsers ran on (Windows, Linux, OS X), and required a simple URL link (no more than 12 characters) to exploit.

The researcher who claimed discovery of the vulnerability, and who disclosed it publicly, has been accused of arrogance and irresponsibility in his disclosure method. The open source browsers have a fairly well known vulnerability reporting method (Bugzilla), which the researcher failed to utilise, claiming instead that the companies refused to acknowledge existence of the vulnerability. Leaking of the vulnerability to a major IT news website at the same time that it was released to security mailing lists, before it had been entered into the vulnerability database for the browsers, was widely condemned as irresponsible. The researcher then went on to release exploitation code which was copied from the eventual Bugzilla entry, which had been created by another person, and refused to cite the source - claiming responsibility for the code himself.

Once the bug had been fixed (within 6 hours of disclosure), the researcher claimed that the fix did not correct the issue which he had reported on. To back this claim, he released another advisory a few days later, which detailed a slight variation to the original vulnerability, and which would work against versions of the browser which had the previous fix applied.

The researcher in question has a fairly good track record of discovering vulnerabilities, including one unidentified vulnerability in Internet Explorer, but his differential approach to disclosure for Microsoft products, and the open source developed products, drew sharp criticism from others in the security community.

An excellent solution for resolving techno-arrogance is personal responsibility. If people take responsibility for their actions, and admit the shortcomings in their own knowledge, it will go a long way to ensuring that problems can be resolved, and advice sought, without the need for frustration and tension. While this will not overcome those where the aggression comes from a personality defect, it will mean that people will have less reason to antagonise them. It might even show non-technical people the value of the advice being provided by technical people, and show technical people the importance of the requests coming from the non-technical people.

While this would be the case in a perfect world, there is no reason not to at least make an effort. Who knows, it might even result in a better working relationship between people.

19 September 2005

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.