This conversation did not happen. But it could have.
Maker: A workmate was talking about how his bike got stolen. I thought to myself, wouldn’t it be cool to have a way for people to be able to locate their bikes using GPS? So I stayed up all night and coded a Rails app. Put a chip on the bike and the owner can log in to the website to locate it.
Security Tester: That’s great. What else does the program do?
Maker: There are so many possibilities. Maybe track where they’ve gone or the distance. And once I have time, I’ll develop an Android app too. This thing has a lot of potential. I put up a beta version and more than 500 people have already signed up.
Security Tester: Cool. I had a look and found that your program has lots of holes. You need to fix these. In fact, you should have done a security test before putting it out.
Maker: Don’t worry, it’s just a beta release. What holes did you find?
Security Tester: The most obvious one is that it’s really easy to do XSS (cross-site scripting) attacks. This could allow the owner’s personal information to be stolen as well as hijack the session.
Maker: You security testers are all so negative. Don’t you get it? It’s a brilliant idea. I’ve spent a lot of time and effort to develop a superb app. And I’m giving it away for free right now. All you do is look for minor flaws. Everything has flaws but you’re missing the point here. This is a great app. Most people don’t think like you and focus on what isn’t working rather than what is. I’ve already got 500 people signed up and can always fix minor flaws later.
Security Tester: No dude, you’re missing the point. It doesn’t matter how great your app is if it has flaws that allow personal information to be stolen. My “negative” thinking is only ’cause I want to help you. I’m doing it for your own good.
Hacker: Funny thing is, neither of you get it. It doesn’t matter what you want the app to do or that it has security flaws. The only important thing is what I want to do with it.
Maker: It’s my app. It works great. Why do you want to muck around with it?
Hacker: Because I can. I’m not interested in tracking bikes, how stupid is that? Just hear yourself talk, as if you’ve got some sort of control over what people can do with the app. “Your app”? Yeah, right.
Maker: Like I said, it’s my app. Leave it alone. If you’re so interested, why don’t you fix those damn security flaws instead?
Hacker: No way. I’ve already hacked the app to keep track of my trekkie treasures. At least the app does something useful now. How boring and lame to track bikes. And I put my hack on #hacker IRC so others can do cool stuff with it too. Boosted my cred too, thanks mate.
Crack3r: #*$@ers. I’ve pwned the app. Wanna buy 500 email addresses? Cheap.