Changing the way we think about security

[As ever, read this on the BBC News website if you prefer]

The long-term viability of the iPhone is unlikely to be seriously damaged by reports of a serious security vulnerability that allows hackers to take over the device.

Most early iPhone adopters have bought into the Apple mythology which convinces them that anything blessed by Steve Jobs is automatically desirable, so we won’t see a mass return of the shiny devices with their slick interface.

And we’ve all learned to live with bugs, crashes, malicious software and the many other hassles that come with modern computers.  An insecure phone is just another thing to add to the list of things that can go wrong, and Apple will soon release a patch to fix the problem, because the iPhone, gets regular updates to its operating software just like Mac OS X, Windows and Linux,

The iPhone problem, which was discovered by the researchers at Independent Security Evaluators, involves persuading a user to visit a malicious web page using the built-in Safari browser.

The page contains a program that runs on the phone and has unrestricted access to its functions, so it can send texts, call up applications or simply steal copies of contacts, calls made or texts received.

Because the attack can be launched from a public wireless access point under the control of a data thief iPhone users may be forced to use the slower and more expensive cellular network connection instead of wifi until the problem is fixed, which will not please them.

But the realisation that today’s smartphones really are computers, subject to the vulnerabilities and problems that beset all computers, is probably a healthy thing for anyone considering upgrading from an old-fashioned voice and text mobile..

Phone vulnerabilities are relatively novel, so they get attention and coverage, raising our awareness of the problems that come when complex software and open networks get together.  Yet overall we seem remarkably relaxed about the security and stability of our gadgets, and unwilling to take seriously the potential problems created by  our increasing reliance on online services.

As a result we are not thinking carefully enough about the effect that new technologies are having on the assumptions we make in daily life, or about the implications for areas that may be indirectly affected by these new technologies, like banking, politics or the law.

For example, I doubt that anyone would successfully be able to sue Apple, even in the US courts, if the text messages leaked from their iPhone caused them financial damage or lead to the breakup of their marriage or loss of employment, because the contract you agree to when you buy the phone excludes them from liability.

The complexity of the interaction between online and offline worlds has been highlighted recently by a spate of warnings about how we are exposing ourselves on social network sites.

Unruly Oxford students have been tracked down by the university authorities, a beauty queen in the USA has been blackmailed over supposedly private photos, and employees have been told that their employers may own any profiles or contacts lists they create using work computers.

Now Facebook users have been warned of the danger of identify theft that comes from posting personal information on the site.

The problem is apparently that we are all giving away too much information that should remain secret, like our date of birth, address and even details of which schools we have attended or where we have worked. This information should apparently be carefully protected because criminals can use it to fill in applications for credit cards or loans, stealing our identities and causing all sorts of problems.

This seems to be entirely the wrong way around.  I have never kept my birthday secret from my friends, partly because I like to get cards and presents, and I do not see why I should have to keep it secret from my online friends.   If that means that other people can find out about it then the systems that assume my date of birth is somehow ‘secret’ need to adapt, not me.

Some things really are private and should be kept confidential.  Having a phone that will hand over all my text messages to any hacker who can be bothered to ask for them is a problem, and so is a laptop that will let a malicious site install a key logger that can squirrel away login details for my bank accounts or work networks.

But when it comes to loans, credit cards and other financial services it really is up to the banks to adapt to the networked world, not us.  I do not want to make October 6, 1960 a secret date. Nor do I want to have to remember who knows that my mum’s maiden name was Clubbs or that I went to Southwood Comprehensive School.

In the networked world people can find out these things about me, and so anyone who wants to verify my identity should realise that they can no longer rely on them in any way.  If they continue to do so then they should be responsible for the consequences, not me.

And if identity theft is becoming easier because of our widespread use of the internet then the ways in which identity is established have to shift to reflect that. We cannot rely on assumptions that served the Victorians [see below] and limit our use of these new tools just because profit-starved credit card issuers are unwilling to improve their inadequate procedures.

The problem here is not Facebook, it is the antiquated thinking of lazy companies.

Bill’s Links
iPhone hacks:
Facebook identity theft

The Victorians: an apology

Alan Cox wrote to say

The victorians didn’t usually rely on silly things like mothers maiden names. They relied for a large part on letters of reference and introductions from existing trusted users. Credit depended upon the bank manager who actually *knew* the business and people.

They also relied on the fact that the legal system and media hadn’t beeen duped into blaming the victim for “identity theft” rather than the idiot who was tricked for negligence.

The truth is – going back to a more victorian approach might actually be a very good thing to do.

He’s got a good point – it’s the mid-20th century corporations that are to blame!

One Reply to “Changing the way we think about security”

  1. Banks do need to change their idea of what is secret information.

    But we can also change the information we give them.

    For those questions that are only for security authorisation simply never give out the right answer.

    i.e.
    Q. What is your mothers maiden name?
    A. Purple or better still 123FGa.

    Q. what is your favourite colour?
    A. England or better still A5674trhe

    Q. Where was your first school?
    A. Jupiter or better still heiu35x$g

    The computer systems dont care what answer you give and the banks dont independently verify this information.

    You can now tell all your online friends that you really love red, and your Mum who used be called Smith would wait for you coming home from Winchester primary with a cup of hot chocholate without fearing that it was compromising your security.

    i.e. treat all security requests as a request for a strong password. Treat all social requests as an atempt to know you better.

    The user has the power to keep the two deistinct even if the system providers dont seem to want to.

    David

Comments are closed.