Tag Archives: Pervasive Computing

I’m a Doctor, Not a Security Expert!

While I don’t completely agree with Rob Ragan’s sentiments in a recent article in Dark Reading on the limitations of security awareness training, I think he makes some good points, especially regarding the appropriate use of technical controls in combination with training to mitigate risk. I love the quote he includes from Adrienne Porter Felt of the Google Chrome Security Team:

“…users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters — it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.”
This was prevalent in my mind as I assisted my Luddite physical therapist last night in resetting her AOL password. She couldn’t get into her account for an entire day, all because a “security feature” locked her account for suspicious activity. Basically, she bought a new iPad and entered her complex password incorrectly multiple times. But because she used IMAP to connect to her account from her laptop, she had no way of knowing that the account had been locked and didn’t understand how to use the UI. So I did the unthinkable: I requested an account reset, then logged into the Gmail account she uses for account recovery and gave her the new password I created for her AOL account. She thanked me and told me how much harder my job was than hers, and that she would never do it. And this admiration was all predicated upon my resetting her password. Supposedly, one of the most trivial activities in IT. Any user should be able to do this, right?
Earlier this week, my team received a request to allow a user to install the Fitbit application on her company-owned system. It prompted an esoteric discussion on the security of the Internet of Things and the Quantified Self. I recommended that we approve the request and said, “Why are we even having this discussion? We’re an organization that has an employee wellness program and we’re wasting precious resources discussing whether or not this application increases organizational risk? We have approved applications that are more dangerous, such as Java, Adobe Flash and Internet Explorer.”
Why are we still so disconnected from our users, making user interfaces that are too complex, byzantine security procedures and arcane policies?
I'm a doctor, not a security expert!

BYOD: Pervasive Computing Has Arrived

A good tool is an invisible tool. By invisible, I mean that the tool does not intrude on your consciousness; you focus on the task, not the tool. Eyeglasses are a good tool — you look at the world, not the eyeglasses. The blind man tapping the cane feels the street, not the cane. Of course, tools are not invisible in themselves, but as part of a context of use. With enough practice we can make many apparently difficult things disappear: my fingers know vi editing commands that my conscious mind has long forgotten. But good tools enhance invisibility. – Mark Weiser, August 16, 1993

Often, I’m at odds with others in the security community over some of the positions I espouse. My support of BYOD is one of them. While I see the risk in allowing users to bring their own devices to work, my experience in the enterprise has convinced me they’re already doing it, whether or not the IT department officially supports it. So we might as well accept the inevitable and start to work out the ground rules with each other.

Besides, isn’t this a good thing for information technology and society? We are seeing the fruition of Mark Weiser’s work in Ubiquitous or Pervasive Computing at Xerox PARC with the Internet of Things and a flourishing mobile device marketplace. I was drawn to IT in order to solve problems, not drown in the minutia of attack scenarios. Unfortunately, many security professionals can’t see beyond the vulnerabilities and spend most of their time pissing on everyone’s parade.

Regardless, I’ll continue to write and teach on the topic, because I think it’s important to collaborate with the business and the other sectors of IT to find solutions. Towards that end, I’ve written a piece for Dark Reading about tackling that difficult beast, BYOD.

[Image: Spock does BYOD]
