Tag Archives: Ubiquitous Computing

Security’s Bad Boys

This week’s latest stunt hacking episode seemed to cement the security community’s reputation as the industry bad boy. The Wired car hacking story demonstrated an absence of the responsible disclosure most security researchers strive to follow. While the story indicated that Miller and Valasek have been working with Chrysler for nine months and that they’re leaving out a key element of the published exploit, there’s still going to be enough left to cause some mayhem when released at Black Hat USA next month. Moreover, the story’s writer and innocent bystanders were often in harm’s way during the demonstration on a major highway in St. Louis.

The annual Black Hat conference in Vegas is an adult version of “look what I can do” for the security set, perfectly placed in the city’s carnival atmosphere. A grand spectacle where every breaker competes to get Daddy’s attention by taking apart the toaster, or car in this case. The media loves this stuff and floods outlets with paranoia-inducing stories the few weeks before and during the conference.  What’s so disturbing about these events isn’t the frailty of our technology-enabled stuff aka “Internet of Things,” but the need for a subset of people to focus on its faults. The typical rationale from many of these researchers for their theatrical, hype-infested releases during Black Hat and other security conferences, is that they can’t get any attention from manufacturers when going the path of responsible disclosure. I would argue that this behavior is more about ego than concern for the safety of consumers, because there are plenty of principled researchers, quiet heroes who slog along filing bugs with vendors, unknown and overlooked by the general public.

Most idiots can blow up a cathedral with enough C-4. But it takes a Bernini or Michelangelo with hundreds of talented, dedicated artisans, to design and build one. People who will never be remembered by tourists standing in the middle St. Peter’s, glorying in the majesty of such an achievement.

St. Peter's

Tagged , , , , , , ,

I’m a Doctor, Not a Security Expert!

While I don’t completely agree with the Rob Ragan’s sentiments in a recent article in Dark Reading on the limitations of security awareness training, I think the writer makes some good points, especially regarding the appropriate use of technical controls in combination with training to mitigate risk. I love the quote he includes from Adrienne Porter Felt from the Google Chrome Security Team:

 “…users are neither stupid nor lazy. They are musicians, parents, journalists, firefighters — it isn’t fair to also expect them to become security experts too. And they have other, important things to do besides read our lovingly crafted explanations of SSL. But they still deserve to use the web safely, and it’s on us to figure out that riddle.”
This was prevalent in my mind as I assisted my Luddite physical therapist last night in resetting her AOL password. She couldn’t get into her account for an entire day, all because a “security feature” locked her account for suspicious activity. Basically, she bought a new iPad and entered her complex password incorrectly multiple times. But because she used IMAP to connect to her account from her laptop, she had no way of knowing that the account had been locked and didn’t understand how to use the UI. So I did the unthinkable: I requested an account reset, then logged into the Gmail account she uses for account recovery and gave her the new password I created for her AOL account. She thanked me and told me how much harder my job was than hers, and that she would never do it. And this admiration was all predicated upon my resetting her password. Supposedly, one of the most trivial activities in IT. Any user should be able to do this, right?
Earlier this week, my team received a request to allow a user to install the Fitbit application on her company-owned system. It prompted an esoteric discussion on the security of the Internet of Things and the Quantified Self. I recommended that we approve the request and said, “Why are we even having this discussion? We’re an organization that has an employee wellness program and we’re wasting precious resources discussing whether or not this application increases organizational risk? We have approved applications that are more dangerous, such as Java, Adobe Flash and Internet Explorer.”
Why are we still so disconnected from our users, making user interfaces that are too complex, byzantine security procedures and arcane policies?
I'm a doctor, not a security expert!
Tagged , , , ,

BYOD: Pervasive Computing Has Arrived

A good tool is an invisible tool. By invisible, I mean that the tool does not intrude on your consciousness; you focus on the task, not the tool. Eyeglasses are a good tool — you look at the world, not the eyeglasses. The blind man tapping the cane feels the street, not the cane. Of course, tools are not invisible in themselves, but as part of a context of use. With enough practice we can make many apparently difficult things disappear: my fingers know vi editing commands that my conscious mind has long forgotten. But good tools enhance invisibility. – Mark Weiser, August 16, 1993

Often, I’m at odds with others in the security community over some of the positions I espouse.  My support of BYOD is one of them. While I see the risk in allowing users to bring their own devices to work, my experience in the enterprise has convinced me they’re already doing it, whether or not the IT department officially supports it. So we might as well accept the inevitable and start to work out the ground rules with each other.

Besides, isn’t this a good thing for information technology and society? We are seeing the fruition of Mark Weiser’s work in Ubiquitous or Pervasive Computing at Xerox PARC with the Internet of Things and a flourishing mobile device marketplace. I was drawn to IT in order to solve problems, not drown in the minutia of attack scenarios. Unfortunately, many security professionals can’t see beyond the vulnerabilities and spend most of their time pissing on everyone’s parade.

Regardless, I’ll continue to write and teach on the topic, because I think it’s important to collaborate with the business and the other sectors of IT to find solutions. Towards that end, I’ve written a piece for Dark Reading about tackling that difficult beast, BYOD.Spock does BYOD

Tagged , , , , , , ,
%d bloggers like this: