I don't know about you, but I get a fair amount of email and reports from security vendors advising me on the current state of PC/internet security and how PC users are being attacked, infected, hard done by etc etc etc. They of course want to convince me that by using their products all will be safe in the world of the internet and the humble use of the PC – citizens need not fear any more, that's of course if they fear at all. So I was interested to see on the BBC website a few days ago the "US man 'stole 130m card numbers'" article, the gist of which was that a technique known as an "SQL injection attack" (a method that involves exploiting errors in programming to access data) was used to access the databases and steal information.
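To make the "error in programming" concrete, here is an added example (not from the original post, and not the code involved in the BBC story) that builds a constructed in-memory table and compares a query that pastes user input into the SQL text with one that binds it as a parameter. The table, e-mail addresses and probe string are all made up for the illustration; the point is the check a developer or reviewer would want to run: does input containing SQL syntax change what the query returns?

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for a customer database.
    Names and values are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The programming error: the input is concatenated into the SQL text,
    so any SQL syntax inside the input becomes part of the statement."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: a placeholder keeps the input as a bound value. The database
    never parses it as SQL, whatever characters it contains."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest address and with a probe string and
    return the row counts, so the difference can be asserted on."""
    conn = build_demo_db()
    honest = "alice@example.com"
    # Constructed probe: a quote that closes the string literal followed by a
    # clause that is always true. A correct query must treat it as plain data.
    probe = "nobody@example.com' OR '1'='1"
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_probe": len(lookup_vulnerable(conn, probe)),
        "safe_honest": len(lookup_parameterized(conn, honest)),
        "safe_probe": len(lookup_parameterized(conn, probe)),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the probe returns every row in the table, which is exactly the "access data you were never meant to see" outcome described above; with the parameterised query the same probe returns nothing, because no customer has that literal string as an address. The same probe, run against each query in a test suite, is a cheap regression check that no one has reintroduced string building.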
This got me thinking about a presentation I did earlier in the year to security experts.
As many people will know I tend to "plan" some of my conference presentations 5 minutes before I go on stage as this gives me the ability to judge the mood of the audience and pitch accordingly. I try not to use notes and avoid slides, especially if I am late on through the event...
I thought it would be a good idea, as I was amongst experts, to put myself in the shoes of an average PC consumer who doesn't know all the ins and outs of technology and ask for 3 volunteers from the audience to help me buy a PC from a security perspective – easy.
It was not even easy to get three people to come on stage; strangely they thought it might be a setup. Still the pitch, pause and pounce model worked well. It went something like this:
- [js] "I want to buy a PC, what do I need to do to keep myself really safe if I go online?"
- [a] "Don't turn it on"
- [js] "Where does it say that on the box... you know smoking can damage your health...?"
- [a] "It doesn't"
- [js] "Humour me, I want to go online, I like the additional light coming off the monitor in winter, what would I need to do?"
- [a] "Buy some more stuff"
- [js] "Give me a clue, where does it tell me what else I need to buy?"
- [a] "It's probably in the instructions, or you will need to go online"
- [js] "Let's assume I am online, what else do I need to do to be as safe as I can be?"
- [a] "Buy some more stuff"
- [js] "Such as?"
- [a] "Antivirus, a firewall, anti malware"
- [js] "And how do I know which one to buy?"
- [a] "You need to search, or you might get some preloaded as a trial version"
- [js] "Is there an approved standard that tells me which one is best and which one will stop most of the bad guys?"
- [a] "No, pick the one you best like the look of"
- [js] "So if I have all this working am I now safe from country pursuits such as phishing and pharming?"
- [a] "Safer, as your machine might not be patched"
- [js] "But I have this live update thingy going, so I must be safe, mustn't I?"
- [a] "Not necessarily so, as live update doesn't cover all software"
- [js] "How would I know what was still unsafe?"
- [a] "You would need to get more stuff"
It went on for a little while longer, and our basic conclusion was that we might have lost sight of some of the basics, as we can get so immersed in the crypto space and the high-tech end of the debate. When many people buy things they expect them to work; after all, they don't normally buy a car and then have to add all the safety features on themselves – thank heavens. So shouldn't we be getting to this position with the basics of technology?
But of course it isn't just about the PC; the PC is just a simple manifestation of a complex problem. A problem, in part, stimulated by the consumerism and commoditisation of personal technology, where the internal workings hold little more interest than how the electricity grid works.
This challenge was reinforced when I was talking to a group of people who run a business helping organisations security-test their systems through ethical hacking (penetration testers), and who also spend time testing new hardware and software for known vulnerabilities. They were saying that whilst the computer code they see is superb, and clearly written by well-trained programmers, those programmers seem to lack knowledge of history – that is, experience. One new widget they were testing they hacked in 5 minutes by using one of the first known vulnerabilities, found some 20 years ago...
As an industry we have come a very long way but there is still more to do to make the technology we produce "human proof".
But all is not lost; technology is hugely sophisticated. I found this as proof, clearly a true story :)
"At a recent Sacramento PC User's Group meeting, a company was demonstrating its latest speech-recognition software. A representative from the company was just about ready to start the demonstration and asked everyone in the room to quiet down. Just then someone in the back of the room yelled, "Format C: Return." Someone else chimed in: "Yes, return!"
Unfortunately, the software worked."