I don't know about you but I get a fair amount of email and reports from security vendors advising me on the current state of PC/internet security and how users of PC's are being attacked, infected, hard-done-by etc etc etc. They of course want to convince me that by using their products all will be safe in the world of the internet and the humble use of the PC – citizens need not fear anymore, that's of course if they do fear at all. So I was interested to see on the BBC website a few days ago the 'US man 'stole 130m card numbers' article the gist of which a technique known as an "SQL injection attack" (a method that involves exploiting errors in programming to access data ) was used to access the databases and steal information.
This got me thinking about a presentation I did earlier in the year to security experts.
As many people will know I tend to "plan" some of my conference presentations 5 minutes before I go on stage as this gives me the ability to judge the mood of the audience and pitch accordingly. I try not to use notes and avoid slides, especially if I am late on through the event...
I thought it would be a good idea, as I was amongst experts, to put myself in the shoes of an average PC consumer who doesn't know all the ins and outs of technology and ask for 3 volunteers from the audience to help me buy a PC from a security perspective – easy.
It was not even easy to get three people to come on stage; strangely they thought it might be a setup. Still the pitch, pause and pounce model worked well. It went something like this:
- [js] "I want to buy a PC, what do I need to do to keep myself really safe if I go online?"
- [a] "Don't turn it on"
- [js] "Where does it say that on the box... you know smoking can damage your health...?"
- [a] "It doesn't"
- [js] "Humour me, I want to go online, I like the additional light coming off the monitor in winter, what would I need to do?"
- [a] "Buy some more stuff"
- [js] "Give me a clue, where does it tell me what else I need to buy?"
- [a] "It's probably in the instructions, or you will need to go online"
- [js] "Let's assume I am online, what else do I need to do to be as safe as I can be?"
- [a] "Buy some more stuff"
- [js] "Such as?"
- [a] "Antivirus, a firewall, anti malware"
- [js] "And how do I know which one to buy?"
- [a] "You need to search, or you might get some preloaded as a trial version"
- [js] "Is there an approved standard that tells me which one is best and which one will stop most of the bad guys?"
- [a] "No, pick the one you best like the look of"
- [js] "So if I have all this working am I now safe from country pursuits such as phishing and pharming?"
- [a] "Safer, as your machine might not be patched"
- [js] "But I have this live update thingy going, so I must be safe, mustn't I?"
- [a] "not necessarily so, as live update doesn't cover all software"
- [js] "How would I know what was still unsafe?"
-
[a] "you would need to get more stuff"
It went on for a little while longer and our basic conclusion was that we might have lost sight of some of the basics as we can get so immersed in the crypto space and the high tech end of the debate. When many people buy things they expect them to work after all they don't normally buy a car and then have to add all the safety features on themselves – thank heavens, so shouldn't we be getting to this position with the basics of technology?
But of course it isn't just about the PC, the PC is just a simple manifestation of a complex problem. A problem, in part, stimulated by the consumerism and commoditisation of personal technology where the internal workings hold little more interest than how the electricity grid works.
This challenge was reinforced when I was talking to a group of people who run a business helping organisations security test their systems, through ethical hacking (penetration testers) and also spend time testing new hardware and software for known vulnerabilities. They were saying that whilst the computer code they see is superb, and clearly written by well trained programmers, they seem to lack the knowledge of history – that is experience. A new widget they were testing they hacked in 5 minutes by using one of the first known vulnerabilities found some 20 years ago...
As an industry we have come a very long way but there is still more to do to make the technology we produce "human proof".
But all is not lost, technology is hugely sophisticated. I found this as proof, clearly a true storyJ
"At a recent Sacramento PC User's Group meeting, a company was demonstrating its latest speech-recognition software. A representative from the company was just about ready to start the demonstration and asked everyone in the room to quiet down. Just then someone in the back of the room yelled, "Format C: Return.". Someone else chimed in: "Yes, return!"
Unfortunately, the software worked
Nigel/ Peter/ William, as ever thank you for your comments.
William, you are right plain fact is that there is enormous power and capability in the hands of users and it is something we should celebrate. My point was less about design and usability as I think industry is getting so much better at this. The point I was trying to make was as we add more capability to make the design and usability good we tend to hide the complexity... quite right too. The reality is that not all the technology in the hands of users (individuals or business) is as secure as we would wish it to be - both an industry issue and a user issue. We must not close our eyes to this, but work hard to do what we can to fix it.
Peter what you suggest is right, but the harsh reality is that even though the security parameters might be set to the most optimum automatically, a very good step forward, it still does not mean that it is secure. The reality is we still write poor code, and we don't always write code from the position of "how do I make this safe". I lead on IA for Government and I am implementing the Hannigan recommendations (known as Data Handling Review - DHR). We are looking to standardise and simplify a whole lot of processes and technology, but even after that, it still will not solve all of the issues given just how big the IT and user base is. This has to be a continuous programme of awareness, education and improvement.
Posted by: John Suffolk | 28/08/2009 at 02:40 PM
Isn't that the point that John is making concerning being human proof? The reality is the average person cannot keep up with all the tech changes and nor should we expect them to. So we in the tech industry have to make this as safe and easy as possible. Just go to any security site such as this one http://www.securecomputing.net.au/ to get a sense of the issues. They are substantial to get to the utopia William was talking about.
The post from William seems to be answering another question. Surely William you must be concerned about any powerful piece of technology in the hands or inexperienced users?
I do agree with your question though Peter to John
Posted by: NigelP | 20/08/2009 at 11:23 AM
Why is it up to the user to answer the question 'is it safe'? The answer is provided by a set of parameters in policy and technology that takes a lot of thought and time to resolve. Most people don't have the time, or useful prior experience. The efficient (and more secure) approach is to automate the answer, even if it means accepting some simplifications.
For business this is already happening. I work at Getronics, which provides this as part of its infrastructure services to its customers - and its staff. When I got a PDA and plugged it into my laptop, a network control gave me a choice: allow it to check and set security values on the PDA or the network would not accept the connection.
For people at home and in small businesses, the same experience might be around the corner, as 'going online' turns into not just connectivity but access to applications and storage, too.
For government, the security parameters of technology and policy are being renovated (post-Hannigan), and gradually implemented. A question for John Suffolk - maybe in another post - is there a way to simplify and standardize the technology needed for security by public authorities? In particular, can the policy and technology requirements be codified so their implementation can be automated?
Posted by: Peter Kibby | 20/08/2009 at 10:20 AM
Plain fact is people have powerful PCs and Macs and phones and access to the Internet and do loads of stuff with it. So I'd question your language about making it "human-proof" It could always be better designed, for sure, and easier to use.
But the question is how can we get organisations, including service-providing government departments, to trust the individual's technology and to trust and act on the will of the individual as expressed through their tech.
That's where the greatest opportunity for utility, savings and avoiding waste reside, I think, as well as restoration of trust in the "relationship" between individual and state.
Posted by: William | 19/08/2009 at 03:14 PM