Insecurity by the dozen
At a security seminar today a number of highly skilled professionals voiced their various frustrations: senior managers don't understand the problem; they can't get the budgets, people, and time they need; the industry keeps making the same mistakes over and over; and meantime the threat keeps getting worse. At some point, the conversation veered onto consumers: how responsible should they have to be? How much should they have to know? And why are they still running XP?
At this point it occurred to me that there's a whole load of impediments to security that are rarely discussed because we're too busy thinking about technology, knowledge, and awareness. Herewith, a bunch more reasons why these problems are going to keep getting worse - and I'm limiting the list to things the consumers can control. "Don't shop at Home Depot or Target" is not much help when the next breach is elsewhere.
- Function creep. People do not buy insecure devices. Instead, they buy a phone to make calls, or a car to get them to work and their kids to school without necessarily realizing how the new device is different from the old one. Then someone hacks the car's diagnostic port. *Now* they know.
- Marketing. Banking person says, "Use our safe, secure mobile platform!" Banking person does not say, "But first, you should check that your phone is patched, and take these three precautions." Then, when their work hours are cut a few months later, they're surprised.
- Time. People don't have it, working women especially.
- Good-enough technology. It used to be that you upgraded your desktop PC every couple of years because the new stuff was vastly better. Now you only upgrade if the machine is really badly broken. Tablets and smartphones will soon enter this phase of their development. Is the Galaxy Note 4 really that much better than the Note 2?
- The learning curve of interface changes. Doesn't matter whether it's an operating system, a browser, or an online site such as Facebook. When they roll out a new version there is always a percentage who can't cope and who either refuse to update or botch the new settings.
- Vendor business models. It is in the interest of Facebook, Google, and other large, data-driven companies to convince users that their services provide private spaces in which users should feel safe about sharing information with each other, even when they shouldn't.
- Vendor marketing. As privacy and surveillance-as-a-service become bigger concerns, security becomes a selling point. But security - as Bruce Schneier has so often said - is a process not a product, and it's an ecosystem not a single solution. So your phone's secure! Great! Unfortunately, you've downloaded a malicious app that's made it not-so-secure, but you don't know this and you've used it to access your bank account, which is now cleaned out. You feel aggrieved, and rightly so. This is similar to the early 1990s, when manufacturers marketed their systems as "easy-to-use", causing much frustration and anger because overall, they weren't so much easy as just slightly easi*er* than the last version.
- Human cognitive limitations. I believe we have hit the theoretical maximum number of passwords that humans can remember. But we have password safes to generate random strings and remember them for us. Except that loads of Web sites reject these passwords for not complying with *their* rules for "good" passwords. Some - most egregiously Paypal - bar copy and paste, rendering anything that isn't easily typed impossible. The painful typing on mobile phones does not help this situation.
- Network externalities. Besides the issue of triangulating data, every Web site, every bank, every retailer, every employer sets their security policies and rules in isolation. Blocking copy-and-paste for passwords as above is a good example of not seeing the bigger context. When users are caught between conflicting policies, someone has to lose.
- Mobility. I can opt out of doing online banking on my mobile phone in favor of my more secure desktop or my local, still-functioning physical bank. Increasing numbers of people do not have these choices, because...
- The 99 percent. As the economic divide increases, more and more people will not be able to afford to upgrade anything and will be forced to rely on a single, increasingly ancient device for the only services available to them, which will be largely digital. When vendors stop patching those systems, we will all suffer the consequences. The 1 percent can avoid those nasty economy class passengers with colds by flying on a private jet. The digital equivalent isn't so easy in a connected world.
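The "human cognitive limitations" and "network externalities" points above describe a concrete mechanical failure: a password safe generates uniformly random strings, and each site's home-grown composition rules reject some fraction of them, while two sites' rules can contradict each other outright. The following is an added example, not code from the column, that makes both effects measurable. The three policies in it are constructed stand-ins for the kind of rules sites impose, not the rules of any named company; the function and policy names are mine.

```python
import random
import secrets
import string

# Hypothetical policies, constructed for this example. They stand in for
# site-specific rules set in isolation, not for any real site's rules.
POLICIES = {
    "bank":     {"min": 8,  "max": 64,  "require": {"upper", "lower", "digit", "symbol"}, "forbid": set()},
    "retailer": {"min": 8,  "max": 12,  "require": {"upper", "lower", "digit"},           "forbid": {"symbol"}},
    "employer": {"min": 14, "max": 128, "require": {"symbol"},                            "forbid": set()},
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII characters


def char_classes(pw):
    """Return the set of character classes (upper/lower/digit/symbol) present in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def violations(pw, policy):
    """Every rule in policy that pw breaks, in a stable order; an empty list means accepted."""
    found = char_classes(pw)
    problems = []
    if len(pw) < policy["min"]:
        problems.append(f"shorter than {policy['min']}")
    if len(pw) > policy["max"]:
        problems.append(f"longer than {policy['max']}")
    for cls in sorted(policy["require"] - found):
        problems.append(f"missing {cls}")
    for cls in sorted(policy["forbid"] & found):
        problems.append(f"contains forbidden {cls}")
    return problems


def generate(length, rng=None, alphabet=ALPHABET):
    """A uniformly random password, as a password safe would produce it.
    rng is a random.Random used only for reproducible tests; leave it None for real use,
    which then draws from the secrets module."""
    pick = secrets.choice if rng is None else rng.choice
    return "".join(pick(alphabet) for _ in range(length))


def rejection_rate(length, policy, trials=2000, seed=None):
    """Fraction of random passwords of the given length that the policy rejects (Monte Carlo)."""
    rng = None if seed is None else random.Random(seed)
    rejected = sum(1 for _ in range(trials) if violations(generate(length, rng), policy))
    return rejected / trials


def policy_conflicts(policies):
    """(site_a, site_b, reason) for every pair no single generator setting can satisfy:
    disjoint length ranges, or a class one site requires and the other forbids."""
    conflicts = []
    names = sorted(policies)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = policies[a], policies[b]
            if pa["min"] > pb["max"] or pb["min"] > pa["max"]:
                conflicts.append((a, b, "length"))
            for cls in sorted((pa["require"] & pb["forbid"]) | (pb["require"] & pa["forbid"])):
                conflicts.append((a, b, cls))
    return conflicts


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        rates = {name: round(rejection_rate(length, p), 3) for name, p in POLICIES.items()}
        print(f"length {length}: rejection rate per site {rates}")
    for a, b, reason in policy_conflicts(POLICIES):
        print(f"conflict between {a} and {b}: {reason}")
```

Two things fall out when you run it. Even the permissive "bank" policy throws away a noticeable share of genuinely random 16-character strings, almost entirely because a uniform draw from 94 characters sometimes contains no digit; shorter passwords are rejected far more often. And the "retailer" and "employer" pair is unsatisfiable by any single setting, so a user with both accounts cannot configure their password safe once and forget it; that is the "caught between conflicting policies" case in code.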
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.