
The gunpowder tea party

For several years in the mid-2000s, Privacy International ran annual Stupid Security Awards. The situation has not improved since.

Item: last week I took a small (under 100 grams) package destined for elsewhere within the UK to the post office. "What's in it?" the postmaster asked. I genuinely couldn't remember beyond that it was an item I'd found on my desk that I thought the recipient should have. "I can't send it if you don't tell me what's in it." He could, however, sell me stamps to put on the package so I could drop it in the post box outside.

Item: an absurd exchange with the now-departed-from-my-life Vodafone. On February 2, my number ported to the new supplier. As that was the day my bill was due, I thought I'd check the website to see if I had anything to pay and discovered porting the number had simultaneously shut down web access to my billing information - I say "my" billing information, but that's like "my library book". I initiated a web chat. All I wanted to know: would they send me a final bill?

"Dylan" (who I thought was a robot until he? started misspelling things, which, who knows, may be deliberate to make a bot look human) said he had to take me through security. Name, address, phone number, amount of my last bill. I gave the amount of the January bill and said I didn't have February. Dylan responded with a little encomium about how security is important and that's why he has to ask these questions. He did *not* indicate whether he'd accepted the January amount.

Which may be why his next question - "what is the IMEI number of your handset" - made me feel less confident that I was really chatting with someone from Vodafone. I know: I contacted them via their HTTPS-protected website. But malware...hacking...social engineering...someone asking a string of questions and providing no feedback...and I could see no logical reason why they needed this level of certainty in order to send a bill to an email address they already had on file. At that point my New York personality - impatience and distrust - kicked in and I said if they wanted payment they could let me know. End of conversation.

People confronted with situations like these do not conclude that there are terrible risks we must all work together to protect ourselves against. Instead, they conclude that security is stupid, inflexible, and a waste of their time, a result that makes solving the society-wide security problems we actually face even harder.

To be sure, a lot of the issue was a design problem. Vodafone did the right thing in telling me how long I would have to wait before my chat approach was answered - but it then did the wrong thing by not telling me how many questions I might have to answer or how long the security process might take. This is a mismatch between their perception of the task and mine. I want an answer to my question and anything leading up to that is "waiting". They think once they have connected to me I am no longer "waiting" and am now being served. Answering security questions is not being served; to the customer it's still waiting. "Being served" is: I'm looking for the answer to your question and here it is.

The other really significant thing Vodafone did wrong is to fail to offer any acknowledgment that we were making progress toward a defined goal. I understand that security people do not want to give a miscreant clues that might help them game the system. I get that. I also get that the procedure and number of questions may vary. But there still needs to be some feedback. I'm still *waiting* here. The even more significant failing was the depressingly standard behavior of not offering any information to confirm its own identity. If all organizations handling sensitive information had adopted two-way (not two-*factor*) authentication when telephone banking began and made it standard practice that grew up alongside the internet, there would be few phishing problems now.

That's becoming an increasing issue because the other side of stupid security is that the people in charge of important building blocks are making the kinds of stupid decisions that make it impossible for us to make good ones. Just this week:

Item: Lenovo has been shipping PCs with adware that intercepts HTTPS connections in the interests of inserting ads. In the US, many companies do this, presumably with some idea that in-depth monitoring of their employees' web use will yield at least legal compliance, at best some ability to catch wrongdoing.

Item: Samsung has been shipping smart TVs that capture what's said in front of them and upload it unencrypted. Yes, Samsung will fix it, but here is the future: updating myriad "smart" inanimate objects because their makers have no...let's call it street smarts.

Item: GCHQ and the NSA hacked Gemalto's network to steal the encryption keys that protect many of the world's mobile phone conversations. What they failed to win legally when key escrow was defeated, they went ahead and stole.

Every part of this ecosystem matters, from bad design decisions to deliberate undermining. As Privacy International founder Simon Davies said in 2003: a global menace.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

