I was paying for my parking at a ticket machine the other day. As I patiently followed the sequence instructed by the machine, I thought about how machines and software are increasingly training humans. And we’re just letting it happen. That same weekend I observed several headlines about Samsung Smart TV exceptional eavesdropping capability. From Samsung: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” This isn’t new news, but it got me thinking. It is another example of how we have to change our behavior to work around devices and software. Again.
We can’t live without our multi-sensor devices we still call “phones.” We trust software is doing its job and enabling these cameras and microphones only at our request. We also trust that there are no back doors or malware on the device that enable these eavesdropping features without our knowledge. But it comes down to well-behaved software to not facilitate eavesdropping. The hardware is always ready.
I propose getting back to basics. There should be physically controls in place to disable these cameras and microphones. Similar to the plastic tab you pull out of a newly-purchased device to enable battery contact, or the plastic key you can yank out of a treadmill if the speed of its ad infinitum path gets too much for you. With this would be the manufacturer’s certification that these keys, tabs, lens covers…whatever form they take…absolutely block or allow these sensors from being accessible by any software running on the device.
Software has gotten to be too complicated. It’s time to reintroduce physical controls. For now there is electrical tape.
I read an interesting article pn Computerworld.com titled “Worm may create an Internet of Harmful Things.” It discusses how, as our world becomes filled with Internet-connected devices, concerns over security grow. There is one quote from the article that stands out for me: “Security expert Bruce Schneier…is concerned about the broader risks to the Internet of Things. In many cases, IoT connected systems are using firmware that can be hard to patch. In fact, ‘in many cases, [it’s] unpatchable,’ he said.” Unpatchable.
When it comes to software security, if it cannot be updated, it should not be used.
This reminds me of an interesting (perhaps unrealistic) software development methodology called “cleanroom engineering”. With this approach the focus is on preventing bugs or vulnerabilities from ever making it into production code. The SDLC is heavily weighted on all phases before actual coding begins, because (per this methodology) all you have to do is code to the design, since it should be defect free.
This approach to software development seems like an analogy for vendors who release products that cannot be updated. There three reasonings that I can see for this. The vendor
- assumes its product is truly 100% secure, and no vulnerabilities will ever be discovered
- hopes that significant security issues with its product will not be discovered within a reasonable (or obligatory) timeframe
- does not offer patchable products, but offers to sell replacement products that address the security vulnerabilities found in “last year’s model.”
Replacing products used in production is costly and disruptive, and I can’t see the news of any unpatchable security vulnerability endearing a vendor to a customer. In our rush to Internet-ize everything, security may take a back seat again, just like the early days of the Internet or smart phones. As a result, weaknesses will be exposed that attackers the opportunity to do embarrassing, destructive or even dangerous things.
Vendors should operate under the assumption that something will not go according to plan. At some point, a security vulnerability will be discovered in a product even if the vendor did not find it pre-release. And when that vulnerability is found, the vendor should be able to fix (patch) that vulnerability ASAP. Any other approach, such as selling software products that cannot be patched, is downright irresponsible.
Finally taking the time to figure out how to properly sell the book Cyber Security Basics. I have updated the pricing and updated the Kindle version, and started paying attention to the sales dashboard. To date I’ve sold 215 copies of the physical books and 58 of the Kindle ones.
Kindle Sales for 2016
There has recently been an upward trend that I hope will continue as I dig more into the as-of-yet untapped marketing options available to self-published authors. And there are a lot!
Thank you to everyone who has purchased a copy. Please review it in Amazon if you have a spare minute–it would be a huge help.
Do we have a moral obligation to respond if we see someone using a clearly outdated operating system like Windows XP? Is it along the same lines as “if you see something, say something?” I guess it comes down to risk management. If the deprecated OS is observed using sensitive or personal data (such as in a doctor’s office), the need to do something is elevated. If you see it driving an electronic billboard, well maybe not so much.