Monday, October 14, 2013

Robert's Law of security and technology progress

Robert's law of privacy & security.

"The number of advances in capabilities within the online world is proportional to the number of issues with privacy and security."

A strong statement, some would gather, and something that would seem counterintuitive. Would not technology improve security, or, as some would say, build a better mouse trap?

Let’s delve into this a little further.

We now have a number of cloud computing capabilities that improve the ability to share resources: Dropbox, Google Drive and Dump Truck, to name but three. These types of software/hardware allow us to share files among our peers within the 'Cloud', thus allowing a more seamless experience when trying to share presentations, school projects, etc. Yet this year alone Dropbox (and I only use this as an example, as some other cloud suppliers have had security concerns expressed about them as well) had a security issue. In a four (4) hour period, accounts were unlocked and accessible to the general public.

Let’s take another example.

Social media. It is in the forefront of most people's minds right now. And, as we see, a lot of companies are embracing this new marketplace with vigor. It is seen, by some, as a way to better connect, or re-connect, with friends and family. I, for one, keep in touch with relatives from Australia, Hungary and Michigan using a combination of Twitter, Facebook and LinkedIn. Companies are jumping on board as well, seeing the opportunity to have another marketing vehicle in their arsenal, providing enhanced customer service and differentiating themselves from the competition. Yet there have been a multitude of security and privacy issues with the social media suppliers. For example, there was the time that a certain number of users potentially exposed their personally identifiable information within Facebook. Twitter, another social media darling, had a number of issues concerning security as well.

And another.

RFID = Radio Frequency IDentification. We all use it. But what is it? It actually encompasses a lot of different devices and uses. They include the NEXUS card, issued by the US and Canadian governments to allow pre-screened passengers speedier border crossings. It allows Jane Smith to tap her credit card on the gas pump reader to pay. It can be used to track merchandise in warehouses, etc. Yet within a very short period of time after general deployment in the public arena, security issues started to be raised and exploited, both by the public and by informed experts.

And finally, within the last month (as of this being written), the fingerprint recognition capability within the new iOS 7 had its security questioned. The new capability allows anyone with a new iPhone 5S to buy songs, etc., using their fingerprint, in the iTunes Store (more to follow, I am sure). Yet within a very short period of time, concerns about the security of this capability surfaced.

So what does this all mean? Should we ban all new technology? While I am sure there may be some people who would say yes (as there are still some people who believe the world is flat and Elvis is alive), that is not going to happen. If we had banned technology then, would we have no computers? Or if we had waited and implemented the ban when transistors came about, or when the ARPANET/Internet was created, or when the WWW (World Wide Web) arrived, where would we be now?

In reality, as the human race continues to explore and innovate, technology will move forward.

So am I advocating we just plow ahead full steam? Well.....

I think we need to recognize that with each innovation, invention, etc., the security and privacy landscape changes. That when we embrace the new mouse trap, we should also realize that it brings with it potential security and privacy issues that need to be addressed.

Let’s take the last example I used. Apple introduced the new capability stating that the iPhone 5S is an innovative way to simply and securely unlock your iPhone with just the touch of a finger. However, noticeably absent was any further discussion about the security component. While I don't expect a detailed discussion, I do expect a phrase or two addressing the obvious concerns.

Why is it that security (and indirectly privacy) is such an afterthought? We introduce new ways to build a better mouse trap¹, yet we do not look at what the implications of this new technology are and what changes need to be made so it is implemented safely and securely. Companies jump on bandwagons all the time without fully engaging in an analysis of the various issues of concern. Apple introduces a finger scanner, yet a hack was published within the month. Banks introduced 'chip and pin' credit cards and then tried to deny any reimbursement for fraudulently used cards.

So what does this all mean? In all our dealings, whether it is building a new web site (Privacy by Design) or a new technology, we should be advocating Security by Design in whatever we do. It should not be an afterthought. We should expect that there will be issues and not wait for some smart hacker to point out the problems. We should take the bull by the tail and face the situation. Be proactive rather than reactive, as we seem to be most of the time. If we do this, then we will hear fewer and fewer press releases on how some new technology was hacked and broken, and how, as a result, a fix had to be developed and deployed. Never mind the PR issues that raise their head during such an event.


¹ The actual saying goes like this: 'If a man has good corn or wood, or boards, or pigs, to sell, or can make better chairs or knives, crucibles or church organs, than anybody else, you will find a broad hard-beaten road to his house, though it be in the woods' (Ralph Waldo Emerson). I prefer the modern version for brevity, if for no other reason.
