Security is a Myth
If you own a printer or a smartphone, you’ve probably done some rethinking about a few things over the past week or two. The recent rash of headlines to hit the mainstream media has produced much speculation, misinformation and meetings with Congress, but it has been successful in reaffirming one thing:
Security is a myth.
On the surface, the act of collecting semi-personal information about our calling habits and surreptitiously shipping this data off to mobile phone carriers is bad. At a minimum, having 140 million printers and multifunction scanners and faxes on our networks that are vulnerable to attack is bad.
But the real problems go much deeper.
Consider that our mobile phone carrier told us all about CarrierIQ, but we didn’t care. Yes, it’s right there in the fine print. Very fine. Our End User License Agreement told us that they were going to steal our personal information and use it to analyze our usage habits, and then we happily signed the paperwork. We had a chance to say no, but we either didn’t care, didn’t take the time to understand the security implications, or made the decision to trade our personal data for convenience.
We do it every day.
We should also consider that Angry Birds isn’t much different from CarrierIQ, and the information is going to a pretty-much-unknown third party. Our names, addresses, possibly even our GPS coordinates given the appropriate permissions. Yet we happily trade that information for a few minutes of enjoyment.
It’s bad that smartphones are shipping off our personal information, but it’s much worse that we said it’s OK.
And we introduce hardware and software to our work environments in the same manner. Hardware and software that was never designed to be secure. Sophisticated multifunction devices that host web servers and command shells that accept software updates and connections from anyone. These devices are like hacker outposts.
It may be bad that these devices are vulnerable, but it’s much worse that they have access to all of the other assets on our networks.
If you want to know what it’s like to attempt security in today’s world, try jumping into a pool without getting wet. The odds are the same. Everything around us is vulnerable, from our resumes to our Facebook walls, from our mailboxes to our personal interactions. The true saving graces are that there are always less secure entities than you and there are only 24 hours in a day.
Now if this sounds a bit cynical, please don’t misinterpret: I believe that good will always prevail over evil.
We just might get a little wet along the way.