IT Security... Food for Thought.

I don't know if this is precisely the right forum... But I'm reading it as the "Science and Technology"
forum, based on the posts and other forums.
I apologies to anyone who thinks this is the wrong forum.

This is a story I came across from reading this blog: https://www.schneier.com/
which I read regularly [and highly recommend].

http://web.archive.org/web/20150114220658/https://medium.com/@SwiftOnSecurity/a-story-about-jessica-and-her-computer-e400fa9fd4e

The 'fictional' story in the post is about an average person and their experience of computer security.
As someone who has spent years on the business-end of average computer users security issues
this rang completely true for me.

Here is how it concludes...

What was Jessica’s sin in this story? Was it not educating herself on the benefits of Open Source philosophy and running Linux, software which is free? Was it not having friends or family that knew about computers, whom she could ask for advice? Was it not befriending Josh? Was it being someone who had other priorities in life? Was it not knowing that the companies providing her software updates also try to trick her into installing junkware, and she needs to uncheck “Install Ask Toolbar” every time? Was it stupidly not knowing the era that SMTP was designed in and that it doesn’t provide any authentication? Why didn’t she put tape over the webcam? Why didn’t she take apart the laptop to remove the microphone?

Maybe this isn’t her fault. Maybe computer security for the average person isn’t a series of easy steps and absolutes they discard from our golden mouths of wise truths in order to spite the nerd underclass.

Perhaps it’s the very design of General Purpose Computing. And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did.

So whose fault is it.

Originally posted by googlefudge
So whose fault is it.

Maybe there are some things for which you cannot lay blame.

I'm thinking this belongs in spirituality or debates as assigning fault really has nothing to do with IT.

Similar questions could be asked of a car accident where say a driver wasn't wearing their seatbelt. Was it the manufacturers fault for allowing you to drive without a seatbelt? Was it the fault of the driver? Was it the fault of the government for not properly training the driver?
In many areas of car safety we have found ways to assign blame and taken extra precautions at all stages because lives are at stake. But when you are designing a laptop or an OS, you are not thinking 'will this kill someone if I don't include an antivirus?'. Similarly government doesn't mandate the need for a 'basic security licence' before being allowed to 'drive' a laptop.

I read the article. An entirely plausible scenario, I must say. This sort of thing is right up my alley: I teach, among other things, professional network security admins how to run Wireshark (that's a protocol analyzer, or "sniffer" ); it tells you what's going over the wire.

We (collectively) in the technologized world have become dependent upon technologies which most people no longer understand. This applies across the board, not only to computers. 50 years ago, cars were simple enough that somebody on your street almost certainly knew how to take out an engine, fix it, and put it back in again (I remember watching my dad take the engine out of a VW van, fix it, and put it back in). I remember when you had to build your own computer (that meant going to Radio Shack and buying separate motherboard, processor, fans, hard disk, box to put it all in etc.--mouse?? wasn't no such thing then). Technology was simpler than and the people who used it were more aware of what was going on 'under the hood' (that's "bonnet" in British English). But technology has become more complicated in the last 50 years; so much so, that most of the people who use it no longer know what is going on 'under the bonnet'. This applies across the board: to cars and computers and telephones and almost everything. Shucks, even the oven the kitchen has a 'chip' on board these days and is fully programmable to turn itself on and start basting the roast while no one is home.

So, back to imaginary Jessica who knows enough about computers to use one, but not enough about IT in general to assess a) what the real dangers are and b) the effectiveness of proposed protective measures. I think this is probably a very widespread concern.

Whose fault is it that technology is now so complicated that a vast majority of computer users are simply reduced to downloading a mass-market freeware AV and hoping that will be sufficient? There is a parallel case. Maybe someone here is old enough to remember the infamous Tylenol extortion case.

http://content.time.com/time/nation/article/0,8599,1878063,00.html

A crazed murder-extortionist laced a commercially available pain killer with poison. People died. The manufacturer received threats of more killings if they did not pay a huge sum of money. There soon followed copy-cat incidents. The upshot was that manufacturers developed tamper-proof seals on all products; we have lived with improved product safety-packaging for so long that probably generations have grown up not knowing why they were necessary.

All this tamper-proofing makes us safe, but it leaves a huge amount of trash to be disposed of. So whose fault is it that there is so much packaging trash? That bastard who poisoned the Tylenol in Chicago in 1982, that's who.

So what's the parallel with IT? Back when the Internet was invented (it was called the ARPANET then, Advanced Research Projects Agency net), we were living in a pre-poisoned age. There was no product safety-packaging. Our pain killers and our computes were not under threat, so they needed no protection. That changed in the IT world when criminals discovered how to make money out of threatening corporations (there were similar extortion crimes committed against major Internet corporations, such as Sony).

As corporations became more and more savvy about protecting their interests, the criminals moved to softer targets, and that's when the Jessicas of this world got involved, unwittingly. Too bad, really.

So, what's the take-home message here? Don't worry too much about what gets into your computer; what matters is what goes out of it! It doesn't much matter what virus a hacker plants on your computer, so long as the virus cannot make contact with the hacker's computer and reveal any sensitive information (such as your bank account details). An AV program worth its salt will warn you when your computer (or any sub-routine running on it) tries to make contact with a server and give you the option of terminating the connection.

Originally posted by moonbus
An AV program worth its salt will warn you when your computer (or any sub-routine running on it) tries to make contact with a server and give you the option of terminating the connection.

The vast majority of AV programs do not do that. In fact, AV is not the correct name for such programs anyway - that is a kind of firewall.
More importantly for the thread is the fact that the vast majority of users wouldn't know which programs should or should not be making contact over the internet and thus will not only be greatly hindered by the software, but also likely end up approving any and all requests anyway.
What we need is not more software that nobody understands, but more basic education and awareness combined with some sort of active reminder to follow good habits.
If you have a camera on any of your devices, be aware that it could get turned on by a malicious piece of software, and consider what you do in front of it.
Of course as we see with taking backups, most people need to suffer some pain before they take precautions and even then many people just never learn.

Originally posted by twhitehead
The vast majority of AV programs do not do that. In fact, AV is not the correct name for such programs anyway - that is a kind of firewall.
More importantly for the thread is the fact that the vast majority of users wouldn't know which programs should or should not be making contact over the internet and thus will not only be greatly hindered by the soft ...[text shortened]... eed to suffer some pain before they take precautions and even then many people just never learn.

I agree that many users do not know the difference between anti-virus software and a firewall, and many operating system built-in firewalls (e.g., Microsoft's Windows Defender) are all but useless anyway, since they do not inform the user that his camera just switched on, for example.

Originally posted by moonbus
I agree that many users do not know the difference between anti-virus software and a firewall, and many operating system built-in firewalls (e.g., Microsoft's Windows Defender) are all but useless anyway, since they do not inform the user that his camera just switched on, for example.

Actually Windows Defender is an antivirus / anti-malware not a firewall. Neither an antivirus nor a firewall has anything to do with your camera. For that you need a more general security suite. However, any root kit worth its salt will disable or hide from the better known security suites anyway. Also, in my experience security suites are more trouble than they are worth.

One obvious solution to the camera problem would be to insist that vendors include a slide over cover for all camera. I know some people tape over their cameras but that is not an ideal solution. Of course it is highly unlikely that manufacturers will ever put any such cover on phone cameras.

Ultimately security is a balance between risk and effort and the best way to help people find the right balance is through education. If you know what your risks are you are more likely to put in the appropriate amount of effort, but as I noted with regards to backups, it is still hardly a guarantee of wise behaviour.

Originally posted by moonbus
I agree that many users do not know the difference between anti-virus software and a firewall, and many operating system built-in firewalls (e.g., Microsoft's Windows Defender

Let us put it this way.

Anyone who's read even a single recent article on Windows 10 and still trusts Microsoft with his on-line security deserves all the reaming he will get.
Anyone who hasn't read a recent article on Windows 10 also deserves all the reaming he gets Reveal Hidden Content.

Clear yet?

Originally posted by Shallow Blue
Let us put it this way.

Anyone who's read even a single recent article on Windows 10 and still trusts Microsoft with his on-line security deserves all the reaming he will get.
Anyone who hasn't read a recent article on Windows 10 also deserves all the reaming he gets [hidden]and yes, that also goes for Appletards and Linuxheads[/hidden].

Clear yet?

I don't agree at all.

It's not even remotely reasonable to expect more than a small minority of the population
to be or become sufficiently expert in dealing with computers and/or security to be able
to understand the issues and make informed and rational decisions based on them.

One of the most frequent observations I had about my clients to the IT service and repair
store I worked at was that a majority didn't know what a browser was, or could tell the
difference between their browser and the web-page they happened to be looking at.
Ask them what browser they use and the most common answer is "google".
Which generally didn't mean they used, or wanted to use, Chrome, but meant that
they used google.co.uk as their home page in whatever browser [typically IE, unless
they had been unintentionally co-opted by Chrome without their knowledge or consent]
they happened to be using.

They don't care, and shouldn't have to care, about their computer and how it works.
They only cared about using it to do whatever. This included business people, teenagers,
and OAP's.

The idea that you could successfully teach all of them to be security experts, or that that
would be a good use of resources, is ludicrous.

This is, as you say, an issue of trust.

But, just as when you go into [any] supermarket you have [and should be able to have] a
valid basis for trusting that whatever food you buy will be safe for you to eat, and not be full
of toxins or diseases, without you having to research every item of food to determine yourself.
You should be able to use any mainstream operating system and/or service and trust that
the regulatory structure exists and works to ensure that you can reasonable trust them to
operate in your interests, to a sufficiently high standard.

Apple is not significantly any more trustworthy than Microsoft, or Google, and most people cannot
be expected to work Linux.

If you can't trust any of them, your choice is not have a computing device and remove yourself from
the modern world. Or pick which feudal overlord to trust with your system and data.


The problem is that we need the regulatory and legal framework to ensure that we can reasonably
trust our OS out of the box to be safe and secure and not invade our privacy.

That wont happen while our governments are cashing in on all this insecurity for their own espionage
benefits.

That is where the problem ultimately lies.

gf:"But, just as when you go into [any] supermarket you have [and should be able to have] a valid basis for trusting that whatever food you buy will be safe for you to eat, and not be full of toxins or diseases, without you having to research every item of food to determine yourself. You should be able to use any mainstream operating system and/or service and trust that the regulatory structure exists and works to ensure that you can reasonable trust them to operate in your interests, to a sufficiently high standard. "


Regulatory structure? What regulatory structure? The Internet is not a grocery store. No authority certifies web content to be safe. Read the fine print: "Use at your own risk."

For example:
http://www.redhotpawn.com/myhome/termsofservice.php
Item 17. Disclaimer ....

Standard boilerplate text, every web site has similar disclaimers.

Originally posted by moonbus
gf:"But, just as when you go into [any] supermarket you have [and should be able to have] a valid basis for trusting that whatever food you buy will be safe for you to eat, and not be full of toxins or diseases, without you having to research every item of food to determine yourself. You should be able to use any mainstream operating system and/or service an ...[text shortened]...
Item 17. Disclaimer ....

Standard boilerplate text, every web site has similar disclaimers.

What part of "you should be able to" did you fail to comprehend?

Originally posted by googlefudge
The problem is that we need the regulatory and legal framework to ensure that we can reasonably
trust our OS out of the box to be safe and secure and not invade our privacy.

It is a complicated situation. I rather suspect you would actually not want to live in countries that do try to do exactly what you are proposing with the internet. China for example filters the internet for your safety, yet receives enormous criticism for doing so.

I must also point out that supermarkets may not sell you poisonous food, but that doesn't mean the food they sell is good for you. I think the question of whether hamburgers should be made illegal is still very much up for debate.

I do think there is room for some regulation. For example, Windows 10 is designed to by default take your personal details and sell it to advertisers. There should be regulations requiring Microsoft to make that much clearer to anyone who uses Windows 10. But should they not be allowed to sell you (or give you) such an operating system even when the purpose is clearly stated? You seem to be saying that because users will always be ignorant, we must ban the sale of operating systems that rely on advertising as a business model. Should we also ban Google and Facebook? What about TV that relies on an advertising model? Or is it only targeted ads that are a problem?

What level of security should be demanded by regulation? If a security bug is found in iOS should Apple pay a fine?

Originally posted by twhitehead
It is a complicated situation. I rather suspect you would actually not want to live in countries that do try to do exactly what you are proposing with the internet. China for example filters the internet for your safety, yet receives enormous criticism for doing so.

I must also point out that supermarkets may not sell you poisonous food, but that doesn ...[text shortened]... ity should be demanded by regulation? If a security bug is found in iOS should Apple pay a fine?

It is indeed a complicated situation, however being complicated doesn't mean insolvable.
And China doesn't do anything close to what I want to do, I think you have misunderstood my intentions.

I must also point out that supermarkets may not sell you poisonous food, but that doesn't mean the food they sell is good for you. I think the question of whether hamburgers should be made illegal is still very much up for debate.

I do realise this, however it used to be the case in the past that food sellers could and did try to get away
with [almost literally] murder in selling 'food' that was unfit for human consumption.
You would have to really pay attention to get produce that was 'safe' to eat.
Now we have lots of regulations and enforcement systems that mean that we can have a high level of trust
that when we go to the supermarket the food you buy will be safe.

The situation we have now with technology is analogous to the pre-regulation food industry.

You can go out today and buy a 'smart TV' [or smart fridge/ electricity meter etc] that connects to your home network
and allows connection to the internet. And that device will almost certainly have no security on it whatsoever.
And when you place that completely insecure device on your network, hackers can remotely take over that device and
use it as a launch platform for internal network attacks on your computers and phones in your home.
Similarly your home router is likely also highly insecure, with no regular security updates, and can also be hacked
and used to launch attacks.

And if your network is hacked by someone taking over your smart tv, the manufacturer has zero liability for any damage
caused due to their negligence in failing to provide a decent standard of protection.

And the way the current market is heading, it is already becoming hard to get tv's that are not smart tv's.
Which means that soon you will either only be able to get a non-smart tv by buying a cheapskate crappy tv,
or by not having one at all. Rinse repeat for every other device that is becoming 'smart'.

Now look at all the services that can only be accessed, or are very inconvenient to access, without internet.

In the modern world you a almost required to have a computer with internet access.

And yet we cannot trust those who provide these 'essential' services with our privacy or security.

The market is not, and will not, provide such things.

So we must have regulations that require these companies to provide decent levels of security and privacy.

This may mean that some business models will fail, as tracking people everywhere and selling that information
is no longer legally acceptable. But those are not the only viable business models, however they out-compete
other business models in the current market as detrimental practices often do. This is why you ban them,
because that creates a level playing field for the non-detrimental business practises to thrive.

What about TV that relies on an advertising model?

That TV advertising is based on the expected make-up of the audience based on the program being shown.
It doesn't track you and invade your privacy.

But should they not be allowed to sell you (or give you) such an operating system even when the purpose is clearly stated? You seem to be saying that because users will always be ignorant, we must ban the sale of operating systems that rely on advertising as a business model.

Not quite. I'm saying that users have essentially no choice but to use one of the major OS's and that they should not
be required to sacrifice their privacy to do so.

As someone who had to 'upgrade' to Windows 10 to become familiar with it for my work, I know how much effort
it takes to disable Windows snooper stuff [assuming it's actually disabled and not lying about it] for some of it
I needed to use command line instructions.

Regular users are never ever going to be able to do that, or even realise that they should.

So yes, the manufacturers should be told that their users have a right to privacy and it doesn't matter what is in their
TOS, they are not permitted to collect or sell their users private data.

What level of security should be demanded by regulation? If a security bug is found in iOS should Apple pay a fine?

No. There will always be bugs. Apple should however pay a fine/be liable for damages if they fail to implement proper
practices for locating and patching bugs as they are discovered.
The major OS's are actually now quite good at this, and regular windows security updates, and the same for iOS and
Linux etc are the norm. However the same cannot be said for all the software you use, or all the other internet devices
that you use, are being developed.

Originally posted by googlefudge
And if your network is hacked by someone taking over your smart tv, the manufacturer has zero liability for any damage
caused due to their negligence in failing to provide a decent standard of protection.

I think your analogy of supermarkets fails here. Supermarket food is like non-tamperproof medicine. If someone puts poison in your food after you brought it home, the supermarket cannot be held responsible. Similarly smart devices getting hacked is not necessarily the equivalent of selling you dangerous goods (a supermarket selling your poisonous mushrooms).

Originally posted by twhitehead
I think your analogy of supermarkets fails here. Supermarket food is like non-tamperproof medicine. If someone puts poison in your food after you brought it home, the supermarket cannot be held responsible. Similarly smart devices getting hacked is not necessarily the equivalent of selling you dangerous goods (a supermarket selling your poisonous mushrooms).

And why do we have 'tamper proof medicine'?

Because people tampered with medicine and regulations were brought in to make that harder to do.

I'm pretty sure that makes my point for me.

However, if the analogy breaks down when overextended that's not a problem because that's what analogies
do when you over extend them.

My argument is not that computer security is like selling food.

My argument is that you should b able to trust that what you purchase is safe, and will remain so.

Originally posted by googlefudge
And why do we have 'tamper proof medicine'?
Because people tampered with medicine and regulations were brought in to make that harder to do.
I'm pretty sure that makes my point for me.

No, it demonstrates that there is a balance to be found. Tamper proof food has not been implemented.

My argument is that you should b able to trust that what you purchase is safe, and will remain so.
But should it be merely safe, or safe from malicious interference by others? In the case of medicine we have decided to take some extra precautions, in the case of food not.
In the case of most computer related security, we have taken precautions but usually driven by market competition rather than by regulation.
In most cases, poor computer security will not do you significant harm. In some cases it might such as when someone gains access to video cameras or bank details.

Did you know that it is possible to access millions of security cameras on the web merely because people leave the default password in place and install them on public IP addresses? This includes cameras installed in private homes. So you are basically saying that the risks involved there are similar to the risks involved with say electric fences and thus subject to some amount of regulation. I am not sure how well regulated electric fences are.