Thursday, August 07, 2008

Trust No-one

Dizzy has an article in today's Times about computer security. He says we have become 'infantilised' by technology and that because of our ignorance we put blind trust in computer security systems.
We should not only be angry with government departments or businesses that fail to protect our data from fraudsters and criminals, but also at ourselves for the blind confidence we have put in technology's ability to provide that mythical thing called “total security”. It is a cliché to say that we as a society have sleepwalked into something, but when it comes to the security of our data we have not just walked, we've rushed headlong into an online world where we instinctively trust everything....

We have become infantilised by technology. Instead of trying to get to grips with information technology, we simply defer to the experts, and then we wonder why we are annoyed when things fail. The truth is that there is no system that cannot be hacked. If a human being can create a security system, then another human being will be ingenious enough to find a way in, or around it. That's why Jeff Richards, the security expert, made his two laws of data security so simple: (1) Don't buy a computer; (2) If you do buy a computer, don't turn it on.

Wouldn't life be duller if we followed that bit of advice! Safer, but duller.

17 comments:

  1. Errr, not having my computer on will make running my blog a little difficult....

    ReplyDelete
  2. jeff richards advice on data security iscorrect as far as it goes but does not deal with the way in which our personal data is acquired, stored and accessed, often without our knowledge or agreement, by governments, their agencies, commercial organisations etc.and security treated in such cavalier manner that one might as well say to the criminal 'here is my credit card to save you the effort of cloning it'

    i note that a dutch IT expert has claimed to have cloned the 'uncloneable' chip to be used in our all singing all dancing passports and id cards and that hm government has in effect told him he is wrong - he hasn't even if he has !

    ReplyDelete
  3. The extent to which we are under the total control of IT experts is evidenced by the 'millennium bug'. How much did we spend on killing that thing, only to find that it was an empty threat? Yet we daren't complain about being ripped off by the IT lobby because we are completely dependent upon them.

    ReplyDelete
  4. I also think he's wrong. I get so tired having to explain to my mother/wife/old schoolfriends/colleagues that registering for a site with an e-mail and password will not lead inexorably to theft of their identity and subsequent global meltdown....it seems that the tech-savvy forget that large swathes of the population still treat new technology with considerable suspicion, fuelled by media speculation on issues - and I have to say that Dizzy's piece is just one such example.

    ReplyDelete
  5. It isn't just online though. If you give your credit card details over the phone to pay a bill, that is just as risky.

    One tip. I wonder how many people use Amazon and keep their credit card details stored on their account? DON'T. If someone hacks you Amazon account, don't make life easy by storing your card details on line, otherwise they can order away. I've NEVER understood why Amazon allows that.

    I've also never understood why we can't have a one use system for credit card numbers. They would work a bit like scratchcards. You scrape one off when you make a purchase online and it is linked to your credit card, but it's a one use number only, so even if a hacker gets it, the number can't be used again. They could be used in high risk places, like garages or restaurants.

    Personlly I only use cash in petrol stations. Where I live we've had a big scam problem with several local petrol stations and people getting thier cards cloned.

    I had a card cloned a few years back, I've now gone back to using cash wwhenever possible.

    ReplyDelete
  6. In fairness I was not saying that you shouldn't buy a computer. I was making the point that thinking your secure because of technology or some PC world numpty tells you you are is universally dumb.

    ReplyDelete
  7. I'm a civil servant. When Gus O'Donnell launched his data security report in July I sat in at the back of the press conference. At the end one journalist, I think she was from ITN, repeatedly asked if he could now say that all government databases were 100% secure and nothing could ever go wrong, could he give a cast-iron assurance that no mistakes would ever happen again and so on.

    He, sensibly, replied with something along the lines of "No, but I think if we follow the rules set out in my report we'll be as safe as we can reasonably expect to be."

    And on that night's news she told us that the Cabinet Secretary "was unable to give assurances that [something like the HMRC loss] would never happen again."

    So, Dizzy, in my experience the Government (or at least the Civil Service) is already well aware that there's no such thing as 100% security. Unfortunately this country is full of politicians who think such a truth is unspeakable and journalists who are so desperate for a new scare story that they don't let facts and logic get in the way.

    ReplyDelete
  8. If you want to really frighten yourself take a look at:

    http://p10.hostingprod.com/@spyblog.org.uk/blog/spyblog/

    An altogether sobering experience...

    ReplyDelete
  9. @ Anon Civil Servant.

    Well, she was right, wasn't she? O'Donnell is/was unable to give such assurances.

    And your point is that everyone views things from their own particular perspective? So?

    The real point is that Gus and some of his colleagues are very keen on such measures - with no real justification. I think most of us feel considerable unease at the prospect of large amounts of personal data being routinely examined and handled by largely unaccountable individuals such as, dare I say it, Civil Servants.

    So far there have been all too many spectacular failures. I'm not inclined to suspend my critical faculties because some apparatchik tells me it's all going to be just fine.

    ReplyDelete
  10. So 'we simply defer to the experts' do we? Who would you defer to then, the amateurs? Would you take the same view on doctors or lawyers? As an IT 'expert' who is pretty much at the top end of the technical side of the profession my constant irritation is people who with no IT professional background who think their opinion is better than mine when it comes to large-scale computer systems. Scratch an IT failure and you will find a project where the IT 'experts' were ignored by people who think that just because they can use a word processor they know as much as people who engineer systems for a living. Here is a quiz for you, when was the last time HMG or a large company put up one of its IT professionals to talk publicly about an IT issue? That doesn't happen because people like, well, you Dizzy think you are an ‘expert’.

    ReplyDelete
  11. One of the best trueisms I've ever heard about Computers would have to be "If we had as many problems with a Toaster as we have with a Computer, It would have long ago ended up in the trash." Considering all the important things that Computers do for us these days, I think it's a bit of sage advice.

    ReplyDelete
  12. Excuse me? What one earth are you on? I was referring, quite specifcally, to a general tendency to trust insitinctively, what people ar etold is "what they experts say" in relation to the security of systems when in fact, it isn't.

    Regarding IT projects, I don't disagree with you. Project managers and non-technical people are forever cocking up systems, that's why the last things I built (transnational authentication layer using Kerberos and a transnational SNMP based monitoring system), were done by me and me alone, and I didn;t let project managers get their grubby little paws on them.

    As I say though, you've completely missed the point about "experts". It was not a sleight against IT professionals, far from it, after all, why would I slag myself off? No, it was a sleight against the very people you are referring to that stand up and misprepresent the reality of the security of a system.

    ReplyDelete
  13. Anon Civil Servant said ... And on that night's news she told us that the Cabinet Secretary "was unable to give assurances that [something like the HMRC loss] would never happen again."

    - Unsworth said... Well, she was right, wasn't she? O'Donnell is/was unable to give such assurances.

    Unsworth, that is a good example of journalistic anti-government spin. In fact, only a fool would truthfully give such assurances, i.e. that such a thing would never happen again.

    ReplyDelete
  14. All my important work is done on non-mainstream computer systems that no-one is targeting, and are anyway inherent much safer. I back-up my data almost obsessively, and encrypt it, including offsite backups at two other locations.

    I cannot eliminate all risk, and am well alert to the remaining deficiencies (thankfully not all that significant in reality!) but have at least made the effort to minimise the chance of anyone dodgy (and that includes today's Government) getting their hands on anything they might devise a way to misuse, as they tend to do.

    Therefore my main computer is switched on -- and so am I!

    ReplyDelete
  15. Anon 4:19 PM

    "that is a good example of journalistic anti-government spin. In fact, only a fool would truthfully give such assurances, i.e. that such a thing would never happen again."

    Precisely.

    So we should take O'Donnell's flannel about being "as safe as we can reasonably expect to be" as some sort of reassurance? WTF does that comment actually mean?

    All these soothing noises emanating from Civil Servants who most certainly will not have to pick up the pieces when the whole thing crashes and burns are simple persiflage (or, if you like, bullshit). What's O'Donnell's career plan, anyway?

    When I hear this kind of garbage from these highly paid and grossly irresponsible jerks my immediate reaction is to check that the magazine on my Browning automatic is fully loaded.

    ReplyDelete
  16. "In fact, only a fool would truthfully give such assurances, i.e. that such a thing would never happen again."

    That was the point I was trying to make - as Dizzy says, there is no such thing as 100% safe and there never will be.

    Yet ministers and the media both like to pretend there is such a thing as a risk-free world, ministers so they can reassure the voters that everything is fine and the media so they can do their smug and superior act whenever something goes wrong.

    Which reminds me, have the Daily Mail found their missing laptop yet?

    ReplyDelete
  17. Dizzy, your piece was easily misunderstood.

    On the substantive, do you have a bank account? If yes to that do you believe that your bank runs it on paper ledgers marked up with quill pens? If no then do you allow that some computer systems can operate a level of security that most people find acceptable?

    The real issue is actually incentives and public policy. Banks operate generally secure systems because if they didn't then they would go out of business very quickly. So they spend on technology and expertise for very secure systems. However, the downside risks of poor security for organisations that do not face being punished by the market are not high, hence a general laxity in governmental systems, particularly with ordinary people's personal data. If there was a Data Protection Act 2008 that changed the risks to all organisations of playing fast and loose with people's privacy then the whole dynamic would change rapidly.

    You can build systems with good-enough security, if you can persuade someone it is important enough to pay for it.

    ReplyDelete