2016 02 25.Why Computer Security Needs To Be Incredibly Strong
Why Computer Security Needs to be Incredibly Strong
When you think about your garage and security it is mostly about keeping people out so that they can't steal your stuff. The people are the ones in your vicinity. They may not be your neighbors, but at most they are from across town. That limits your exposure.
A lot of time you just keep the more valuable stuff in a more secure location. You don't store your jewelry in the garage. You hide that inside the house with a better lock and lock the door to the house.
Burglars might still find it but this made it difficult enough. If the government wanted to search your house, they got a search warrant and showed up at your door. If you didn't open the door and let them in, they just broke it down. Supposing that they didn't find anything? They would pay for fixing the broken door and you were left with your stuff.
On a 1 to 10 scale of security this is a 2 or 3. It keeps most bad folks out and the government has to have a very good reason to do a search. To do a search they have to actually arrive at your door.
If you want to keep your jewelry safe, you put it into a safe with a combination lock. This is more to keep the burglars out than anybody else. You might even bolt the safe to the floor! Now you are up to a 4 or 5 for security. If you keep the location of the safe hidden, then you gain some security by obscurity and that is making it a 5 or 6.
If you want more, then you lease a safe deposit box with a bigger, (and hopefully better), safe and keep your precious stuff inside a bank. Let's give that a 6 for safety. This is not much of an improvement. You lose obscurity because a safe deposit box is a target for thieves. You gain a much better lock.
Now enter the digital world. The game is a little different. First of all if somebody steals your digital data, you still have a copy. You may not notice that the data is even gone. If somebody breaks into your house and takes your physical stuff, you will more than likely notice it. The risks are higher too. If somebody steals a fake gold necklace, you might just not care. Loss to you is $20 to $50. Suppose they take your SSN, your passwords, empty all your savings accounts and take out a car loan in your name. Now the damage is $30,000 maybe even $50,000. You now spend weeks of your time, (time that you can never get back), dealing with identity theft.
Also the potential set of attackers is much larger. The set of criminals that might attack you is no longer in your vicinity. You are at a larger risk from the Russian Mafia then you are from the people in your city. One attacker can leave holes that another can exploit. Maybe you are unlucky and for some random chance you get attacked by the
After 13 seconds they find that they have broken into the wrong persons computer but they leave a hole. Now the Russian Mafia knows what this hole looks like and they go looking for people with this hole. This has already happened with
routers where a foreign government opened a back door and then other unfriendlies used it.
Before the digital world you only had to defend against a small set of ill equipped enemies. Now you have to have security as strong as the DOD because you have to defend your iPhone and Android against nation states!
Trust in government is much less too. Not just our government but all of them.
got hacked and lost four million personnel records including fingerprints, biometric data, social security numbers and other private, personal data like health records. The problem with this is that these are the attacks that we know about. Should you trust your own government with sensitive data when they have a track record that is that bad? Think about this. The job of the NSA is to keep secrets and they have had leaks like
That is access to every persons' passwords, bank accounts and pay checks. How long before somebody figures out how to steal that access? They may not need to even steal it. All they need to do is observe how it works and duplicate it.
It is not just our government that has bad security. How many billions of dollars have been lost to the movie industry because they couldn't keep the magic keys to movie encryption safe?
Any backdoor to encryption is the magic key that will be more valuable than any other magic key. Apple's security may be perfect but as soon as you have a tool to crack security it will get distributed to the
around the US. If 11,998 of them are perfect and only 2 of them are bad, then the bad guys get the tool. Most police and most police departments are good and honest.
Note: Added Mar 1, 2016 - [An expert on Apple security, Jonathan Zdziarski, thinks that this spread of the software would occur to all police and other foreign governments. ]:http://mashable.com/2016/03/01/apple-vs-fbi-govtos/#DCImnzTcDaqJ In his words it will spread "exponentially".
The risk of theft is the value of what is stolen divided by the ease of stealing it. A backdoor into security has a near infinite value for a thief. That means that no matter how hard you make it to steal it will still get stolen.
With computers everything is or is not. There is absolutely no middle ground. Things are either true or false. There is no such thing as mostly true and a little bit false. No gray areas. Computers make no distinctions between the good guys and the bad guys. They simply respond to commands. If you know the correct command, then they do what they are told.
Do you want a world where a terrorist organization gains access to a single magic key, a backdoor into your car and then proceeds to crash every car in the US? What happens if your son or daughter is in that car at that moment? The risks are not getting smaller.
No gray areas means that either you have security or you don't. You can't have security and only let the good guys in. Security means that it is locked until you and only you unlock it. If the good guys need in, then they have to ask. Anything less than this is no security at all.
In this modern world a security level of 6 or 7 is not enough for an individual. Everybody needs near perfect security. They need a 9.75 or a 10. They need that not just some of the time. They need it every minute of every day. They need it to protect themselves from every bad government in the world.
Making a backdoor into security is an existential threat to everybody including the US government. Our government will not and can not protect our security in this brave new digital world.
One final note:
If the US puts in backdoors,`then people in other countries will create software that will take them out. It has happened before. It will happen again. Net result is that all the really bad guys will end up with good security and all the good guys will end up with backdoors to let the bad guys in. That is worse than no security at all.
P.S. When I originally wrote this I did not have access to Apple's responce to the request from the FBI. Apparently Apple is thinking along the same lines:
"Given the millions of iPhones in use and the value of the data on them criminals, terrorists, and hackers will no doubt view the code as a major prize and can be expected to go to considerable lengths to steal it, risking the security, safety, and privacy of customers whose lives are chronicled on their phones."
• • • • • •
Author: Philip J. Schlump
Published On: 2016-02-25