Today's post is 9 parts current events and 1 part Irreni.
First the Irreni part: people do not understand technology, scale or especially both when coupled together.
Second the current events:
By Adam Levine
The parade of data breaches that expose information that should be untouchable continues because we're not asking the right questions. It persists because the underlying conditions that make breaches not only possible, but inevitable, haven't changed--and yet we somehow magically think that everything will be all right. And of course we keep getting compromised by a shortlist of usual suspects, and there's a reason. We're focused too much on the "who" and not asking simple questions, like, "How can we reliably put sensitive information out of harm's way while we work on shoring up our cyber defenses?"
As a computer scientist with two degrees from UC Berkeley, let me assure you that your data will never be safe. Ever. Why? Because there are humans involved. That was the opening comment in a class lesson on security.
In a hostile environment where there are known vulnerabilities, allowing remote access to sensitive information is not only irresponsible -- regardless the reason -- it's indefensible. Yet according to the same article in the Times, the Office of Personnel Management not only allowed it, but it did so on a system that didn't require multifactor authentication. (There are many kinds, but a typical setup uses a one-time security code needed for access, which is texted to an authorized user's mobile phone.)
For what it's worth there are uncrackable storage systems. The only problem is that even the person who encrypted the data cannot retrieve it.
My beef with Levine is the same as my praise, "The parade of data breaches that expose information that should be untouchable continues because we're not asking the right questions."
The right question is "who", not "how". The easiest way to breach any computer security system is with someone on the inside. How much would it cost to pay off someone inside the government or Sony to give you access? Target?
Now here's the thing: once you have access then you still need to download the data. For that you'll need computers somewhere on the Internet, preferably out of the reach of US law enforcement. Like say North Korea, China or Russia.
Here's a thought. Why is Edward Snowden the only "inside" person ever to be acknowledged by government and corporations? Oh that's right, Snowden outed himself. There is no conspiracy here, just an understanding of human nature: executives would rather blame data breaches on the Chinese or Koreans than admit an inside job.
If I were a betting man I would bet all my money that the recent Federal Employee, Sony and Target hacks were all inside jobs.
And your inside person doesn't even need to be an inside person. Just steal someone's laptop at the airport. Did you know that laptops are high target items commonly stolen at airports?
To come back full circle to my first class lesson on security: there is no sure security with humans involved. Adam Levine correctly identifies multifactor authentication as required for modern security. But even that won't do you well with humans. RSA SecurID servers have been hacked.
To wit, Adam Levine is not asking the right questions either. The right questions are "who is the inside person" or "whose laptop recently got stolen"?
Hollywood doesn't help things by depicting hacking passwords as trivially easy. The issue here is not just a single password of a user. There are many passwords and intimate system topology knowledge required to gain access to databases. Adam Levine fails to ask the right questions of the human dimension.
From an Irreni perspective these security breaches teach a stark reality about technology scale: the "experts" in the media haven't a clue. Educating people on technology and scale is going to be a long, hard slog.
Scale your empathy, scale the world!
Find your tribe!
Be sexy people!
The future is coming!
Innovate at a rapid pace!
Slow speed ahead!
Well come! and well met!