Device, application, and ecosystem security concerns

And BTW, @bishop and I touched upon some of the challenges with lawmakers as well. And I’m sympathetic to their challenges as well, as a lot of this is totally out of their realm, and vice versa in my case when it comes to lawmaking.

But again doing nothing or relying on users to protect themselves is just setting the table for a disaster(s).

Again not to be hyperbolic, but flawed software was a contributing factor in the Boeing 757 crashes a few years ago. Those weren’t vulnerabilities in the sense that we’ve been discussing here but they were the result of some fundamental flaws in the verification and testing process, something that vulnerabilities are a close cousin to.

No worries, better to have a discussion that builds to a bang, than one that just whimpers out, right? :wink:

I seem to see a desire to “crush my points”, but I want to stress I don’t actually see any of our positions as mutually exclusive. Why not have both grassroots, consumer-led legislation as well as hefty fines for corporate negligence? Though as @JoeS said, it is difficult, as companies are adept at deflecting blame, appealing a verdict ad infinitum, or as @dstrauss put it, just taking it on the chin and carrying on.

I know you think I’m trying to avoid your point about users not having the capability to deal with many intricate OS vulnerabilities, and apologies for that. I should make clear that I agree, much of security is beyond the average user. My point was only that precautionary measures can be taken, and those measures should be highlighted, not obfuscated to the average user.

So I’d like to ask you how you’d like to carry on this debate. I could go over your criticisms one-by-one, as you laid out before. As for me, as I hope I’ve made obvious, my concern is for the knowledge to be there, so the public and lawmakers will be able to craft effective legislation (that is not riddled with loopholes) that actually causes the shareholder pressure we see now in Right-to-Repair.

I believe that consumer-led legislative pressure is far more suited for a long-term solution, but a dual-pronged approach, with fines in the short term, could work too. :slight_smile: How do you want to proceed?

I know this was directed at @Desertlap but (and apologies if the answer is in the above 41 posts) how do we define a standard of security clearly enough to be able to hold companies liable?

Example: wireless router manufacturer X has been informed of vulnerability Y. What agency tracks the vulnerability? Which agency determines whether this is something egregious (easily fixable, stems from a known basic coding flaw), which agency determines how long a fix should take, and for how many years fixes should be provided? Who decides the punishment and how consumers are to be compensated for negligence? To even begin setting up rules around this requires the establishment of several standards and agencies that afaik don’t exist yet.

Would be great if this could get started though. I’d buy a wifi router with known compliance and security commitment if I knew which certification label to look for.

@Marty Well first of all I think possibly we may just have to agree to disagree on some of the points discussed. With that preamble, my actual intent in creating the thread was to have a place to discuss various security issues and vulnerabilities and to your point of educating users where possible.

As to what I intend to do, I certainly educate/alert/explain these issues when possible to both my company and customers where I have a good professional relationship. I also, when we ourselves or through a customer discover a flaw or vulnerability, report it to the company (or companies) involved and am rigorous in “staying after them” for lack of a better descriptor. I feel like this is a responsibility I have in my role in managing a systems engineering type group.

As to my activities outside of the work context, I try to act where/when I can with actions tailored to the topic at hand.

And I feel that this thread should not become a rallying or activist point, but more of an educating type of thing.

That all being said, two last things.

  1. I find the current level of urgency and methods of dealing with these vulnerabilities completely unacceptable. And while I don’t believe you personally @Marty intend to do so, I’ve also seen your “users need to educate themselves” statements used by companies to defer/defend their own action/inaction.

  2. Finally, up to this point I generally find our discussions both instructive and entertaining, such as the recent interchange about iOS tags, and hope we can continue those.

But I still have the strong opinion that companies are shirking their responsibility, that many by their actions or lack thereof are enabling them, and that it is government’s role to step in, in some form or fashion, because that may be the only way some of this improves. And I will be the first to admit that that same government often gets it wrong (DMCA immediately comes to mind), but no effort is far worse for us all.

1 Like

And in the spirit of trying to move this thread back to my original intent.

This is a very important, but very poorly documented and explained (by MS), feature of modern Windows. One that we’ve seen more times than I can count “where users choose wrongly” and open themselves to an exploit(s).

PS: I’ve retitled the thread to also hopefully refocus the discussion

1 Like

Physics has Newton’s First Law of Motion: Objects at rest remain at rest and objects in motion remain in motion until acted upon by other forces. I submit there is a corollary for large business enterprises. Overcoming “Systems Inertia,” if you will, takes huge amounts of time, money and people.

Large businesses dependent on computing resources (e.g. banking, finance, insurance, telecomm, etc.) are also end users in this scenario. I know of at least one large regional bank merger in the last 2 years driven in no small part by the huge and looming financial cost of updating systems for privacy and cyber vulnerabilities. The rationale being one much larger bank could better carry the cost rather than 2 smaller banks trying to spend the same amount of money twice.

Think about patching existing production environments. (e.g. VISA/MC/AMEX running millions of transactions per minute, wireless carriers with millions per second.) The big Equifax breach a few years ago was in part attributable to delaying patching cycles because of problems taking down the production environment. How many times have all of us b i t c h e d at the odd hour when we log into a banking or transaction app to get the message “down for maintenance”? Running patches every week/day has to be $$$$$$$$ and painful to people whose compensation is tied to customer satisfaction.

There is no excuse for poor management, but escalating cyber/privacy risks track increasing software automation. I suspect that the future costs of cyber/privacy risks and the mitigation thereof may not always be fully baked into the business plans greenlighting incremental automation. Will AI give us self-healing systems that can continue to run the production environment in real-time?

2 Likes

To your point, while I think the username/password infrastructure is hugely flawed and antiquated, I have significant trepidation around efforts like this, not the least of which is that the complexity of these increases possible entry vectors by an order of magnitude and I’m not confident that companies are as rigorous as they can/should be and often roll out these initiatives for their own benefit as much as anything.

That being said, I’m in wait and see mode on this one. Though I do think it’s a significant effort.

PS: One thing I do wish I saw more of is the incorporation of human factors in all of this, such as why so many reuse passwords. And it’s not just laziness IMHO.

1 Like

Speaking as one late-stage “Boomer”: So d a m n e d many accounts needed to function. The credit card, the bank, the mortgage, the car note, one for each email, doctor, social media account…

2 Likes

Remember folks, you are talking about the same capitalists who analyzed the number of deaths vs a small cost spacer on the Pinto axle.

And I thought this was a whole new generation of enlightened, sensitive, caring, social justice warrior executives…

2 Likes

Only if it doesn’t impact the next quarter income statement.

1 Like

That’s a front and a distraction from the man behind the curtain. Disney, for example, is notorious for buying up, gutting, and destroying/discarding every game studio they acquire within a matter of a few years. The survival rate is 0% (Disney Interactive Studios - Wikipedia). The sad part is no game studio of the dozen or so they have acquired over the last few decades has survived their burn and slash managerial style. In fact, it finally caught up with them and their parent one, Disney Interactive Studios, went kerplunk and kerplooey. And no, Lucasfilm Games/LucasArts doesn’t count because they are a figurehead office of a whopping 10 employees for licensing of the brand to third party developers and don’t do any active game development themselves. Karma has finally caught up and Disney now has to contract out to third party studios for games and many of those studios have employees that were formerly employed by them or their acquisitions, meaning they depend totally on external entities for any licensed video games. So Disney can pretend like they have a colossal amount of brain trust, but they are pretty much brain dead when they have killed off most of those brain cells.

1 Like

@Desertlap, I too find our conversation always enlightening, even this one, which helps me reflect and broaden my perspective on the issue.

I hope I’ll also be able to make my contribution to take the topic back to center. :slight_smile:

We have no disagreement there, the final goal is fair and effective legislation. I believe this lies in addressing the power / liability imbalance in walled gardens, i.e., establishing the following:

“Those who have the control in a tech ecosystem, should also bear the most liability to users when that ecosystem fails.”

Would you say, that’s a pretty fair aim for legislation?

This is getting to the heart of the issue. Since companies currently bear little to no legal liability, any attempt to pin additional liability on them will have to be clawed out. And they will argue (fairly, I think) that they can’t be held liable for any dumb user that decided to engage in reckless behavior.

So the legislation will have to perform the tricky slicing of the pie, to determine where user responsibility ends, and corporate responsibility begins.

Using all the ideas discussed so far, I think we can sort of even attempt what this might look like:

| Reasonable expectations on the User | Reasonable expectations on the Corporation |
|---|---|
| 2FA / responsible credential management | Prompt closing of OS vulnerabilities and regular security audits |
| One form of data backup (in case of data loss/attack) | Provide one form of said data backup |
| Reading and understanding of basic security risks and information | Clear and transparent security information provided via the OS |

In the case of the 3rd party apps, any apps signed off by Google (Play Store) or 3rd-party providers (e.g. Epic) are, de facto, the responsibility of the signing authority.

For unsigned apps, the user bears the liability—unless the exploit uses a known security vulnerability—in which case, it is the responsibility of the controlling entity (e.g. Google).

I think that roughly splits the pie, according to the relative resources available to the individual vs. corporation. What do you guys think?

@marty While I appreciate your responses and I find merit in some of your suggestions, as I said earlier I feel your responses are getting circular, and you likely feel the same about mine :slight_smile:

Again what I see in your responses IMHO is that you want to put far too much responsibility on the user, while still not acknowledging the severe lack of tools and resources for them to do so. For example while 2FA is a step in the right direction, it is absolutely both reviled and completely misunderstood by many in the consumer space and for that matter the corporate space as well. Specifically in the corporate case, where the end user is using company provided devices and/or resources, companies should absolutely enforce those requirements regardless because they also bear the responsibility of the consequences.

One form of backup: Which one, who pays for it, who maintains and manages it? Not to mention that backup itself is often a vector for attack and also has had multiple vulnerabilities as well.

I struggle with all of the above, especially as some of the attacks have become or have the ability to become truly threatening to an individual’s well-being. I know that at least a few of the thinkers on this have proposed ideas like a “driver’s license for the internet” and without it, perhaps they should be restricted from certain activities until they do. So I HAVE HUGE, HUGE ISSUES WITH THAT, but the underlying ideas are at least worthy of a little more thought and modification.

Again, I feel like this is getting circular and neither is likely to significantly move the other. So again let’s agree to disagree at least in the broader realm and move on. Where I think we both can still engage is on specific topic related news, innovations etc., a couple of which I’ve already posted above.

1 Like

Another article on FIDO. The more I think about this, the more I find merit in it. It’s far from perfect, but it’s definitely several steps in the right direction.

So of course we’ve already seen movies or TV shows where they do things like point the iPhone at the dead guy’s face to gain access. But…
And BTW: Apple has actually improved their Face ID tech to address that in that the most current iteration looks for some movement cues such as an eye blink as part of the verification.

The big plus I see, is that literally everyone I know over the age of 12 has their phone with them, all of the time. I do acknowledge though that it also has the potential to further the gap between the tech haves and have-nots, e.g. people at the lowest income levels might not have a smartphone.

Surprisingly, research shows cell phones are often the primary (or only) access to internet for the low-income demographics. That realization drove the iOS/Android explosion of banking/bill pay apps.

1 Like

Also true, in fact in Phoenix and LA I’ve seen pilot programs to provide phones and service at no cost. I’m not up to date on the outcomes so far, but the last time I was in Phoenix, I saw two different “pop ups” offering these devices, and fairly long lines to get them.

And for most Asians, regardless of income level, computer sales are way down, and most now use their phone and sometimes also a tablet. Used to be 10 - 15 people with a laptop in Starbucks, now maybe three or four.

3 Likes

Damn this thread has taken off!

I’m fine with Apple, Google, Microsoft, etc. having their own stores that have their own security policies and take their own cuts. I just want options to not use their stores and not have to jump through a silly number of hoops to do so.

The problem is, many developers don’t and wouldn’t bother to publish to those alternate app stores, either through laziness or due to relying on services those app stores offer.

Then there’s the games consoles, that I’m not so sure about. Theoretically, they really should be treated the same. But then again they are purely a luxury, and the companies behind them often put an immense amount of effort into publicising and advertising the work of a range of developers on their stores (that frankly, the smartphone store owners don’t - Apple just show off (and name in small text) just a few, often the same apps).

1 Like

So this is an interesting exploit though it’s not as new as Ars implies, and it certainly is MUCH harder to execute in practice than the article implies.

In other words, it’s on the order of a scene in a John le Carré novel. OTOH, this does show the broader problem of “man in the middle” attacks which are an inherent problem with connected devices or “internet of things” which so far the tech companies have been pretty weak in responding to IMHO.

1 Like