I just read the following article: Security Trade-Offs, which refers to an original article claiming that people need to stop trusting Apple with their data because Apple, as a purveyor of “Shiny Objects”, doesn’t understand security.
Which is funny because the original article shows a lack of knowledge of computer security.
I’ve encountered this lack of understanding of security when talking to friends and co-workers as well, and it irritates me. Worse, they “know” they’re right, because of course it’s incredibly obvious, and they’ve read all sorts of stuff which reaffirms their ignorance while they think they are learning something new.
Security involves three aspects, not just one–and to better understand each of these issues we can think of a house rather than a computer. After all, for your house to be a home, it’d be nice to know it was physically secure, right?
The three fundamental aspects of security are Confidentiality, Integrity and Availability.
For your house to be secure, it needs to be “confidential”: access controls have to be in place to keep out people who are not authorized to enter. That’s the lock on your front door. Beyond that, your house (just one of a bunch in a neighborhood) is somewhat anonymous, and drapes on the front windows keep passers-by from seeing whether you have an expensive stereo system and big screen TV inside.
Now the mistake most people make is that they stop here: as long as people can’t break into my house, all is well. But keeping people out of your house is dirt simple: just cover the front door with cement. Bury your house under a mound of dirt. No-one can enter your house if it is encased in a sealed metal box–not even you.
Sure, we can talk about two factor authentication, and about whether our default of leaving patio furniture outside makes sense, or whether we should chain it to bolts sunk in the back yard, or keep it inside the house so someone can’t jump the fence and steal it.
But all this ignores the two other dimensions of security: availability and integrity.
Availability means: can you get into your house easily, or are you going to be standing outside in the rain fumbling with multiple keys and trying to remember button combinations? Does your house do what you want? Can you move from room to room easily and look at the view from the bedroom window, or are the windows encased in bars and are you constantly having to unlock the door to your bathroom? (After all, your house would be “more secure” if every door had a combination lock that locked automatically whenever the door closed behind you.)
And integrity: does all the weight of those metal plates and the bars on the window corrupt the appearance of your house or make part of it structurally weak and cause the back bedroom to collapse? Sure, you can reduce the attack profile of your house by barring up all the windows–preventing crooks from breaking in by breaking through the window. But you’ve corrupted the functionality of your house: you’ve made it difficult to evacuate your house in the event of a fire. (People have died because of this.)
And sure, the default of putting your patio furniture unlocked in the back yard where it can be stolen by any miscreant capable of climbing a fence makes no sense if you only look at access controls–but if your guests cannot move the patio furniture around freely or you’re constantly dragging the furniture out from a locked garage (locked with a combination lock and separate deadbolt lock), you’re not going to use your patio.
The lack of easy availability of your patio furniture, in other words, means you may as well not have any furniture outside.
Think of Apple as the developer of a subdivision of homes. They all have similar front door locks, similar patios, similar layouts. Apple made those houses convenient and pretty and nice for people to use.
And now a bunch of homes got broken into, and people are (rightfully) asking Apple whether something in the design of the house made it easy for the burglars to break in. And after looking at the corner security cameras, Apple concluded that only specific homes were targeted, by burglars who copied the keys to the front door through ‘social engineering’ means: they followed the owners of those homes around with silly putty and managed to get an imprint of the front door key.
The fact that Apple made it easy to open the front door with just a key is not a stupid vulnerability, as the original Slate article implies.
And in fact, the Slate article ignores the single most common security attack used against computer systems and homes alike: social engineering. Which is just a fancy way of saying that if someone spends the time befriending you at the local bar, and then asks you to show him what’s on your computer system or inside your house–you’ll happily bypass security for them by holding the front door open, or handing him your unlocked phone.
Social engineering was apparently used for most of the break-ins to get into Apple iCloud accounts–by determining the e-mail address of various celebrity accounts (stalking the neighborhood to see who lives where), and then following those celebrities around trying to guess their password (taking pictures of the people who live in the neighborhood hoping to get a glance of the key so one can be made from the photo).
This sort of thing happened over the course of years and wasn’t limited to just Apple’s neighborhood; Android and Windows Mobile devices were also hacked. And this was a sophisticated ring who had gathered stolen images over years.
In fact, the only place where the analogy breaks down is that until the leak this past weekend, we had no idea stuff had been stolen.
Does this mean we should start blaming Apple for building houses with front door windows whose drapes are sometimes left open, which can be opened with a single front door key? Should we demand Apple go back and board up the windows and put multiple locks on everyone’s door? Should Apple patrol the neighborhood and force people who leave patio furniture out in the back yard to bolt it down with bolts sunk in cement, or at least move them into the garage when not in use?
Should Apple go back and retrofit interior doors with automatically locking locks and automatically closing doors?
Or does this mean those who have more to protect should be more thoughtful about protecting their stuff?
Bringing it back to the computer model: should we all be forced to use two factor authentication to access our photos on the Cloud, with a password that may be forgotten and cannot be reset and a thumbprint reader that flakes out when the sensor gets dirty, just to protect the occasional picture I snap while hiking or the occasional selfie someone takes in front of a museum exhibit? All because a few starlets took naked pictures of themselves that they intended only for their boyfriends, pictures that then sat on a server behind an inadequate password, managed by a handler who scraped the naked photos off the phone without the starlet knowing?
After all, it was not my iCloud account that was targeted. And even if my photos happened to be scraped from iCloud–all you would see are bird photos and hiking photos and the occasional photo shot from an airplane: worthless crap to anyone who is not me or in my immediate circle of friends.
And while we’re on the topic, let’s talk “factors.”
All authentication (the part of access control that establishes that you are who you claim to be) boils down to three factors: something you are, something you know and something you have.
An ATM uses “two factor authentication”: it relies on you having an ATM card and knowing your PIN. Scanners that check “who you are” rely on some physical attribute: think fingerprint scanners, retina scanners, or hand-geometry devices that measure relative finger lengths.
The problem with always reaching for more “factors” is that it ignores the fact that some factors are strong and some are weak. A 4 digit PIN is a weak password: there are only 10,000 possibilities. As Mythbusters showed, fingerprint scanners are moderately weak. And the ready availability of card readers has made ATM cards weak: given that most ATM cards now double as debit cards, it would be easy for a waitress to run your card through a skimmer at a restaurant and duplicate the magnetic stripe with just a swipe.
Combining factors makes things stronger: combining a 4 digit PIN with your ATM card makes it safe to hand just your card to your waitress. A key fob which generates a cryptographically pseudo-random one-time code, combined with a relatively strong password, makes an even stronger security gateway. One place I knew which hosted servers required you to present an identity card, get through a palm scanner, and know an 8 digit PIN to enter the cage.
But all of this is worthless if the guard leaves the door open–which they did on occasion.
The point is two factor authentication is not a cure-all. Two factor authentication can make weak security (such as a 4 digit pin) stronger (by requiring a card as well), but it doesn’t save you from social engineering, such as asking a security guard to keep a door open as you bring in a bunch of boxes. Having a combination padlock on your front door along with a key-activated deadbolt doesn’t help if you leave your front door unlocked.
And worse, two factor authentication costs availability. Why availability matters is simple: the harder it is to get through the front door lock of your house, the less likely you are to lock the front door at all.
Perhaps the real lesson here is twofold. First, a dedicated burglar will break into your house if the incentive is high enough, regardless of the security checks: remember, while everyone is looking at Apple’s iCloud, other services were broken into as well: these photos came from a variety of sources, and iCloud was a common target only because it was the largest neighborhood.
So part of the problem is just a matter of keeping the drapes closed, so the burglars can’t see your expensive stereo and big-screen TV.
Second, it means you need to be a little bit aware of your neighborhood: if you have something important to secure, perhaps a little additional attention is in order. If you’re a young and beautiful starlet taking naked pictures of yourself, you may want to consider not putting those photos up on the Internet.
But then, most starlets who took these photos did not consider security at all–they did not consider these photos as having any value. And so even if Apple made two factor authentication dirt simple, passwords would have been set to “1234” and the option to double-encrypt the individual files would have been set to “no”. After all, it was just a fun nude photo between her and her boyfriend–no biggie. Right?
Because we don’t understand security: we think it’s okay to leave the front drapes open and the front doors unlocked, until someone breaks in, at which point we demand our houses be encased in cement.