So, I read this article recently. Have a read, the rest of this post is tangentially related at best.
So anyway this is maybe the first post on here that’s related to what I do for work. I’m a consultant for possibly the leading IT security company out there, in terms of network security. We do endpoint stuff as well that honestly seems pretty good, but I’ve no idea how we stack up to the competition in that regard. Anyway, this isn’t really about our products per se, I just wanted to give some context to it.
So, security as a culture thing. Most of you probably don’t immediately know what I’m talking about here, but it’s something that’s been talked about in the IT security field for years. Hands up who gets frustrated at the seemingly arbitrary rules that are in place around your IT stuff. Mandatory password changes, must have a number, something symbolic and a capital city somewhere in there. We’ll let you browse the ‘net at work, but we’re logging everything you do and you’re not allowed to access your webmail service. I guess you can look at facebook, but none of the games on there will work. Don’t even think about something like Dropbox. It’s frustrating, right? I mean, what’s the harm?
So it turns out there are actual reasons behind all this draconianism. A lot of it comes down to preventing data leakage. Sure, it seems that there’s no harm in emailing that spreadsheet home so you can keep working on it, right? I mean, it’s a good thing! You’re being productive! Unfortunately email is about as secure as a post card. Email is a system that lets your stuff pass through about as many places as a letter through the post office would, except that in this case your mail routes to your home via the US, or Iceland. Maybe both. The point is that there’s many people who can read that post card that you just sent with this year’s financial figures on it. Sure, chances are they won’t, but some things aren’t worth the risk. Especially now with things like data breach disclosure regulations coming in – companies will have to disclose to the public when they find out that the personal data they store has been exposed to the outside world (presuming they find out about it.. but that’s another thing.)
So why is this a culture thing? Because most of the time you try and do something convenient, it just fails. Let’s use the Dropbox example. When I first received my work laptop, I had a go at installing dropbox on there, because I wanted to access some personal stuff on there from time to time. I installed it, it said it finished installing, the little box icon appeared in the system tray… then disappeared. Huh.. check the start menu, add/remove programs, nope.. gone. First reaction is, of course, indignation. ‘What?! I’m The Security Professional! I can be trusted not to put anything work related on there! This is madness!’ No pimento, this is Sparta, and the same rules apply to everyone in the company. Sure, I’m fully across the implications of this stuff, but what about everyone else? This is a worldwide company, there’s a bunch of employees who aren’t here because they’re at all interested in security.
So, again, why is this a culture thing? It’s a culture thing because if at first you don’t succeed, try again. You try to load a webpage, it just fails. Internet Explorer cannot load the page. Try again, nope. ‘Stupid IT mooks couldn’t run a damn network if they… oh hang on, I can just tether this laptop to my phone and email this spreadsheet home! Excellent!’ Next day you email it back to yourself, the inbound mail filter picks it up and you have a meeting with HR. A more useful approach is when you try to go to gmail and a page pops up and states ‘Hey you can’t do this because it’s against corporate policy and you’d have an uncomfortable meeting with HR and hey, you know what, have a night off.’ It’s about changing the way people think about IT security and privacy.
Privacy? Why privacy? What does that have to do with security, I thought we were just avoiding that HR chat? Turns out that they’re two sides of the same coin. I have a job because IT security is mostly there to help corporations maintain the privacy of their data. (Our corporate slogan is magnificently backwards, but that’s another thing.) Basically put, anything that’s online is not private. Even more so, a lot of things that you put online are owned by the companies that gave you that space to put things up there. Facebook? You’re not a customer of facebook, you’re their product. They sell your interests and statistics and details in the form of targeted advertising. Google tracks where you browse and what you email about and what you search for and what you watch on youtube and tried to make a facebook alternative for even more data. Why? Ever more targeted advertising. Ever noticed that if you go browsing for some new glasses, the next few months you’ll have huge amounts of advertising anywhere you go trying to sell you glasses? Book a hotel in Hong Kong, see all sorts of ads for accommodation and things to do in Hong Kong.
This is all OK because.. because.. that’s how it is I guess? I mean, what’re you going to do about it? Sure, there are ways to block the ads on your PC which will have a genuine effect on these things. The first thing that it does is ruin a major source of income for people running little websites, be they webcomics, niche news outlets or free sources of recipes. Running a website properly costs time and money, and without advertising they’ll have to rely on t-shirt sales and subscriptions to survive. Many have tried, many have failed. I don’t have a better way for that.
I’m still failing to really address the point here. Part of that is because I’m not sure what my point really is. It’s one of those things that can go a bunch of ways. Capitalism! (it’s more lucrative to own people’s data than to not) (it’s cheaper to write crappy insecure software) (it’s cheaper to run an insecure network). Ignorance! (why the heck can’t I use dropbox this is shit) (why the heck do I have to change my stupid password again, I need another post-it note for my laptop to write it on) (what do you mean the NSA has access to all my emails, they’re on my computer, stupid) (the process says I do it this way, even though that vendor guy says it’s bad). Motivation! (I know this is dodgy, but who cares).
Really I guess it’s summed up by all the USB keys that the train guys in NSW auction off every year. When folk failed to be able to email things home, they chucked it on a USB key that then got left on a train, and bought in a bulk lot by.. someone. In one case it was some researchers who found an awful lot of private corporate data in the seats. It’s really not hard to encrypt a USB key to prevent that data from leaking out, but.. hey, that costs time/money! (Capitalism!) .. what? why would that matter? (Ignorance!) .. eh, fuck it, it’ll be fine. (Motivation!).
Ignorance about things leads into other things that’ve been going down lately. UKIP stuff in the UK. MRAs aligning with the NRA in the US. Political woes in Aus. All sorts of shitty things going on everywhere in the world, far more important than some corporate data on a USB stick, but pretty much all caused by ignorance, and the exploitation/celebration/reinforcement thereof.
Ignorance is a bastardly powerful thing. Manipulated ideas that circulate around ignorant folk lead to dangerously narrow-minded political policies, state promoted racism, and mass murder. I’m not going to get too deep into UKIP because I’m not super informed about it, nor MRAs because they disgust me, but I will urge you to seek all sides of an argument. Take your opinions and ask yourself why someone might disagree. Argue with yourself. If the only reason you’re right is because that’s just like, your opinion man, then you might need to really consider things a bit more here.
Conversely, next time you confront someone who says something hateful, don’t fire back with hate. 9/10 times they’re utterly ignorant about the situation, and just informing them that they’re a fuckwit and asking them to consider dying under a bus isn’t really helpful. Take it off twitter, go with something long form around the situation and gently inform them. Sure, it’s a lot of effort (Motivation!) but changing the world isn’t easy. If it were, we’d’ve sorted the place out by now. It’s also generally going to lead to a lot of failures individually. We’re all individuals. Even you. But we don’t have to act that way. Rocks of ignorance will resist a surge of information, but wave after wave of knowledge, gently flowing over time, will erode it away until it’s gone. Be the change you want, and don’t be cynical. Cynicism is boring.
To bastardise, everybody would be dancing if we’re doing it right. Everybody would be dancing if we’re feeling all right. But.. we ain’t.
The ending note of the article I linked to at the top there is basically ‘things are fucked, and it’s up to us to unfuck it’. The writer isn’t wrong there. I think you all know that. The question is.. are you going to get involved?