Some thoughts on security

Digital security is a tricky subject: technology is constantly opening up new horizons that can be used licitly as well as illicitly, as a result of which we find many contradictions. On the one hand, illicit uses look for new areas to operate in and where they frequently generate new resources. On the other, as these areas are exploited, new ways are sought to avoid these illicit uses, and this process in turn brings further technological progress. Hacker ethic, an attitude towards exposing security weaknesses and make them public after giving the affected entities some time to fix them, have contributed greatly to information technology: punishing somebody for breaching a security system or code is a conceptual absurdity; thanks to their efforts, the system in question will be improved.

With this in mind, I would like to discuss the absurdity of attributing our problems to technology. Every technology has its security weaknesses, most of which can be easily avoided. The first thing the locksmith told me after he changed all the locks on my home last week was that however much money I might choose to spend on some sophisticated anti-burglary system, anybody with the right knowhow would be able to breach it without attracting too much attention.

But at the same time, if my home has what appears to be a relatively sophisticated anti-burglary system and my neighbor’s doesn’t, then human nature suggest that perhaps a burglar might choose my neighbor’s home rather than mine… unless of course the burglar assumes that my huge investment in securing my home points to the likelihood of many valuable goods within.

In the physical world, I am still surprised by the illogicalities of so-called security measures: a few days ago, I had to go several kilometers out of my way and spend several valuable hours of my time just to sign a document. Sign a document? What real security could really be provided by a signature, when anybody with a minimum of dexterity would easily able to copy it?

A recent article in Wired called “The app I used to break into my neighbor’s home” discusses a new generation of apps such as KeyMe, KeysDuplicated o Keysave, which all the user to take a series of photographs of a key, store them in a data base, and then request copies on demand, in some cases with the added convenience of doing so from automated sales points. Using one of these apps, the author of the article sneakily managed to take a few photographs of his neighbor’s keys, and then, a few hours later after making a copy and warning him, walked into his home.

If you think about it for a moment, keys are a pretty out of date security system. For example, any time we use a restaurant’s car-parking facility, we are as good as handing over our vehicle’s keys to be copied, along with access to our vehicle’s documents that reveal where we live, and in many cases to the card required to produce a copy of our car keys.

In the case of the digital world, which because it is a new environment where security protocols are still being established, our sense of insecurity is even greater. But are we really more at risk, or is this fear simply based on misperceptions? One of the characteristics of the internet is that everything we do is recorded in a log, which means that in many cases things can be more easily traced than in the physical world. There are obviously other factors at play: near-universal access to the internet makes pursuing a crime difficult, as does the fact that there is a decentralized and easily accessible market for stolen information. At the same time, technology’s rapid development means that new resources are constantly being developed, and with them, new weaknesses.

Bearing all this in mind, my impression is that while in the physical world we have come to accept certain risks, we are still to do the same in the digital world. In the physical world there are agents of the law and insurance companies, which are yet to manifest themselves online. Needless to say, this is a problem without a solution: in the physical world no system is completely inviolable, and the same applies to the internet; all we can do in both cases is try to reduce our exposure to risk. A key or a signature do not guarantee security, and neither does a password, or even a biometrics system if somebody is able to access the information being transmitted (with the added problem that we cannot change it once it has been intercepted).

Last week in class, I quizzed my students about the security levels of their passwords, and despite most of them being among the most technologically savvy one could hope to find, only four of them used some kind of password manager such as LastPass, and several of them admitted to “using the same password for everything”, even though some of these passwords could have been affected by previous security breaches on sites that they have already used.

In the final analysis, security is not so much a technological problem, but instead a human nature problem; we’re the cause of most risks. The fact that we read more and more about security issues on the internet more than we do about similar problems in the physical world is simply because those risks are still new, and thus newsworthy: although there is still news value in repeating new variations of time-honored stupidities.

(En español, aquí)