You see, the thing about humans is that we have a really short attention span, and really bad memories. It’s actually hard for me to remember a time before I had a phone that could effectively replace my entire computer in most situations. A phone that I could make video calls from any spot in the world, one that would let me log into our team’s IRC channel while on the floor of a major media event in any city and communicate with our whole staff. A device that was small enough to fit into the front pocket of my arguably-too-tight jeans that would let me connect and share my most important thoughts about developing news and world events — in real time! — with millions of people at once. A device that would underpin and enable modern social movements and political revolutions, generally shrink our sense of the size of humanity, and mesmerize and delight almost everyone who used it.
Joshua Topolsky, “Reasons to be excited”
Feudalism 2.0
Bruce Schneier has a clever piece discussing the contemporary model of ‘feudal security’, where users have committed themselves to differing lords of the Internet. As a taste:
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.
These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them — or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.
Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.
Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.
And it’s this model that’s starting to permeate computer security today.
The rest of the piece is just as sharp; I highly recommend reading it in full.
I need to create responses to the above security questions before I can purchase items through Apple’s digital stores. The problem: I actually don’t know the (legitimate/real) answers to any of the questions.
Admittedly, the best security procedure when a vendor asks authentication questions is to give garbage, unrelated responses. That said, it’s a bit insane that I have to do this for the questions Apple has provided. Now, is this a problem that most people can overcome? Of course. They just write in answers and (somewhere) they write down their responses. I actually could use 1Password for this, a terrific password and identity manager that I highly recommend. Still, I’m not going to bother. Purchasing the $20 piece of software just isn’t worth the effort for me: in effect, Apple has succeeded in dissuading me from making an impulse purchase. That’s really not great for the business of app developers (Apple, really, doesn’t care that much, given how little the App Store contributes to its overall yearly profits).
You might wonder why these questions are being asked. I suspect they’re largely in response to the Mat Honan hack. In short, a Wired reporter’s Apple, Amazon, Twitter, and Google accounts were compromised so that a third party could masquerade as Mat on Twitter. This led to a ridiculous level of criticism in the press concerning how Apple authenticated users’ identities. I have no doubt that these questions - again, pictured above - are largely meant to better authenticate users and thus avoid identity fraud.
The problem of authentication fraud can be devilishly hard for companies to address. In Apple’s case, there is no option for the user to write their own questions and responses. This might be seen as good security amongst ‘professionals’ - it prevents really, really crappy questions whose answers are easily found - but it creates an incredibly poor user experience. While writing down passwords isn’t the horrific nightmare scenario that some security analysts declare, expecting people to find those responses when they’re in trouble - such as when their accounts have been hacked - will meet mixed results at best. Further, given how other companies tend to follow Apple’s lead, it’s only a matter of time until more and more (less security conscious) companies adopt similar or identical security questions. Such adoption will erode whatever novelty Apple’s questions have: once the same questions are asked everywhere, a response leaked or phished from one vendor unlocks recovery at all of them, and the questions lose their capability to genuinely authenticate users’ identities. Consequently, such questions (in the short and long terms) will likely just leave customers frustrated.
Ultimately, this kind of authentication really is less than ideal; more nuanced and (to the user) transparent analytics that detect aberrant behaviour and then drive account recovery would be far, far superior to what Apple is presently rolling out. Hopefully it doesn’t take further authentication failures on Apple’s part for them to realize the error of their ways and correct it.
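The practice recommended above (answer fixed security questions with unrelated garbage and keep the answers in a password manager) and the weakness it works around (answers drawn from a small, publicly discoverable set) can be made concrete. The following is an added example, not code from the original post or from Apple or 1Password. It generates random word-based answers with Python’s `secrets` module, compares their entropy in bits against a “real” answer drawn from a small candidate set, and stores and checks the answers in a plain dictionary standing in for a password manager’s vault. The eight-word list is a constructed sample; the 7,776-word figure used in the usage note is the size of a standard diceware list and is assumed for illustration.

```python
import hmac
import math
import secrets

# Constructed sample word list; a real generator would use a list of
# thousands of words (a diceware list has 7,776).
WORDS = ["copper", "meadow", "falcon", "lantern",
         "quartz", "velvet", "harbor", "cinder"]


def random_answer(words: int = 4, wordlist=WORDS) -> str:
    """Return an unrelated, high-entropy answer for a fixed security question.

    secrets.choice draws from the OS CSPRNG, so each word carries
    log2(len(wordlist)) bits regardless of the question being asked.
    """
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def random_answer_bits(words: int, wordlist_size: int) -> float:
    """Entropy in bits of a random answer of `words` words from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def truthful_answer_bits(candidate_count: int) -> float:
    """Entropy in bits of a truthful answer when an attacker can enumerate
    `candidate_count` plausible values (e.g. common first names, pet names)."""
    return math.log2(candidate_count)


def store_answer(vault: dict, question: str, answer: str) -> None:
    """Record the garbage answer against its question (the 'password manager')."""
    vault[question] = answer


def verify_answer(vault: dict, question: str, supplied: str) -> bool:
    """Check a supplied answer in constant time to avoid leaking prefix matches."""
    stored = vault.get(question)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


if __name__ == "__main__":
    vault = {}
    question = "What was the name of your first pet?"
    answer = random_answer()
    store_answer(vault, question, answer)
    print(question, "->", answer)
    print("random, 4 words from 7,776:", round(random_answer_bits(4, 7776), 1), "bits")
    print("truthful, 50 likely pet names:", round(truthful_answer_bits(50), 1), "bits")
    print("verify:", verify_answer(vault, question, answer))
```

A four-word answer from a 7,776-word list carries about 51.7 bits, while a truthful answer that an attacker can narrow to 50 likely candidates carries under 6 bits; the question text never enters the calculation, which is exactly why unrelated answers hold up even when every vendor asks the same questions.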
iMessage and 'Secure' Communications
Matthew Green has a good piece that discusses some of the security concerns around iMessage. Specifically, he speaks to how, despite Apple’s assurances that it employs “secure end-to-end encryption,” the company still hasn’t properly explained how its keys are established or its encryption deployed. Green does a good job explaining these concerns for a very non-technical audience. Highly recommended, especially if you happen to be using iMessage.
I’m typing this post while connected to my Time Capsule router. You’d never know that from looking at the AirPort Utility, which can’t identify the router on the network. I never ran into this problem before updating to Snow Lion.
Fun aside: last night my MBP couldn’t find its backup images on the router. The ‘solution’ was to delete the existing image bundle on the Time Capsule - I could navigate to it in Finder - and then OS X could see the Time Capsule and back up to it.