Security in a Brave New World

You’re working in the hotel lobby of a conference, connected to a wireless hotspot, comfortably surfing the web. Email is open in one tab, your personal cloud storage in another. You’re logged in to your company portal, checking your paystubs. You hear a beep behind you. You turn, and find yourself face to face with a robot, a screen attached to its gangly body. Your first reaction is amusement, but your attention is soon drawn to the glassy display. Gibberish fills the screen, or at least what first appears to be gibberish. A sudden sense of unease creeps through your body as you recognize those strange symbols populating the display in front of you. It’s a complete list of your passwords.

That robot, Hackerbot, was created by Pablos Holman while he was investigating the security properties of wireless networks [1]. As it turns out, the security problems that plague our everyday interactions with technology go far beyond the scope that was hinted at by last week’s guest lecturer Steve Herrod, Managing Director of General Catalyst and ex-CTO of VMware.

In his talk at TEDxMidwest, Holman goes into gut-wrenching detail about the various exploits that can be executed with modern technology. In an age where, as Holman puts it, “your car is now a PC, your phone is also a PC, your toaster, if it is not a PC, soon will be” [1], attacks can come from any number of fronts. As much as we espouse the benefits of high-tech cars like Tesla, and the positive externalities that arise from having an Internet of Things, we also have to be cognizant of the security risks that inevitably follow.

One measure that was mentioned in Herrod’s lecture as a possible defense against attacks was stronger authentication practices, with specific reference to technology like voice recognition. Already, companies have started incorporating biometric authentication into their services and devices. If you own an iPhone, chances are you use Apple’s fingerprint recognition to unlock your phone. If you own a Windows laptop, chances are you use Windows Hello, a face-recognition software that replaces the need for a password, and is said to be so secure it can even detect differences between (almost) identical twins [2]. The examples do not stop there. Countries like Singapore use biometric passports to verify the identity of owners. Companies like Baidu are starting to work on face-recognition door locks for houses [3].

It is comforting to think that the field of security is marching seemingly in step with the rest of technology. As new exploits surface, we come up with new ways to protect against them. The challenge is to keep ourselves ahead of the attackers. This, however, is not a trivial task. Even software that is developed with non-malevolent intentions can often be used for nefarious purposes. Returning to the example of voice recognition, for instance, we could feasibly see the new advances in voice synthesis being used to fool such security mechanisms. Groups like Lyrebird [4] and Google’s WaveNet [5] are able to synthesize voices, even creating phrases that have not been uttered by the original speaker. While their results are far from perfect, they are a testament to how even biometric authentication is an imperfect solution.

Even if we are able to create security mechanisms that are robust against such attempts to fool the system, we are still not safe. In one of his lectures, Dan Boneh, a Professor of Computer Science and Electrical Engineering at Stanford, talked about the greatest problem in security, referencing this XKCD comic: https://xkcd.com/538/ [6]. Security experts all over the world are continuously trying to improve the state of security, but the truth is, these algorithms and high-tech solutions often fall apart at the weakest link: the user. We must not let advances in technology lull us into complacency. Security may not be a battle that can ever be fully won, but it is a battle that should continuously be fought.

[1] https://singjupost.com/top-hacker-shows-us-how-its-done-by-pablos-holman-full-transcript/
[2] http://www.businessinsider.com/windows-hello-twins-wins-recognition-2015-8
[3] https://www.fastcompany.com/3065778/baidu-says-new-face-recognition-can-replace-checking-ids-or-tickets
[4] https://lyrebird.ai/
[5] https://deepmind.com/blog/wavenet-generative-model-raw-audio/
[6] https://xkcd.com/538/


5 comments on “Security in a Brave New World”

  1. Great post, while Steve Herrod claimed he would use a portion of his presentation to scare us I got the feeling he could have gone much further had he thought it prudent. I looked into his claims about internet routers a bit and found some disturbing results just as he promised.

    The pervasiveness of computing in our lives, brought on by 5G and the IOT certainly seems to have a downside when you look at the impact malicious hackers already have on our lives and how that seems set to increase exponentially with the number of connected devices. An unfortunate consequence of all this additional exposure and subsequent security measures seems to be that it often comes at the expense of our privacy, the impact of these probes and violations I don’t think have yet to be realized.

    I agree that there will constantly be a “battle”, and I too have found evidence that users are often the weakest link of even the most thoughtful and theoretically secure software and practices. I have been in meetings where hired firms have presented that they stole highly secure, confidential information simply by tossing unmarked USB sticks containing malware over fences into company parking lots to be picked up and plugged in by curious employees … (true story).

  2. Great post Aaron! It’s a scary reality that we are becoming so exposed to these risks, and in particular because these days some people still have the same password for every account! I am interested in the way that you described keeping ahead of the attackers. This is an important distinction that many people do not realise. It is unrealistic to suggest that we can stamp out threats by going on the offensive, and preventing them from happening at all, and far more realistic to accept that the threats are always going to be there and that we must keep ahead of them. What concerns me is that the security of, say, a ‘smart fridge’ is unlikely to be taken very seriously by the user (or even the manufacturer!), with little consideration given to the threats posed by its connectivity. As was discussed in last week’s talks, we should be focusing on damage limitation once an attacker gets into a system, rather than just a perimeter firewall, as the increasing complexity of systems means that we are becoming more exposed.

  3. I agree with you that though security advances keep continuously increasing, it at the end depends on people’s willingness to rely on the efficiency of the security provided to them. At the end, the great majority of the population that is connected to the internet often have no idea of the potential threats that they are exposed to, and of the high level of advancement that hackers possess.
    It, therefore, is the duty of the providers to enforce a good amount of security and protection for its customers. Internet users must also be informed about potential threats, and to be more cautious regarding the possible risk that they might face.

    1. Aaron, thank you for a great piece! Kelvin, I think you touch upon a very important aspect when pointing out that security often depends on “people’s willingness to rely on the efficiency of the security provided to them.” Unfortunately, I believe that even many users that are informed about at least some of the threats are ignorant about the issues. F-Secure, a Finnish cyber security company, has put a lot of effort into pushing people to view online privacy as “physical privacy.” For instance, at Slush 2014 (Europe’s leading startup conference) they taped all the toilets with huge stickers of barely censored naked people and the tagline: “You’re naked on public WIFI, put your clothes back on.” (you can see a picture of some of the stickers here: http://arcticstartup.com/article/will-you-be-remembered-after-slush/). They’ve also brought in a small glass cube where people have lived for the duration of a conference in order to highlight the discomfort of physical surveillance. I think many people, myself included, still view being naked in public as much more uncomfortable than using public WIFI, even though the risks of public WIFI are arguably much, much higher.
