
The Soylent Green of “Epic Hacks” – It’s Made of PEOPLE!

Allow me to immediately state that I am, in no way, attempting to blame or shame the victim in my editorial below.

However, the recent rash of commentary from security wonks on Twitter and blogs regarding who is to “blame” in Mat Honan’s unfortunate experience leaves me confused and misses an important point.

Firstly, the title of the oft-referenced article documenting the series of events is at the root of my discontent:

How Apple and Amazon Security Flaws Led to My Epic Hacking

As I tweeted, my assessment and suggestion for a title would be:

How my poor behavior led to my epic hacking & flawed trust models & bad luck w/Apple and Amazon assisted

…especially when coupled with what is clearly an admission by Mr. Honan, that he is, fundamentally, responsible for enabling the chained series of events that took place:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

The important passages highlighted above are obscured by the salacious title and by the bulk of the article, which focuses on the services he enabled and relied upon, however flawed certain components of that trust and process may have been, as if they were *really* at the center of the debate here.  Or ought to be.

There’s clearly a bit of emotional transference occurring.  It’s easier to associate causality with a faceless big corporate machine rather than swing the light toward the victim, even if he, himself, self-identifies.

Before you think I’m madly defending and/or suggesting that there weren’t breakdowns with any of the vendors — especially Apple — let me assure you I am not.  There are many things that can and should be addressed here, but leaving out the human element, the root of it all here, is dangerous.

I am concerned that as a community there is often an air of suggestion that consumers are incapable and inculpable with respect to understanding the risks associated with the clicky-clicky-connect syndrome that all of these interconnected services bring.

People give third party applications and services unfettered access to services like Twitter and Facebook every day — even when messages surrounding the potential incursion of privacy and security are clearly stated.

When something does fail — and it does and always will — we vilify the suppliers (sometimes rightfully so for poor practices) but we never really look at what we need to do to prevent having to see this again: “Those security lapses are my fault, and I deeply, deeply regret them.”

The more interconnected things become, the more dependent upon flawed trust models and the expectations that users aren’t responsible we shall be.
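The daisy chain in the quoted passage (Amazon into Apple ID into Gmail into Twitter) is a trust model you can actually draw and measure. The following is an added example, not code from the original post or from any of the vendors named: it treats account-recovery dependencies as a directed graph, computes how far a single compromised account propagates, and asks which single second factor would cut the chain most. The edge list follows the chain as Mr. Honan describes it; the mechanism behind each edge, the function names, and the simplification that a second factor removes all recovery edges into the protected account are this example's own assumptions.

```python
"""Model account-recovery dependencies as a directed graph and measure
how far a single compromised account can propagate.

Constructed example. The edges follow the chain described in the quoted
passage (Amazon -> Apple ID -> Gmail -> Twitter); the graph, the function
names and the way a second factor is modelled are assumptions of this
example, not facts about any vendor's recovery flow.
"""
from collections import deque

# RECOVERY_GRAPH[a] = accounts whose recovery flow can be satisfied by
# someone who already controls account `a` (or data obtainable from it).
RECOVERY_GRAPH = {
    "amazon": {"apple_id"},   # per the quote: getting into Amazon led to the Apple ID
    "apple_id": {"gmail"},    # per the quote: the Apple ID helped them get into Gmail
    "gmail": {"twitter"},     # per the quote: Gmail gave them access to Twitter
    "twitter": set(),
}


def reachable(graph, start):
    """Every account an attacker who controls `start` can go on to take over
    (transitive closure by breadth-first search), excluding `start` itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph):
    """Map each account to how many other accounts fall if it is compromised."""
    return {acct: len(reachable(graph, acct)) for acct in graph}


def with_second_factor(graph, protected):
    """Copy of the graph in which `protected` can no longer be recovered through
    another account alone. Modelled simply (assumption): every edge into
    `protected` is dropped. A real second factor only helps if the account
    recovery path honours it too; that is the assumption being made here."""
    return {acct: {t for t in targets if t != protected}
            for acct, targets in graph.items()}


def best_single_control(graph):
    """Which one account, given a second factor, shrinks the worst-case blast
    radius the most? Returns (account, remaining worst-case radius)."""
    best = None
    for candidate in graph:
        worst = max(blast_radius(with_second_factor(graph, candidate)).values())
        if best is None or worst < best[1]:
            best = (candidate, worst)
    return best


if __name__ == "__main__":
    print("blast radius per account:", blast_radius(RECOVERY_GRAPH))
    print("from amazon, attacker reaches:", sorted(reachable(RECOVERY_GRAPH, "amazon")))
    acct, left = best_single_control(RECOVERY_GRAPH)
    print(f"best single second factor: {acct} (worst-case radius drops to {left})")
```

Run as is, the model reports that Amazon alone leads to three further accounts, and that a second factor on Gmail is the single control that does the most to break the chain, which matches Mr. Honan's own assessment about two-factor on his Google account. The value of the exercise is less the toy result than the habit it builds: write down which account can reset which, and the weak link usually stands out before someone else finds it.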

This is the point I made in my presentations: Cloudifornication and Cloudinomicon.

There’s a lot of interesting discussion regarding the effectiveness of security awareness training.  Dave Aitel started a lively one here: “Why you shouldn’t train employees for security awareness”

It’s unfortunate that the only real way people learn is through misfortune, and any way you look at it, that’s the thing that drives awareness.

There are many lessons we can learn from Mr. Honan’s unfortunate experience…I urge you to focus less on assigning blame to one link in the chain and instead guide the people you can influence to reconsider decisions of convenience against the potential tradeoffs they incur.

/Hoff

P.S. For you youngsters who don’t get the Soylent Green reference, see here.  Better yet, watch it. It’s awesome. Charlton Heston, FTW.

P.P.S. (Check out the sentiment of all the articles below)

  1. August 7th, 2012 at 09:39 | #1

    Brilliant title.

    Though I thought that title would lead to a description of the human/process flows at the providers, how they enabled this and how little incentives vendors have to spend the resources to address them. And not on the human errors committed by the victim, which while real, are just a fact of life. 99% of people are less tech savvy than Mat Honan and will make worse mistakes than he did.

    This is unsolvable via technical-only means (the human/process factor prevents that) since you need something that is both safe and forgiving (when people forget/lose their credentials). And that it needs both technology, shared processes (not letting each vendor separately decide what information is sufficient to verify who you are) AND judicial enforcement.

    Mail delivery has the postal police. Currency has the secret service. Our ID mechanism needs a similar oversight to make the whole system robust.

  2. Darci
    August 10th, 2012 at 16:11 | #2

    Great post.

    When this story first emerged, I viewed Mat Honan as a typical consumer. Many of the practices that he engaged in are commonplace. This episode could have had effects with much more of an impact, had Honan not been able to call in favors and stop the attack from continuing. I was left wondering, “What if this wasn’t a journalist, but just an ordinary consumer?” Would we even know about it, and how far would the attacks have gone? Would Apple and Amazon be so quick to re-evaluate their internal policies if this happened to any other customer?

    I would disagree that people only learn through misfortune. I think people can learn if there is an effort to teach them. I spend quite a bit of time in an academic setting, and have many students ask me about best practices on the internet, when they learn of my background in security. I explain simple lessons like the ones learned by Honan, and many times it results in one less uneducated consumer on the web. I think that awareness training could be successful if we just focus on the basics, the low level stuff like social engineering and compartmentalizing information. From there, the next layer can be applied.

  3. August 10th, 2012 at 21:58 | #3

    this is exactly why it makes me nervous when retail stores give me a receipt with the last four of my credit card printed on it
