Finding The Hidden InfoSec Story


Photo Credit: Sigfrid Lundberg via Compfight cc
Photo Credit: Sigfrid Lundberg via Compfight cc

In the real world, we all have an idea of what good neighborhoods and bad neighborhoods look like. There are neighborhoods where anyone could walk outside in the middle of the night without fear for their safety. In other neighborhoods, you risk a mugging or worse every time you go into the street, even in the middle of the day. Most people avoid dangerous neighborhoods if they can. The most dangerous neighborhoods are usually the poor ones, where the economically disadvantaged find themselves, whether they like it or not.

Not all dangerous neighborhoods are the places where poor people live. The hills above Oakland, California are an example of an upper middle class neighborhood where home invasions are common. Just a short bus ride away, people live in the poverty of the flatlands and gang violence rules the streets. Other neighborhoods are dangerous only for a few, because of their race, their gender, or some other quality the local criminals use to choose their prey.

Some neighborhoods are neither particularly safe nor particularly dangerous in comparison to others in the same geographic area, but may present the simple threats of opportunistic crime. There are places in this world where you could safely leave your wallet on the table at a cafe while you go to the counter to pick up your order. In other places, your wallet would be gone before you had taken three steps. Sometimes, even in the safest of neighborhoods, a street faire can bring crowds where pickpockets busily clean as many people of their valuables as possible.

On the Internet, we have neighborhoods, too. They aren’t the sort of neighborhoods you walk through, but they have a geography, none the less. Unfortunately, I fear that these neighborhoods look a lot like the ones I’ve seen in developing countries where most of the people live with a constant level of danger while the wealthiest people live in gated communities and homes surrounded by both security and broken glass-topped fences and where large corporations hire armed guards to serve as a private security force on the premises.

Despite the fact that the biggest cyber security news lately has been about massive corporate breaches at retailers like Target and Neiman Marcus, I am not terribly worried about the long term safety of corporate networks. They have the money protect themselves, and will do so more and more as they face the escalating dangers of cybercrime. However, I worry that we are quickly rushing towards a world where the guarded castles of the few stand in stark contrast to the vulnerable existence of the vast majority of Internet users. Worst of all, the poorest and least educated are the most vulnerable of all.

In neighborhood terms, you can think of Starbucks WiFi as a street in the middle of one of the most dangerous cities in the world. You can think of your local library’s wall of Internet connected workstations as the local homeless shelter.* The corporate Internet is the walled castle village in an anachronistic twist of neighborhood dynamics.

It’s not just the location of your Internet connection that defines your neighborhood. Specific sites can provide some of those dynamics, too. Facebook is a gated community where you pay in personal data to get the right to share what you want with just the friends and family that you want to. Of course, since you are not actually paying with money, but being sold as a product to advertisers, this may be less of a neighborhood and more of a farm. That might be a slightly darker analogy than we’d like, but it might be true just the same.

A device can be part of the geography of your Internet experience, too. Unlocked iPhones offer some sense of security in that all the software you can put on them has been pre-approved by Apple. We commonly call this a walled garden, but in our analogy here, it’s more like a walled city with many more neighborhoods inside. Does the walled garden really create more security for those with iPhones? Will in the future? If it does, doesn’t that just add to the inequality of access to safe Internet tools?

How do we make sure that all of our Network neighborhoods are safe? That may actually be as impossible as making sure that all of our physical neighborhoods are safe. Some of the very methods used to secure neighborhoods rob them of freedom and others penalize innocent behaviors that fit chosen profiles. Any neighborhood secured with such a stranglehold — in the physical world or online –can be as dangerous to its inhabitants as the one that is uncontrolled.

I don’t offer answers here, just a reminder to all of us who build the software, systems and networks and attempt to make them safe: think about the kinds of neighborhoods you are building.

*Lest you think that I am maligning libraries in any way, let me assure you that I am not. Libraries are often the only place where the very poorest can get Internet access, and those users are subject to the sorts of threats that are easily accomplished on shared hardware.

Author: Lisha Sterling

Share This Post On