Okay, this may be "old man yells at cloud" territory, but being an Old on the Internet and watching technology develop over time sometimes means you notice the trivial things and wonder.
I most recently completed a few modules of our workplace's new-and-outsourced mandatory cybersecurity training. Which, for the most part, was fine for what it was. It appropriately put the focus on the idea that people are easier to hack than computers are, but apart from "treat anything that's unfamiliar as suspicious until you confirm it isn't," a few possible flags for what might be phishing or other attack vectors, and a request for a certain amount of social media discipline regarding what personal information you post, there weren't exactly a lot of practical steps on reducing your attack surface. Even one of the modules, hosted by someone who has done their fair share of hacking, pointed out and then demonstrated that there are weaknesses in the ways that calendars, e-mail, and other elements are displayed that make malicious things look legitimate, and that only by doing counter-intuitive things like hovering over links to see where they lead, looking at return addresses to see if they're correct, and really thinking hard about where a person is being asked to go on the Web can a person potentially determine whether or not they're being phished or otherwise attacked. And this is in combination with having listened to an episode about how good deepfakes can be of someone who has spoken aloud enough to have their voice used as a training corpus. Because I could easily see someone walking away from this training with the message of "the really crude ones will be easy to spot and delete, and the really sophisticated ones will be impossible to spot, so why are we doing this?" (And also, the bit in there about not posting about how much you dislike your work or about compromising things about your workplace to social media is...not that cut and dried.
Understandably, if you want to stay employed with your employer, there's going to be a certain amount of self-censorship or necessary anonymizing done if you're going to criticize them, and even more so if you're going to whistleblow on them, but it should never be a blanket "say nothing bad about your employer for security purposes.")
I think I did the modules in reverse order, though, starting with the top and going back, because the top modules made references to concepts and other elements that were present in lower modules, which is a UX fail in its entirety. If some things were supposed to be required or recommended before others, it behooves the environment that is offering the courses to signpost which order they are supposed to be done in. Even then, there were more than a few things in the "review" quizzes that made reference to things that had not been covered at all, either in that module or in previous modules. For example, in a quiz question about what constituted good passwords, there was a ticky indicating "using a password manager" as an option for what would make for good password practice, despite the fact that password managers had not been mentioned once before that point.
Despite that, there seemed to be a certain amount of in-the-past-ness about some of the modules. Like, the one that walked through what a good password might look like said "Type the first letters of this line of a popular song, [All-Star, in this case] then add a few numbers, then type out the name of an emoji" as a good password generation scheme, rather than using xkcd #936 ("Correct Horse Battery Staple") as a method for generating difficult-to-crack but easy-to-remember passwords (an objection says that your password manager is better than you at generating and remembering your passwords, and that the most important part should be not only limiting the number of passwords a person has to remember, but also hardening passwords against the likelihood that they've been used by someone else and are thus easier to crack. Which is less about the correctness of the battery horse staple and much more about the sheer number of passwords that are required at this point and the lack of ingenuity of people in generating and remembering them all. (Thus, the password manager doing the remembering for you.))
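To put rough numbers on the schemes above (song line plus digits plus emoji name, xkcd #936 word picking, and a manager-generated random string for comparison), here is an added Python example that is not part of the original post. The pool sizes it uses (100,000 recognizable song lines, about 2,000 emoji names, a 7,776-word list) are assumptions, and the short word list is constructed for the demo; only its size feeds the arithmetic.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style word list. A real list has about
# 7776 words; only the SIZE of the list matters for the entropy estimate.
WORDLIST = [
    "correct", "horse", "battery", "staple", "cloud", "yell", "module", "quiz",
    "phone", "root", "jailbreak", "waste", "vimes", "calendar", "alias", "vault",
]

# Assumed pool sizes for the "attacker knows the recipe" model. These are
# round-number assumptions, not measurements.
ASSUMED_SONG_LINES = 100_000   # recognizable lines of popular songs
ASSUMED_EMOJI_NAMES = 2_000    # distinct emoji names someone might type out
DICEWARE_LIST_SIZE = 7_776     # standard diceware / xkcd-style list size
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94


def entropy_bits(choices: int, picks: int = 1) -> float:
    """Entropy of `picks` independent, uniform draws from `choices` options.

    This is the guessing-resistance number that matters once the attacker
    knows which scheme was used and only has to enumerate the random parts.
    """
    if choices < 1 or picks < 0:
        raise ValueError("need at least one choice and a non-negative pick count")
    return picks * math.log2(choices)


def xkcd_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """xkcd #936 style: pick `count` words uniformly with a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def manager_password(length: int = 16, alphabet: str = PRINTABLE_ALPHABET) -> str:
    """What a password manager does: uniform random characters, no mnemonic."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def scheme_entropies(digits: int = 3) -> dict:
    """Estimated bits for each scheme, assuming the attacker knows the recipe.

    The song-line scheme is modelled as one choice of line, `digits` random
    decimal digits, and one choice of emoji name; all three pools are the
    assumptions declared above.
    """
    song_scheme = (
        entropy_bits(ASSUMED_SONG_LINES)
        + entropy_bits(10, digits)
        + entropy_bits(ASSUMED_EMOJI_NAMES)
    )
    return {
        "song line + digits + emoji": round(song_scheme, 1),
        "xkcd 4 words (7776-word list)": round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
        "manager 16 random printable chars": round(entropy_bits(len(PRINTABLE_ALPHABET), 16), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", xkcd_passphrase(WORDLIST))
    print("sample manager password:", manager_password())
    for scheme, bits in scheme_entropies().items():
        print(f"{scheme:36s} ~{bits} bits")
```

The point the numbers make is the one in the parenthetical: the mnemonic schemes are fine for the one password you must hold in your head (the vault password), and the manager's random strings are for everything else.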
There was one thing that I was aggravated by in the training, even as I know and fully understand the reason why it's there. One of the security recommendations for people and their mobile phones was "don't root or jailbreak your phone." Which, y'know, makes perfect sense, and also makes me wonder when exactly this particular guide was completed.
It's absolutely true that root access on Android used to require running specific exploits against security vulnerabilities present in the operating system so that a superuser state could be achieved. And for iProducts and Apple devices, that's still the thing that's needed to jailbreak them. So, yeah, anyone who wanted to root or jailbreak essentially needed to run a privilege escalation attack on their own device, which took advantage of an exploit or weakness in the security of the device. If you want to run homebrew on a game console, same thing. (I don't know enough about how the modern systemless root solutions like Magisk work to say whether they still require privilege escalation or whether they operate on an entirely different paradigm.) Security holes are bad, and companies don't want them existing in the wild, because arbitrary code execution is not good for the integrity of a device, and arbitrary code execution that uses a known vulnerable pathway, or that knows to look and see if superuser access is already available, makes things easier for malice to do what it does best. And if it's a device that has work secrets or is connecting to networks that have work secrets, having vulnerabilities and the like is not good for a corporation or other entity.
The flip side of this, however, is that most devices that we have in this space will outlast the support that their manufacturers and carriers will provide for them. At a certain point, Android and iOS stop supporting a particular device, usually by requiring specifications that are beyond what a particular device has. Long before that, however, most device manufacturers stop sending support and updates to the devices to make sure they are patched against known security vulnerabilities. I think most devices can expect maybe two years of support from their manufacturer, if that, and then there's no further support, leaving a person to have to decide between shelling out for a completely new device or continuing on with the device they have that is going to become increasingly obsolete, not because the circuits or technology on it is failing in any particular way, but because the "minimum requirements" for the operating systems and applications will slowly start going past the place where the device is able to keep up. [edit] Apple has been particularly vicious in the past about this planned obsolescence for their iProducts and computers, while simultaneously removing the market for used devices to circulate, because the minimum version of iOS needed to run any apps will be beyond what the device can do. [/edit] (There's no official documentation about how long Apple intends to keep supporting certain devices, but unofficial sources show closer to five or six years of support for iPhones starting at the 6S stage, as is suggested by an anonymous commenter whose claims I then researched. I wonder if this extended support has more to do with the general design and kit of the iPhone standardizing such that iOS can continue to be built for older models without having system requirements change that much, due to Apple being the only hardware manufacturer of iOS devices. It's the macOS/Windows situation all over again, just on mobile devices.)
Unsurprisingly, a lot of people are going to be caught in the Sam Vimes Theory of Economic Injustice when it comes to purchasing devices, even with trade-in discounts for devices that are relatively new, and device manufacturers make it very difficult for someone to buy and hold a particular device to last them through a long period with the assurance that they'll be able to keep getting updates from the manufacturer for the life of the device. Which, in turn, contributes to increased electronic waste and pollution generated from gathering the raw materials and manufacturing the devices themselves. (Yes, there is recycling of electronics and their components, certainly.)
Then there is the headache of transferring data and setup options to a new device, which rarely seems to be a complete transfer from one device to the next (although it is presumably getting better, so long as you stay within the same device manufacturer) and the further difficulty of having to adjust to a new device's form factor and size, which may very well be either too large or too small for the hands that intend to hold the device.
Which brings us back to the reasons why people would jailbreak or otherwise turn to their communities for support. Because there are lots of people who have perfectly functional devices that they have no intention of giving up on, but who do not want to run completely outdated software or an operating system version that is no longer being actively maintained. Despite meeting the system requirements for the new operating system. At which point it becomes a question of which security risks you want to take, the ones involved with having an operating system and applications that are old and potentially flawed, or the ones associated with having to trust that a maintaining community and additional software repositories are going to keep patching and releasing and won't introduce malicious applications into your devices (at least, no more malicious than whatever is already provided by your device manufacturer). So that you can, in fact, get the device to last as long as it can physically do so.
And the choice of whether to replace or turn to community support is, for the most part, entirely illegal under the DMCA, as doing such things is circumvention of digital locks meant to prevent someone from owning their device and using it for their own purposes. We don't get prosecuted for it because the Librarian of Congress has exempted the practice, but we certainly could be if that changes. (Insert rant here.)
So, yeah, old man yells at cloud, because the security program is saying sensible things for security reasons that conflict with other things that someone might do to improve the security of their devices on a different vector.
no subject
Date: 2020-09-10 09:05 pm (UTC)

The other big piece is principle of least access on the organizational side, such that one person getting phished doesn't bring down everything - only give people access to what they need to do their job, rather than 'everything'.
(I suspect the 'don't root your phone' bit is mostly about the fact that on a rooted device, apps can bypass all the OS security controls, and we can't convince people not to trust some random executable they found on Google.)
no subject
Date: 2020-09-10 11:48 pm (UTC)

Least access and using a manager are good recommendations to have, so long as your manager can work in all the places where you need access to those passwords. And that passwords generated by the manager fit the requirements of the entity the password is for, for which there are all sorts of hair-raising stories.
I get why not to root from a security perspective, it just also happens to trip my annoyance at planned obsolescence and the consumer treadmill that seems more interested in manufacturing the new rather than in having a product that is rock-solid and will last a long time...while somehow keeping it affordable enough for people to buy, rather than as something they have to save up for. Impossible contradictions, I know.
no subject
Date: 2020-09-11 12:35 am (UTC)

Yeah, it has the advantage of having a built-in mnemonic already, and is relatively easy to make decently long (just use more lines). I tend not to throw random punctuation at the end, and rather incorporate punctuation from whatever source I'm using (easy with quotes from books or plays, slightly harder with songs though sometimes I add implied commas between lines). I find LastPass at least is pretty good about giving options for what types of characters to include/what length to do, though with special characters sometimes you have to refresh a few times to get one if the website only lets you use some rather than the full set. PINs are harder though I usually use either fictional character birthdays or a date of a historical event not related to me that I will remember. My personal frustration is websites that won't let you auto-fill/copy&paste into the password field. Please don't make me have to swap back and forth between your site and my password manager as I try and accurately type my 16 character random password. Especially don't make me do it on mobile.
The joys of capitalism! And it does have security implications too, because abandoned devices won't get the latest security updates. The Android One program was designed to somewhat combat that (guaranteed two years of OS updates and three of security patches), though more years of security updates would be better. That said, I think there are fewer in-the-wild exploits of mobile devices and the bigger issue is smart devices/Internet of Things which typically are terribly secured to begin with and which are frequently abandoned rapidly.
(and now I'm curious if my first Android phone, which was the second commercially available model and thus is over ten years old, still boots/sees signals)
no subject
Date: 2020-09-11 01:38 am (UTC)

I mean, the ideal would be for people who are doing crime to be found and yote swiftly (once we figure out that it is crime, and not security research), but we have enough trouble with SWATting and the like for me to have any real hope that there won't always be a group of people who want to do crime for whatever reason.
(Aigh, having to manually type a random password.)
Yes, fun times with the Internet of Things, because very few manufacturers seem to have put the thought into whether their device is an easy entry point into a network or not, and seem to be a lot of something getting hacked together from what was available and then released without any thought of support, because they were hoping to get eaten by someone else who would make it their problem. All the same, I would still like to see longer device support, because the first phone I bought from the manufacturer, I bought with the idea of holding on to for five years or better, and that happened before the physical components failed, but even then, after two or three years, there would have to be a switch to a community maintained operating system to keep the device in updates. It's a sad kind of world where you need to use an exploit on a device to allow it to receive updates that would potentially close that exploit and others discovered in the meantime. Because a lot of mobile devices are engineered to work well past the point in time where they stop receiving updates.
One of my old phones that runs Cyanogenmod 7 boots fine and still runs it, and can connect to the wifi. Probably can't do much for app updating or anything like that, but it'll still browse and can connect to things like a PirateBox.
no subject
Date: 2020-09-11 12:46 am (UTC)

I do think the first letter of a phrase/lyric works out alright if you can remember the phrase (and it's long enough), but you still want to be careful about reusing it too much so mostly that and the multiple-word-password are best used as master passwords to your password manager that comes up with truly random ones for all your one-offs. When I was attempting to make do without a manager, I was patterning my password a lot to remember it in other sites (i.e. '$0meP4$sworD-SiteShorthand') and that wasn't good. The forced rotation momijizukamori mentioned has a similar issue of people often picking some sort of 'root' and then just alternating on some kind of pattern which is less secure than just picking a good password that doesn't have any similarities to previous passwords or passwords used elsewhere. But good luck getting corporate places not to enforce constant password changes.
Work made me swap from LastPass to 1Password, and I did find it interesting that 1Password offers an option to give you a memorable password giving you four less common words separated by hyphens as well as just jumbled letter-number-symbols. It seems like most password managers have some sort of ability to work on phones and most browsers these days, so access is less of an issue at least, but yeah can still be an issue too.
One thing that I recently found Firefox is offering that I'm curious if it'll catch on more is free email aliasing so you can easily pass a throwaway email out and monitor it and quickly dump the aliases that get compromised. It's not a new idea entirely, that +something alias trick has been around a while and Yahoo also used to allow limited aliasing, but this is completely disconnected from your actual email account so you could in theory never actually give out your real email which would make it more difficult to get email hacked.
no subject
Date: 2020-09-11 01:43 am (UTC)

Yeah, the problem of being human, of course, is the limited memory management space, and it becomes harder to create really unique things and remember them, the more accounts you have to deal with. Of course, then there's the problem of what happens when you forget the vault password...