I attended Black Hat USA a few weeks ago in Las Vegas*. I also spent some time at B-Sides LV and DEFCON. These were my first visits to all of them, and they were interesting experiences. There were some seriously clever people talking about some seriously complex things, some of which were way beyond my level of knowledge. There were also some seriously odd things and odd people**. There was one particular speaker who did a great job, and whose keynote made me think: Alex Stamos, CSO of Facebook.
The reason that I want to talk about Stamos’ talk is that I got a phone call a few minutes back from a member of my family. It was about his iCloud account, which he was having problems accessing. Now: I don’t use Apple products***, so I wasn’t able to help. But the background was the interesting point. I’d had a call last week ago from the same family member. He’s not … techno-savvy. You know the one I’m talking about: that family member. He was phoning me on last week in something of a fluster.
“I think I’ve just been got by a phishing email,” he started.
Now: this is a win. Somebody – whether me or the media – has got him to understand what a phishing email is. I’m not saying he could spell it correctly, mind you – or that he’s not going to get hit by one – but at least he knows.
“OK,” I said.
“It said that it was from Apple, and if I didn’t change my password within 72 hours, I’d lose all of my data,” he explained.
Ah, I thought, one of those.
“So I clicked on the link and changed my password. But I realised after about 5 minutes and changed it again,” he continued.
“Where did you change it that time?” I asked.
“On the Apple site.”
“apple.com?”
“Yes.”
“Then you’re probably OK.” I gave him some advice on things to check, and suggested ringing Apple and maybe his bank to let them know. I also gave him the Stern Talk[tm] that we’ve all given users – the one about never clicking through a link on an email, and always entering it by hand.***** He called me back a few hours later to tell me that the guy he’d spoken to at Apple had reassured him that his bank details weren’t in danger, and that a subsequent notification he’d got that someone was trying to use his account from an unidentified device was a good sign, because it meant that the extra layers of security that Apple had put in place were doing their job. He was significantly (and rightly) relieved.
“So what has this to do with Stamos’ keynote?” you’re probably asking. Well, Stamos talked about how many of the attacks and vulnerabilities that we worry about much of the time – zero days, privilege escalations, network segment isolation – make up the tiniest tip of the huge pyramid of security issues that affect our users. Most of the problems are around misuse of accounts or services. And most of the users in the world aren’t uberhackers or even script kiddies – they’re not even people like those in the audience****** – but people with sub-$100******* smartphones.
And he’s right. We need to think about these people, too. I’m not saying that we shouldn’t worry about all the complex and scary technical issues that we’re paid to understand, fix and mitigate. They are important, and if we don’t fix them, we’re in for a world of pain. But our jobs – what we get paid for – should also include thinking about the other people: people who Facebook and Apple make a great deal of money from, and who they quite rightly care about. The question is: do we, the rest of the industry? And how are we going to know that we’re thinking like a 68 year old woman in India or a 15 year old boy in Brazil? (Hint: part of the answer is around diversity in our industry.)
Apple didn’t do too bad a job, I think – though my family member is still struggling with the impact of the password reset. And the organisation I talked about in my previous post on the simple things we should do absolutely didn’t. So, from now on, I’m going to try to think a little harder about what impact the recommendations, architectures and designs I come up with might have on the “hidden users” – not the sysadmins, not the developers, not the expert users, but people like my family members. We need to think about security for them just as much as for security for people like us.
*weird place, right? And hot. Too hot.
**I walked out of one session at DEFCON after six minutes as it was getting more and more difficult to resist the temptation to approach the speaker at the podium and punch him on the nose.
***no, I’m not going to explain. I just don’t: let’s leave it at that for now, OK? I’m not judging you if you do.****
****of course I’m judging you. But you’ll be fine.
*****clearly whoever had explained about phishing attacks hadn’t done quite as good a job as I’d hoped.
******who, he seemed to assume, were mainly Good Guys & Gals[tm].
*******approximately sub-€85 or sub-£80 at time of going to press********: please substitute your favoured currency here and convert as required.
********I’m guessing around 0.0000000000000001 bitcoins. I don’t follow the conversion rate, to be brutally honest.
Alice, Eve and Bob - a security blog 
Hey Mike, great post and I completely agree but….there will inevitable be “that guy” (usually it’s a guy and being one I’m allowed to take swipes at people who look like me) who says that he just does not have bandwidth to worry about people who don’t actually impact his paycheck. To him I say: Worry about the little guy or gal! That person, even if you don’t actually care about them, will be the chink in the armor that let’s the slavering hordes through the city walls.
LikeLike
And, in the end, they probably _will_ impact on his paycheck. It may not be directly, but if you don’t think about it now…
LikeLike