In Hindsight, the Internet Was a Mistake. And It’s All Your Fault.

Catelli 🚣🏻🚴🏻🏕
5 min read · Feb 23, 2023

Every hour of every day, somewhere, someone’s device is compromised by a computer virus of some sort. Some make the news when it compromises a large organization, the vast majority do not.

And we’ve accepted this as the normal state of affairs as we heedlessly accelerate the digital revolution of human society. And every time someone is compromised, it is the fault of the victim.

Back when I started my path into an IT career, I took computer studies at a local college. This was the dawn of the IBM PC clone era, the start of MS-DOS and Microsoft Windows as the dominant platform. My school had multiple computer labs. One lab was general use, available to any enrolled student in any post-secondary program. One lab was reserved for computer studies students. The general lab was a boot-sector virus infested nightmare. We “real computer users” knew better than to try to use it. How did viruses spread from computer to computer back then? By floppy disk. Insert a disk into an infected computer, the virus would replicate to the disk, and then would infect the next computer it was inserted into. It’s amazing how quickly viruses ran rampant before the Internet, even before wholesale computer networks.

We “real computer users” blamed the know-nothing computer illiterates for creating that mess. Looking back, that scenario was a warning sign that everyone missed. A warning of what was to come.

As the digital revolution has progressed into our perpetually online world, the ways and means by which a criminal can take over a computer, a network, an entire system have grown exponentially. Security counter-measures designed to keep us safe are overcome almost as quickly as they are devised.

The current flavour of protection is to “two factor authenticate” (or multi-factor authenticate) everything. Why? To protect yourself. If you don’t do it, your personal information can be compromised, and it will be your fault that it happened. If the multi-factor authentication you diligently set up gets compromised? It’s still your fault. Don’t worry, some other form of protection will be devised that you will be told to use instead.

This is the world we live in now. We have to protect ourselves, because no one will take responsibility to prevent these attacks from happening. Sure, arrests are made, and trumpeted as successes, but at a guess, that stops 0.005% of the ongoing attacks everyone is facing.

But the best we can do is never good enough.

There is a saying in the Information Security world. “It’s not a matter of ‘if’ you will be compromised, it’s ‘when’.” It’s inevitable. (That is often used as a launching pad to market a product to help mitigate the ‘when.’)

Everybody involved in InfoSec knows that it is inevitable. And we accept it. It’s our responsibility to protect and respond to that inevitable criminal act.

There is so much wrong with that paragraph, that I can’t express how wrong it feels. The effect of which is like having your brains smashed out with a slice of lemon wrapped round a large gold brick. I’ve been gargle-blasted.*

Where we are at now is similar to how we protect our homes from water damage. Many homes in Canada have basements that are finished living areas. But even in areas where overland flooding isn’t a threat, water penetration into the basement is still a concern from other groundwater sources. There are many techniques to keep water out, but there is one last resort measure. To install a French Drain inside the foundation. As a moat type perimeter defense on the interior of the home. Water penetrates the walls of the foundation, and drains into the French Drain which is then siphoned or pumped out. Any finished living areas are constructed inside the drain, inside the protection of the moat.

However, if a home-owner uses this technique, they may very well be unable to obtain water damage protection as part of their home insurance. Why? Because they have elected to let the water enter the home. The enemy is already inside the house, therefore it cannot be insured against.

This is where InfoSec is at now in our digital world. The enemy is already inside the house. Now we have to limit the damage that enemy can do. We’re building moats everywhere, but they keep getting breached. And the organizations we would assume would be there to help us say they cannot, because we let the enemy in. That’s our responsibility now.

The insanity of this is, every minute of every day, each of us has to be on guard against that ‘when’ our information is compromised. Be it directly, on a device we own, or indirectly through a service that we use. Like a bank, a book store, a one time purchase on a website. It’s our responsibility to guard against these threats, and it’s our fault if we fail. It’s an impossible responsibility, but it is there nonetheless.

Where is this “it’s our fault” coming from? As I’ve been describing above, all of our responses, all of our mitigations, all of our responsibilities for dealing with these threats are placed on the victim. And public commentary often follows saying that “they didn’t adequately protect themselves, this is what you should do so that it doesn’t happen to you.”

Very little emphasis is put on the criminals that have made the digital world the ongoing Internet of Shit that it is now.

The emphasis on “Two Factor Authentication” highlights the absurdity of all this. How? It requires you to have a smartphone. Yes, most people have one, because they want to. But it is a vast leap to assume a convenience for many is a requirement for all, and we are rapidly approaching the point in society that you are no longer allowed to participate if you do not have a smartphone. You cannot choose to opt out. We should be able to, but we’re not allowed. This is something I have experienced. I only have a “company phone.” I do not own (nor want) a personal smartphone, and if I try to refuse to provide my company number when asked for my “cell number” I am denied service. It’s a requirement to have a smartphone with an active associated number. They don’t care that it’s not “my” phone number, that it belongs to my employer, and if I leave my employment, I will give it back.

This is creeping into the workplace now too. Many of you have to use two-factor authentication to sign into work. And does it require you to use a personal device? Can you refuse to do that? Did it even occur to you that you should be able to refuse if the world made any sense at all?

Why is this a requirement? Why are we blurring the lines between the personal and the professional? Part of it is the assumption that the convenience of many is the requirement for all, but it’s also because we have normalized the acceptance of criminal behaviour. We have accepted that the enemy is already inside the gates, and we all have to work together to push them out. It’s our fault if we fail. And so we are forced to execute ever more complex actions to validate that we are who we say we are. We have to blur and meld our professional identities with our personal lives as part of the collective responsibility.

And we blithely accept that fact.

Maybe it is all our fault after all.

*Yes I know I flipped around the meaning of the best drink in existence. I stand by my appropriation of the description.
