Wednesday 2 January 2008

Is it a Security Issue?

One of the Blogging Old Guard, Dave Winer, has been complaining vociferously about what he regards as a huge security issue for Apple.

My initial reaction was that he was out of line. The computing professional in me would say that if he relies heavily on any computing resource for his livelihood then he should have [a] frequent, reliable, tested and comprehensive backups of his data, [b] backup hardware that he can switch to on demand and [c] all of his sensitive data encrypted. He handed his drive over to Apple without ensuring that it was safe to do so, and that means the mistake was his.

On reflection, though, that attitude of mine reflects a fundamental problem with the overall approach to security that is endemic among "IT Professionals". It should be reasonable to expect that you can avail of a warranty repair or vendor-supplied service without worrying about who might end up with your credit card details, e-mail account access or (as in Dave's case) proprietary source code.

You can't, of course, and Dave's complaint is the sort of thing that needs to happen in order to make the various vendors involved (Apple, Microsoft, IBM, Dell and the rest).

With a little more reflection I am beginning to think that Dave doesn't go far enough. It seems to me that he just wants to get his old hard drive back so that he can dispose of it thoroughly and prevent anyone stealing something from it in the future. But he has already handed control of it over to Apple, so from a purist InfoSec perspective he has already lost the data, and that is the bit that needs to be fixed. He should be able to give a broken hard drive to anyone who might be able to fix it for him without worrying about losing control of who gets meaningful access to the data on it.

There is an opinion that Bitlocker [style] full disk encryption is the answer, but I'm not so sure it's either sufficient or necessary. I think there is a need for full disk encryption in some cases, but that an "un-mounted by default" secure store for "all things sensitive" is a better approach. That store would include user profiles (and cookies/passwords) for web browsers, cached credential stores for network resources, e-mail and web services, as well as the more typical sensitive documents like letters to your bank and so on. You can hack together moderately safe solutions for this today, but for normal consumers to benefit properly it would require some OS-level re-architecture work and new versions of critical applications that work with the new architecture. Even so, I see in this the foundations for a compelling approach to making "secure by default" a desirable Operating System feature for consumers and small businesses.