Security Through Simplicity

I recently stumbled upon a picture of myself from when I was 5 years old, sitting in front of my first computer – what would arguably be the catalyst that led me down the career path I am currently treading.

Like many do when confronted with reminders of our past, I thought back to what life was like then and how much has changed. It was immediately apparent – given that the oversized computer in this photo was much less powerful than the version currently nestled in my pocket – that times have changed on the technology front.

As with most things, for all of the advantages and conveniences that this astronomical leap in technology has brought us, there have also been disadvantages. For example, the increased convenience of banking and financial transactions created more opportunity for those wishing to move that money into their own pockets. With more complex systems and plugins that are all working separately to bring you a final product, a plethora of bugs and vulnerabilities have been introduced – if for no other reason than that people simply cannot keep up with the speed at which all of those different technologies evolve.

With more methods of communication came more attack vectors for criminals to plant viruses that use our resources, or outright steal information or cash (even if that cash is blockchain). And of course with the proliferation of smart technology into every aspect of our lives, criminals (at least according to current law as far as most courts seem to be concerned) aren’t the only ones that are interested in collecting and storing our intimate details…

Decreased security and privacy alone don’t make up the sum of the price we’ve paid for better, faster, and stronger technology. It has caught my attention that there seems to be a growing interest in reducing one’s daily distractions – at work, and in their daily life. I’ve read several articles offering advice on how to reduce distractions and “become more productive” (the irony of searching for such a thing while working is not lost on me). Some suggestions include analog improvements like “creating a quiet, distraction-free workspace” and “tackle one thing at a time”, while others target technology directly – suggesting that you “turn off or silent your cell phone,” “manage your use of email and social media,” or perhaps the most audacious advice I’ve seen: “switch off your WiFi connection” (gasp!).

All joking aside, I believe you’d be hard-pressed to find a job that truly doesn’t require an internet connection since that is a pretty unreasonable suggestion for someone looking to decrease distractions while also improving productivity.

[Image: emacs screenshot] Even my text editor was in the cloud until recently…

The Fart in Smart

I’ve seen article after post after article lamenting the fact that we seem to be virtually shackled to purchasing a “smart” TV, and for annoying-but-par-for-the-course reasons.

I found my smart TV often makes (incorrect) decisions on its own about types of input and how it should display them. Firing up Wireshark reveals that it sources a nonsensical network traffic jam of constant web requests for resources it already has and those that no longer exist.

The consensus, ignoring those that don’t seem to realize the implications of allowing a TV’s intelligence to go unchecked (have you seen Terminator!?), seems to be to either:

  • Disconnect it from the internet – and miss out on security/performance updates
  • Buy a projector – and have a big, white wall
  • Buy a “dumb” TV – but deal with the lower quality
  • Buy a commercial monitor – $$$

Personally, I hope there are some “dumb” TV options on the horizon. Alternatively, the OS that Samsung uses for its TVs (Tizen) is open source, and LG has followed suit with webOS, but it may be worth a perusal to see what corrections can be made (or maybe it’s not worth our time).

Fight Fire with Fire!

The Google search trends must be increasing on this topic – they seem to have created an ad for Android devices masquerading as Ph.D.-backed advice that focuses entirely on how to “minimize distractions.” I’m not sure which is the chicken and which is the egg in this case, but Big Brother is not the only company to put stock in the idea that focusing on the lack of distraction their product can offer is good for business. Other members of this decreasingly exclusive club include:

As I was searching for examples of these pro-productivity devices, I couldn’t help but find the idea of owning devices that are simpler, dumber, and serve fewer purposes attractive. In fact, as previously mentioned, many of the security woes we’ve faced over the years have been due to the sheer unmanageable scale of all the different software and plugins that are all running simultaneously, making the attack surface of our gadgets potentially gargantuan.

If the phone in our pocket only makes calls, then we don’t have to worry about all the other apps and processes of our current machines. If our TV isn’t constantly connected to the internet, then maybe we won’t have to worry about it running the other TV without us knowing. If your e-ink device doesn’t run JavaScript in its browser, then that nixes a lot of extra web requests.

The point is, if you like to manage your security on your own, you’re going to have a bad time with today’s electronics. It’s essentially a full-time job given that your attack surface is so great. But if you want to lessen that attack surface, then it may go a long way to start using devices that have a single purpose (or at least fewer purposes) in mind (must… not… draw parallel to functional programming). They also have the added benefit of not tracking you all the time.

I’m not naive enough to say that this is the answer we’ve all been searching for, but I will say that I (like many others) am often annoyed with the amount of stuff my devices are doing without my knowledge or consent. Adopting devices that are doing less is a step in the right direction for security, and for my peace of mind.

With less power… comes less responsibility?

Troy Kent

Threat Researcher