
A Trebuchet Defence in the Age of the Augmented Reality Cyberwarrior

Neil Schwartzman

I've been ruminating on this for a while, a follow-up that was a decade in the offing. My article Trench Warfare in the Age of The Laser-Guided Missile from January 2007 did pretty well in terms of views. Less so in terms of how well its ideas aged, but that's the nature of the beast. Everything gets worse and, simultaneously, better, and so here we are: using embarrassingly ancient approaches against next-generation threats. Plus ça change.

I'M OPTIMISTIC. I just got an Oculus Go, something as revolutionary as the iPhone: cheap, free of most constraints, and VR is a technology with an inherent emotional impact well beyond traditional channels. You are 'there', wherever you choose 'there' to be. The top of Everest. On the moon, watching Neil Armstrong take those steps. The steps. I wept. VR is a sensory ne plus ultra. If you haven't, you don't know.

Yes, there must be one.

BUT

Recently, I had the opportunity to work with the victim of a sophisticated credential theft attack with many parallels to phishing. Someone paid someone at a mobile carrier $50 to swap her cellphone SIM. He took her phone number. So much for two-factor authentication, at least the kind that depends on a text message or a call to that number.

He owned her life. He could own yours too. Just. Like. That. Nobody wants to talk about it, the popular press aren't interested and for $50 your life is gone. Poof.

It was eye-opening to walk through the process with this woman, trying to put her life back together, locking down valuable assets: her bank account, mortgage, pharmacy, medical and professional online accounts, and on and on through every detail of her existence.

After some hours spent on the phone, late at night for us both, she suddenly realized a sad truth and broke down crying. 'Am I safe?' she asked. She was alone, thousands of miles away. I had no way to know, no way to protect her from an attacker who had proven capable of severing a foundational lifeline, her phone and her identity, at will. So I lied, and told her she was absolutely safe, then stayed on the line until I fell asleep.

The impact on her life was disgraceful and profound; the incremental incursions so complex and intertwined that they go unappreciated until wrested from one's grip. Her Hotmail, Twitter, Gmail, Facebook, Snapchat and Instagram accounts were devilishly difficult to regain, despite my having highly placed colleagues in most of those security departments, to whom I made calls. The response to a victim would be embarrassing, if it existed. Nay, nothing more than a collective yawn was issued by all, save for the two companies from whom she had purchased connectivity and hardware. They let her call. They heard her voice, distraught, confused and angry. That is a price too dear according to the logic of the business plan that drives free services: free, too, of messy distraction, thanks to an outsourced firewall of web pages written in a friendly tone but unmistakably designed to make the customer, the user, go away, as quickly and as far as possible.

I've attended security conferences regularly since 1998, where we mutter self-reassurances, work hard on standards and papers and high-flying concepts that work, sometimes, and utter bon mots about cross-organizational initiatives that demand our presence and are always somewhere cool. "No, no, not my motivation, I swear, didn't you hear me just now? I was saying, braying really, that Business was sold out and at great personal sacrifice I flew here *economy plus*! The horror!" It is our wont to pay lip service to this standard or that, never missing a chance to virtue-signal about one's service to the community, without an inkling of how confusing it is to a normal human being that you cannot simply call a place and get your account back. What? Is she mad? No. Her login to countless ancillary services is based on a social media login. Which is tied to a compromised email. Which was switched to 2FA pointing at the attacker's burner phone. So, ya know, she really does need her account back, and photo ID and a bank letter aren't good enough for an overworked, outsourced staffer half a globe away and even further in terms of caring.

Online help? An obscene joke, so broken: submit documents, someone reviews them and denies a legitimate request with a curt 'no', a 'no' with no rationale, a 'no' after which follow-ups are ignored. It is clear that no one in authority has actually tried to use these processes recently. It looks good on paper, but let me tell you, it is a morass to rival the bogs of Scotland, so acutely byzantine it would be home to any self-respecting Minotaur. The experience suffered by users is so insanely frustrating one wishes to become that mythical beast, so as to sup on the innards of the middle-management dweebs who are bonused for its horrid, terrifying deployment and maintenance.

It was base abandonment and abjuration of the industry's responsibility to its customers. And don't give me that hooey about 'you are the product being sold' on some platforms. That is cynical, and to a degree true, but it does not absolve anyone of their fundamental responsibility to the users of a network or service.

Nor should you get me started on companies downsizing their abuse and security departments, so often that we in the security community begin all too many conversations with 'I know we are a cost center'. Talk about Stockholm Syndrome!

Stop apologizing for what we do. We are an essential service, tasked with protecting people from more threats than could possibly be imagined, let alone fathomed. It's so bad that I attribute anyone's continued use of 'the net' to collective insanity.

Sadly: Seriously. There are hosting providers and registrars who have pared staffing to the bone and beyond, discouraging good staff with arbitrary downsizing and promoting the dim and incompetent to put a handsome face on an ugly problem. At one of the largest and most threat-fraught services, word on the street is that their abuse ticketing queue dates back SIX MONTHS. Time to flush and start fresh, folks.

The Internet, once a trifling plaything, is now fully integrated into a vast number of people's lives, so disruptions have serious real-life consequences. Nascent technologies are democratized with blinding speed: a $70,000 4K screen cost less than $1,000 little over a year later; Virtual Reality went from thousands to hundreds in less time than that. But the rush forward is insanely blind, as IoT and Augmented Reality seem poised to make the two-week hellscape my friend endured, a typical ID theft in final measure, a tempest in the tiniest of teacups. Ransomware has already disrupted medical services. What happens when someone hacks the neural network of AR subscribers to a popular entertainment stream piped straight to an always-on subcutaneous implant receiver? Same as it ever was. Same as it ever was. We'll deal with security ... later.

Personally, I think we should tap the brakes (decidedly faster than the self-driving Uber), and make some decisions as to realistic but irrevocable expectations of this place we call home, this thing of ours. You don't get to freaking sell our personal information without our informed, express consent. The same kind of informed, express consent some of my gender apparently seem to think is optional, to their long-overdue peril, I am glad to say.

There is an often-justified skepticism of government, but by the same token, CASL, Canada's anti-spam law, and the EU's GDPR came about because of rampant, systemic abuse of fundamental human rights. Shame on those responsible. You acted like jerks, or failed to act, at the expense of us all. Breaches unspoken. Marketing based upon personal details we aren't even aware have been collected. Basic technologies left fallow so long that network time (NTP) and SSL needed emergency efforts to sustain them; a collapse of either would be a situation so dire it could not possibly be overstated. This exploitation is common to all humanity, but it is one with hens that will come home to roost without fail; besides which, they bought a trebuchet while on their last trip to Ibiza.

This interrelated network is not a simple marketing opportunity, despite what you've been told. We are here because of the humanity, the art, the jokes and the cat pictures. Those are what is precious and worth protecting. When I spoke face to face in a virtual room with a friend in another city last week, I felt something I hadn't in a long while, a familiar sensation.

It was first and best described by the great Arthur C. Clarke, in his 1962 book Profiles of the Future. Ironically, it sits in an essay entitled "Hazards of Prophecy: The Failure of Imagination", which I suppose is a charge that could fairly be levelled at this piece and its predecessor. (The third law itself was added to that essay in the 1973 revised edition.) I'm not innovative; I speak the obvious, nicely at times.

I am, of course, referring to the third law: Any sufficiently advanced technology is indistinguishable from magic.

My Oculus Go made me feel the way I did the first time I used NCSA Mosaic. Wonderment, and pure unbridled joy. We are a lovely race when we put our minds to it. See you at the bottom of the Mariana Trench!

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email (CAUCE)