Thu 21 Oct 2010
Poison Apple?
Posted by anaglyph under Gadgets, Hmmm..., In The News, Skeptical Thinking, Technology, Words
A few days ago in my post iPods Will Kill You! a couple of commenters thought I might be over-analyzing the current trend for the Fairfax media (among others) to be engaging in Apple-bashing. Naturally enough, my antennae have been quivering ever since, on the lookout for some further substantiation of my claim. Indeed, the ink was hardly dry on that post before Universal Head pointed out another instance in the Sydney Morning Herald the very next day.
And this morning, this, under the headline ‘Smart phone, pity criminals are proving even smarter’:
The story goes on to detail how the head of the ACC, John Lawler, ‘said’ at an Australian Institute of Criminology conference, that Apple’s iPhone was a veritable treasure trove of criminal opportunity.
Only thing is, if you read the article carefully, Mr Lawler is never quoted once as having said anything of the sort. He never specifically names the iPhone in any of his attributed quotes. He certainly mentions ‘personal communication devices’ and ‘instant services’ but these are catchall phrases that cover a lot of ground.
Now, I’m not saying that Mr Lawler didn’t actually mention the iPhone during his presentation, but there is no evidence of that in this article. The thing is, the piece is written in such a way that a casual reader could easily come away with the impression that he did.
Applying a little critical thinking to this story reveals it to be a wonderland of misdirection. Let me guide you through:
The global obsession with the iPhone…
The ‘obsession’ with the iPhone is no more an obsession than is the desire to own any other popular product. This so-called obsession is an invention of the media. People like their iPhones because they are useful and appealing. Why is that obsessive? Popularity doesn’t equal obsession, it just equals popularity. If anyone is obsessed with the iPhone, it’s the newspapers. They’re the ones obsessively telling us at every opportunity about how we’re obsessed with the iPhone.
This year Apple’s chief financial officer told a shareholder meeting that more than 70 Fortune 100 companies were either using or trying out iPhones, and it was rapidly replacing the BlackBerry as the must-have business phone.
This sentence follows quickly on the heels of Mr Lawler’s quote, deftly conflating the two paragraphs to give the inference that this was also said by him. The intention is obviously to imply to the reader that he also went on to say, in the next paragraph:
But unlike the BlackBerry and other smartphones, the iPhone does not allow a company’s IT staff to install and upgrade its own security software, leaving business networks at risk of penetration.
Whether or not these are Mr Lawler’s thoughts (and this is far from clear), a discerning person can only respond SO WHAT? The banality of this statement is profound on so many levels. How many people with BlackBerries have security software installed by their IT department? I’d wager next to none. And, even if they do, what the heck does that entail? Some password protection? You can do that on the iPhone. Encrypted files? You can do that on the iPhone. A kill switch? The iPhone has that. What we’re supposed to believe here is that IT departments are the be-all and end-all of security – a myth kept in circulation largely by IT departments. The ultimate security on any system has to do with user responsibility. If the IT departments of corporations are really concerned about security they would do well to spend less time trying to solve problems with tech fixes and instead devote some serious energy to teaching their users some basic computer hygiene. My iPhone is secure. You can’t get my data if you find and steal my phone. And if you did steal it, I would remotely kill it (if you hadn’t already done it yourself by attempting to circumvent the security). Does the ACC think this is impossible on an iPhone? I don’t believe they’re that naive.
And anyway, let’s say the contention is true. Do we really want to compare it to the security of the open-system Android, or the plethora of Nokias, Samsungs and Sonys out there? Or perhaps the new Windows 7 phone? (Windows – now there’s a secure and virus-free environment!) The fact is that, as popular as the iPhone is, it is still well and truly outnumbered by other brands. This being the case, rather than be concerned with the security-catastrophe-that-is-to-come when iPhones rule the planet, why is this story not about the security disaster that is already in place?
Mr Lawler also said the increasing ubiquity of the phone meant that criminals were finding more and more opportunities to use it to intrude, to steal and to defraud.
Well, DUH. I can’t even comment on this, except to say that once again this is not a direct quote from John Lawler. Why is the reporter giving us Mr Lawler’s non-specific-brand terms like ‘communications devices’ in direct first-person quotes and yet attributing anything about the iPhone at second hand? I’ll tell you exactly why – because if Mr Lawler didn’t single out the iPhone by name in his talk, it’s very easy for the reporter to say he intended ‘the phone’ in a much more general sense (as in ‘the mobile phone’). With that in mind, read that paragraph again and you’ll see what I mean. The English language is a sublimely slippery substance.
In fact, the next direct quote from John Lawler again mentions only ubiquitous technology:
“With the explosive uptake of personal communication devices there are certainly already opportunities that appeal to organised criminals,” said Mr Lawler.
That’s a sensible, if very general observation. Organised criminals use mobile phones! So do librarians.
Even the desire for the phone is creating a burgeoning black market, he said.
Yes, as has the desire for PS3s, Gucci handbags and cigarettes. Black markets spring up anywhere and everywhere that there is an item of value that can be produced without imprimatur and sold for less than a legitimate vendor’s prices. This is perhaps a point of interest, but hardly the stuff of news.
The most disturbing thing about this whole pile of non-news is that in the course of less than one day it’s been disseminated so widely that trying to search for any actual information about what John Lawler might really have said at the Institute of Criminology conference turns up only myriads of requoted versions of the Fairfax article. Pretty much all of them bandying around headlines like ‘iPhone Poses Threat to Security!’ Hundreds of dumb zines and tech blogs have just taken the Fairfax article completely at face value without an ounce of critical appraisal. Most of them quote the article word for word. Some of them get opinions from their own ‘experts’ expounding the crumminess of the iPhone’s security. Many of them plainly have vested interests or agendas. ((If you have time, go read some of the ones linked in the Google search. It is an astounding (and depressing) eye-opening example of uncritical re-mouthing of something that has low information and high titillation value.)) If this is not about trying to denigrate Apple products, then it has that sum effect anyway. Everyone who uncritically picked up this story did so because it felt good to put the boot in.
I would sincerely like to know what John Lawler said at that conference. Did he single out iPhones as promoting such a large and serious security problem? If so, what were his reasons, given that iPhones are no less secure than many other devices on the market? ((I’m not claiming that iPhones are the Fort Knox of mobile phones, by the way – just that as security risks go – as devices – they’re neither here nor there. They could be better, sure, but they are decent enough if you take the trouble to use their security features properly.)) Or did he, as I suspect, merely mention the iPhone as one of a growing number of mobile personal communication and computation devices that should take security more seriously?
I will continue to investigate this as I am able, but if anyone was at that conference, or has any more information, I’d love to hear from you.
7 Responses to “ Poison Apple? ”
The problem with ‘news’ like this is that it is what most people want to read in the first place. Fear mongering sells unfortunately.
As for IT departments being the end all of security, it ultimately depends on the end user. While quite a few people are able to manage the security on their phone (as the difficulty to do so drops with every generation of smart phone), there will always be the few who take their ignorance of technology as a badge of pride. Unfortunately, these are also the people who get their IT departments to set up their phones whilst trying their hardest to not learn anything about how to use them. In cases like this, having a fair bit more control over what they can and cannot do on their device would be welcome to the overworked IT staff who try to stop them from doing something stupid.
The biggest security issue with Iphones at the moment is the turnover, as with each new iteration people buy a new Iphone and sell/give the old one away without wiping their data from it first. Is it any wonder that people might consider that a security risk?
Hello Tim!
I sincerely believe you’re wrong about that. I think people will just as happily read well-written proper news if it’s given to them. This kind of journalism is just an easy (and lazy) option for newspapers. It’s the least amount of work they can do for the optimum result. It shows a cynical disrespect – enmity, even – for their readers. ‘Those dumb shits! Let’s give ’em pap – they’ll never know the difference!’
Ah, Tim – do I detect someone speaking from experience here? :-) I have to take exception to what you’re saying though. ‘Having control’ over what a user might or might not do on their device is not the greatest problem with security, nor, in my opinion, is it anywhere near a solution to security woes. You can put in place all the technical precautions you like but you’ll never defeat an idiot.
Whenever I talk to people in large organizations about these kinds of things as a general rule I am flabbergasted by their lack of knowledge in these matters. To give you an example, Violet Towne, my gorgeous wife, teaches at a large private school. The security at the school is mind-bogglingly screwed up. The IT department has virtually clamped the entire internet and intranet system down with the most inconvenient of strictures. Teachers struggle to get the most basic of tasks done, and must continually consult IT about all kinds of spurious and idiotic issues. All this in an effort to control student access to the web and other technology. Guess what – the students just adapt. They bring in their own wireless connections. They run proxies on school computers. They successfully guess or otherwise discover passwords on ‘protected’ machines. In short, the massive blocks put in place to give the appearance of security merely cause slight inconvenience to the kids, while seriously hindering the utility of the system for those who really need it.
In my opinion the problem here is not one of ‘IT’, it is a real-world one of basic education and policing.
It may well be that, as you say, the greatest problem with iPhones is that people don’t delete their data when they pass a phone on. But that is most definitely A: not a problem with the iPhone itself and B: not limited to iPhones. Blaming the issue on technology is convenient but not accurate. As I said in my post – the purview of an IT department should be more than just coding and wiring. At VT’s school basic level computer housekeeping is not taught ANYWHERE, by ANYONE. With the exception of self-taught users, everyone who uses a computer at VT’s school is just plugging away in the dark. How can anyone expect that this will not result in all kinds of nutty technical and security issues?
THAT shortcoming, in my opinion, is the biggest security issue we face with all these devices and systems.
Just to confirm about my school. One of the things that kids were supposed to be prevented from doing was play games. HA HA HA!
Plus the IPhone will molest your children
I agree with you that the iphone is being picked on by the media, both in terms of panning it, and hyping it.
I also agree that in this case they used a weaselly-specific interpretation of “communication devices” and that was somewhat shoddy reporting, to say the least.
But I think you maybe, as an iPhone owner, take your defensiveness a little TOO far here, into security woo-land. Or maybe, as a security guy, I’m being too defensive myself – you decide! :D
“Some password protection? You can do that on the iPhone. Encrypted files? You can do that on the iPhone. A kill switch? The iPhone has that.”
It’s pretty obvious that they mean “virus scanner”. You’re doing the same shoddy weaselly-interpretation thing that they did.
Even Symbian has virus scanners available for it. Do the iphone, and ipad? A quick Googling suggests not, but I may be wrong.
“What we’re supposed to believe here is that IT departments are the be-all and end-all of security – a myth kept in circulation largely by IT departments.”
Where’s that stated, as an exact quote? Or is that the weaselly-misinterpreting thing, again?
Even if it were an exact quote, though, I’d argue that within a company, IT depts know one heck of a lot more about security than middle management, who drag malware inside the firewall every day when they bring their laptop in, as well as their iphone, ipod, ipad, macbook, etc, all loaded with torrented crud that couldn’t possibly ever have any malware once they’ve been stored on an iphone, because OSX is made from anti-evil magic that whisks the malware away like fairy-woo.
Except, despite the woo security claims about OSX, it does have plenty of malware written for it: http://www.iantivirus.com/threats/
Now, antivirus authors WANT to protect iphone users, but they can’t (http://www.itpro.co.uk/618154/security-firms-cannot-protect-the-iphone-from-threats). Apple won’t LET them, because (it claims) there is no iphone malware out there. Except, obviously, there is (Ikee, Duh, etc). So what’s the real reason Apple doesn’t want a virus scanner? The conspiracy-theorist in me thinks maybe because it would mean admitting that there’s malware for the iphone, and that would hurt sales. But admittedly, the more reasonable security guy in me thinks that it may be because that would mean rewriting the OS to allow an app (the virus scanner) to look at other apps’ files, and that would be a really insecure thing to do, and they feel that it would cause more malware problems than it would fix.
“The ultimate security on any system has to do with user responsibility. If the IT departments of corporations are really concerned about security they would do well to spend less time trying to solve problems with tech fixes and instead devote some serious energy to teaching their users some basic computer hygiene.”
Security is a multi-layered thing. Sure, user education is a big part, and you do what you can, in an IT dept of three people in a 700 person company, where everyone ignores all reminder emails and so on from you, and no management is willing to OK any training time unless legally required by HASAWA.
But there will always be an idiot. And you’re right, you can’t defeat them. You can’t, because usually they will have a title like “IT director”, and will yell stuff like “I’m your superior, I know what I’m doing, of course I need administrator access to my laptop!” and then they take it home and play farmville at night and click the ads, and lend it to their kids, and…
Against these idiots, you can never have perfect protection: all you can do is have enough reasonable security layers. A reasonable security policy, reasonable virus scanners, and reasonable network monitoring. And unreasonably excellent disaster recovery procedures and backups, because it won’t be the idiots who get it in the neck and stay in all weekend for no overtime, when the shit they dragged in on their ipod hits the fans of the main server.
“My iPhone is secure. You can’t get my data if you find and steal my phone.”
Um. There was a brief period when this was true, and you may have posted during it, but another vulnerability was found. http://news.cnet.com/8301-13579_3-20020886-37.html Not the first vulnerability, won’t be the last, but it’s in the wild at the moment, and does what you claim to be impossible. As did the last one.
If you still feel that the iphone is secure, then try a little mental test (based on real-life events, though my clients are not musicians).
Musicians are visiting countries which are hostile to music. Underground musicians visiting this country, and their families, and their local contacts, have recently been arrested, detained indefinitely, beaten, tortured, and killed.
One of your current group takes their iPhone on the trip, and it has just been confiscated by the authorities. If it is insecure, then all their contacts will be “outed” by their address-book and incriminating photos: you need to recall them all immediately, before the authorities have time to apply forensics to the phone. If it’s secure, then they’re fine, and they can remain working under the hostile regime.
You are the man ultimately responsible for their security. Do you bring them back, and cancel the tour? Or look them in the eye and say “we’ll be fine”?
If you didn’t initiate a recall, and something like the above-linked exploit was released the following week – how do you defend your decision?
“Do we really want to compare it to the security of the open-system Android, or the plethora of Nokias, Samsungs and Sonys out there?”
Let’s. Not one of them is fully secure, and it is irresponsible to claim that they are, or that this is even a possibility. In fact, as the doubtless-badly-misquoted John Lawler seems to be pointing out in the talk, they are all gaping goatses of insecurity, that the security community has paid far too little attention to, and is currently playing catch-up as we find our security policies and firewalls useless in the face of the new threats.
Every smartphone has all the insecurities of thumb drives, and exponentially more because there’s an OS attached, along with a network and a list of contacts, so rather than just storing malware, they can run it and spread it too.
To me, it seems that Apple’s aggressive appstore-only install method makes it *massively* less susceptible to executing malware than most phones. Security-wise, it’s a brilliant system. But it’s not perfect, even against that specific category of self-executing malware – no security ever is perfect, and no checking of apps can be.
If you *still* feel your iPhone is secure… then I’m sure you have changed its ssh root password from Apple’s default, “alpine”. Right?
Haha. Dewey, that’s why I love you – you keep me on my toes.
Weirdly, this comment was intercepted as spam by Akismet, which is why it didn’t appear when you posted it. Unfortunately there doesn’t appear to be any way to Whitelist readers, so if you suspect a comment has been intercepted the best thing to do is post ‘Where’d my comment go?’
I agree with what you say for the most part, and I am totally aware that my iPhone is not the be all and end all of security. My point was, as you have understood, that an article on cell phone security problems should not centre exclusively on the iPhone. I’m sure a determined person could get information off my phone. As I am certain that a determined person could get information off my computer or most other phones or computers on the planet. But my point was, of course, that my phone is probably as secure as any phone administered by an IT department. Sure, I suppose there are some phones administered by some IT departments that are sophisticated enough to avoid Kremlin-level cracking, but for the most part I’d be prepared to wager that a mildly clever person could take any phone from any person at random and get personal information from it. IT instigated security notwithstanding.
The hypothetical you relate above is all well and good, but if you substitute ‘iPhone’ with ‘any mobile phone’, as the security advisor for my travelling musos my quandary would be identical. As I say, I’m not trying to say my iPhone is uncrackable, just capable of delivering security that is as good as most other phones. The article in the Age implies that John Lawler said at the IOC conference that this is not the case.