Mr. Fart’s Favorite Colors (medium.com/blakeross)
362 points by philfreo on March 5, 2016 | 66 comments



I've run into the programmer vs normal person difference in thinking quite often with regard to customer support calls.

Occasionally I will be called by someone from some company or government department because they want to notify me of something. Let's say, for example, I forgot to pay my insurance bill.

At some point in the call they will ask me "I just need to verify your identity with some security questions." and ask me for something like my date of birth or my home address.

The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."

I'm always met with complete incredulity at this concept. About 50% of callers don't understand at all what I'm trying to get at. Most of the rest just don't have any idea how to continue.

What I tell them at this point is that the correct way to handle this is that they need to give me an extension number for them personally and I will find the external number of their company/dept myself on their website and then call them back.

Unfortunately a lot of these callers either can't (due to not having a personal extension number) or won't (it's off protocol I guess?).

The problem is, I feel like an asshole for taking a stand on things like this ("Why is this guy trying to make my job difficult"), but more people need to understand that it's all too easy to be socially engineered!


> At some point in the call they will ask me "I just need to verify your identity with some security questions." and ask me for something like my date of birth or my home address.

> The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."

This ties in with a scam in the UK that exploits a feature / bug of the POTS.

The scammer calls, and claims to be from your bank, and that you've been the victim of crime, and that they need to sort it out.

Some people express doubt about the validity of the caller.

The scammer says something like "Have a look on the Internet at your bank's phone number, and give them a call, and ask for Mr Jones in the Fraud Response Unit on extension 537. I'll hang up while you look. But it's really important that you do this quickly, to prevent more of your money being stolen".

The person being called hangs up the phone, but the scammer does not. Since the scammer initiated the phone call they're keeping that line open.

When the victim picks up their phone to make a call the scammer plays a fake dial tone while the victim "dials a number". An assistant of the scammer then pretends to be a bank phone answerer and connects the victim back to the scammer.

This little bit of social engineering appears to be very strong. There are stories of people who were initially suspicious, but who then lost all suspicion because of this trick, and who lost tens of thousands of pounds.

And since the victim handed out the money the banks tend to refuse to give the money back. The victims really lose real money. It's very sad.


> The person being called hangs up the phone, but the scammer does not. Since the scammer initiated the phone call they're keeping that line open.

Is that some UK-specific thing? Because in Moscow hanging up the phone breaks connection at any side. Pretty sure that it was this way since Soviet times.

Of course scammers can easily physically connect to your wire so analogue connections are totally insecure for communicating with bank anyway.


I've had this happen in the US, but only if the phone is picked up again within 1-2 seconds. Presumably there's a timeout somewhere (whether deliberately implemented or as a side effect of reactance on the network) that can be different in different systems.


I think it's UK specific. I've heard people in the US say it doesn't happen for them.


This has some nice elucidation of what is happening:

http://security.stackexchange.com/questions/100268/does-hang...

It's a tradition!


As an old person my memory is that this phenomenon used to be relatively commonplace in the US as well, and I remember people abusing it to make prank calls and the like. Not sure if I've thought about it since the 80's.


That's terrifying. How do you protect yourself from that? I'm not familiar enough with my bank's phone tree to distinguish the real one.


You use a mobile phone, another line, or walk to the bank. Other than that one must ask himself, what type of crime? Why does my bank's website show none of it? Is it related to any of my cards missing? Why is the bank contacting me and not the card issuer (VISA, etc)?

I must guess this kind of primitive social engineering can work around 1 out of 100 cases and still be practical. As far as I've seen though the real threat is phishing. Really easy to set up and for most people it works.

Just the other day I was playing around an unprotected server of a phisher that had just sent me an email and there were plenty of people that had fallen for their trick. It could be seen on a text file where they were lousily saving all these details. Scary stuff.

Two factor authentication and even one-time cards (some banks issue this) can protect from this; but as always people that worry about security are already secure. It's the unaware that will fall for the trick.


One way, if you're suspicious, is to dial some # you know is NOT the bank, and see if they answer as the bank.

But in the heat of the moment we often forget these sorts of things; I got a scam voice mail allegedly from the US Internal Revenue Service (IRS) saying I owed money and was about to get sued.

I KNEW it wasn't legit; I KNEW it was a scam, but I still had that adrenaline surge and a desire to clear it the hell up, right now, using the method they wanted me to use. Which of course would have cost me a lot of money. My cooler head prevailed thankfully, but the fact my emotions rose so high, so quickly, scared me. Still does.


Here's a recording of someone falling victim to this crime: http://www.bbc.co.uk/news/business-34153962

The related audio and video on this link show the extent of, and distress caused by, this scam: http://www.bbc.co.uk/news/uk-34660329

18 pensioners, £600,000 (roughly $45,000 each): http://www.bbc.co.uk/news/uk-35064360


Well, if something similar happened, you could just call a different number from your bank and see if you still get connected. That would be a bad sign ;)


In my opinion, the best possible demonstration of this lack of security mindset is the time I was repeatedly contacted by some sort of bill-paying service explaining that my credit card details were out of date and the bill to "my" Montana-based electrical utility was overdue. It was clear that someone had accidentally signed up for this bill paying service and gave my email address by accident. After the third notice when they mentioned that my electricity was likely to be cut off, I decided I should call and let them know about the mistake so they could try other methods of contacting their customer. The customer service person said no problem, just give me the social security number associated with the account and she'd be able to assist me. I explained that it wasn't my account, and that was the problem. I didn't have the social security number. Faced with this obstacle, she thought for a moment and said, "ok, well to verify that, just give me your social security number and I'll check that it's not the number on the account." I tried to explain the flaw in her reasoning for a while and eventually just made up a social security number so I could fail her test.


Or they call and ask for someone but won't say a company or name, because DATA PROTECTION.

"Hello is XXX there?" "Who is calling?" "I can give out that information" "Mrs XXX here." "I am going to need you to verify your identity." "BUT YOU CALLED ME !@*!"

Companies need to actively distinguish their communications from SPAM, SLAM & phishing attempts.


> I've run into the programmer vs normal person difference in thinking quite often

As a programmer I can't understand how we are more secure by bunching people into large tight groups in security lines to protect people on the other side of security lines.

If terrorists want to kill the traveling public, one grenade and a few guns could take out dozens if not hundreds of people in a security line. And it requires no security to reach it. It really just seems a textbook case of security theater to me.


That's because there is no real threat and it's all theater. In a place where there are real threats, like in Israel, they have security layers with multiple checkpoints and they understand that a bunch of people in a group is a target.


I am from Brazil, and phone-based scams are VERY common... after my parents fell in two different ones, they started to always answer the question "Who is it?" when someone called, with the reply: "Who you want to reach?"

Some people DO get very pissed off, but it was never someone worth interacting with in the first place, so...


Just so we understand, your parents would answer the phone, say "hello", and the person who placed the call would then say "who is this?", really? That seems quite rude to me. We don't carry phones for the purpose of sudden challenges to our identity! I have gotten that sort of "who is this?" call before, but I just hung up.


I think he is saying that his parents are responding with "Who do you want to reach" when prompted with "Who is this?". If you call a home phone and someone responds with "Hello" then it can be quite difficult to guess who you reached.

Also, it's probably more "Hi, this is Mr XXX, who am I talking to?".


The caller should be saying, "Hello, this is X, may I talk to Y?"


Could just be lost in translation. You'd never hear that in the US, but you might hear "Hi, this is James from Chase Bank, may I ask who I'm speaking with?" which is the same question asked politely.


For US residents, date of birth-name and home address-name pairings are not really sensitive information. There are multiple databases that can be used to access them (often along with SSNs).

Maybe they should be, but they clearly are not.


I had a text from my bank due to some fraudulent transaction. It asked me to reply if the transaction was legit so I called them up. They couldn't understand why I didn't want to start a conversation about my account with a number I didn't recognise.

They said "if the text says it's from us it definitely is". I was not overly impressed by this.


I would advise you to get a smarter bank. Imagine the kind of internal security that attitude gets them.


[deleted]


Heh. Here in Australia, not all of the salespeople are willing to breeze through required info, solely because some staff have been charged with fraud or held liable for fraud. I know of one person who had to pay back $500k worth of fraud from the dodgy cell-phone retail stores he ran. A crook through and through, and god am I glad he got busted.


I think this is a fantastic article - and I thought it was genuinely funny, but my sense of humor is about 80% butt jokes so I think that's just an unusual alignment of my taste with the author's ;).

Now, allow me to take this article about irreducible complexity and reduce its complexity: the question is not even about which shade of security gray to go with. It's an ongoing psychological battle between security and security theater, which is an unrelated set of activities that is almost, but not entirely, exactly unlike actual security.

Security theater operates on the level of what feels right, instead of what is logically right. That makes it powerful. It offers an appearance and feeling of safety, and there's value in that. Of course, if you ask someone "do you want a phone that feels safe or is actually safe," they'll pick the latter, but actually, they want and need both.

That's the problem with this issue. The general public doesn't feel the difference between these two domains clearly enough to know how dangerous the government's plan for the iPhone is - they don't understand that it shifts the balance wholly from security to security theater, when what you actually want is a blend of both. You need The Great Tagliatelle and the locked cockpit door. You need laminated paper and you need to have pilots with secret codes. Without security, an iPhone will still FEEL safe - it just won't be.

The problem is, feeling safe is good enough for most. That's why we mostly have metal locks and not giant flaming Doberman-launching turrets on our lawns. Until the public gets the need for a balance, this debate will go nowhere fast, and the government - who is very used to getting its way - will skillfully play on our desire to feel safe in order to get what it needs.


It is really surprising the amount of paranoia and thought that goes into software security compared to pretty much everything else. A driver's license is mostly a laminated piece of paper with some holograms. Social security numbers are 9 digit passwords you share over and over again that can't really be changed.

I was recently asked to sign a receipt at a store when I'd used Apple Pay. My phone uses a fingerprint reader to authorize a one-time-use token for payment that's transmitted in a cryptographically secure way. But that signature - that's the real unfakeable proof.


The signature is used to help convict criminals.

It's a small part of a package of evidence that proves intent to deceive. If I use someone else's credit card I can lie and say it was an accident. If I use someone else's credit card and sign their name, not my name, on the slip, it's harder for me to make the same lie.


With the touchpads that most credit card readers use, it's pretty hard to get a signature that looks like anything beyond random seismometer readings.


I always sign my real name, or sometimes a smiley face drawing when I am using other people's credit cards (with their permission!) No cashier has called me on it yet.


Almost certainly the person who owns the credit card is contractually bound such that they can't legally give you permission to use it; you don't have permission because the bank owns it and is the only entity able to give you such permission.


Legally speaking, perhaps. I still like to ask permission before using other people's funds though.


Signatures on credit cards are an interesting artifact. Planet Money did a nice podcast on signatures a year or two ago: http://www.npr.org/sections/money/2014/08/29/344034815/episo...

Apparently signatures are still used as a method of determining liability for fraudulent charges, who knew?


In the UK at least, receipts often are contracts and often have one or two terms on them. The signing is to prove you acknowledge the contract.


I'm in the UK, have worked frontline and back office retail and never seen this. Could you give an example?


i.e. you go into a car park and upon buying the ticket they make you sign it because on the ticket they have written 'We are not responsible if your car or anything within it gets stolen or damaged.'

This term is onerous and as such needs to be agreed to, which the signature does.


The purpose of the signature is to establish legal solemnity, not identity or authority. It's why you can sign with just an X, and why really important contracts still need to be notarized (which does establish identity).


You can relatively easily add credit cards to Apple Pay that don't belong to you.


The anecdote about the airline industry in the US is half-correct. It's true that cockpit protocol didn't change after the German crash, but that's because the airlines in the US already have a better version than the German one. When a pilot leaves the cockpit to drop a grenade, a flight attendant must enter the cockpit to sit with the remaining pilot until the bomber returns.

While this doesn't protect against a completely insane pilot (he/she could kill the flight attendant), it does eliminate scenarios where the cockpit only has one person present.


Yeah, I'm aware of this. But I don't think this prevents the Germanwings outcome (which was, indeed, orchestrated by the "completely insane pilot" you mention).

The person plotting to commandeer the cockpit always has the upper hand, because they'll be the first to act. It's hard to defend against a sucker punch or a knife from first-class.

You could even argue that the two-in-the-cockpit rule is less secure, because it introduces one additional person who could pull off a Germanwings scenario into the impenetrable control room. This is the same concern raised by the pilot quoted in this article (http://www.smh.com.au/business/aviation/germanwings-australi...):

"It exposes the cockpit to more security risks than the isolated case of a homicidal pilot," he said. "I think flight crew are a better judge of fellow pilots' mental state. Now I have to judge the cabin crew member's mental state too before leaving them in the cockpit with access to things like the crash axe."

Originally I had a long aside in the article to deal with this point, but I axed it because I don't think it changes the core argument. Unfortunately Medium seems to have removed footnoting capabilities. But it's still a valid note. Thanks.


I'm not sure this guy was insane so much as severely depressed. He did kill a plane full of people but it was a much more passive act than having to swing an ax at someone else in close quarters. Why do you think he waited for the other pilot to go to the crapper?

Also, the argument about now having to judge other cabin crew members' mental state falls a little flat since the pilot that left the cockpit clearly wasn't even able to judge the guy he was with. It's sort of like arguing that now you have to read two minds instead of one.


He was seeing a number of psychiatrists, and 41 doctors total, in part because he thought he was going blind and that the blindness would destroy his career. But doctors thought that problem was psychosomatic (http://www.bloomberg.com/news/articles/2015-03-27/germanwing...).

I'm not a psychologist though, so not qualified to weigh in on questions of sanity. For the same reason, I also agree with your point about crew judging each other's mental states. The part that resonated with me was more that there's now one more person in the cockpit who could potentially pull this off.

The fact that he waited for the pilot to leave doesn't prove that he wasn't prepared to pull off the same attack if the pilot didn't leave. He'd still choose to do it this way given the option. We'll never know, but regardless, it remains a possible vector in the future, yet the cockpit security remains in place (for good reason).


I have nothing to say other than, author, if you're reading this, this opinion was... There's no other word for it: utterly fantastic.


I appreciate that. I've been working in tech since I was a kid and have been transitioning over to writing recently. It's been an interesting shift because it doesn't offer the same kind of motivating fuel (up-and-to-the-right graphs, etc). So comments like this are more encouraging than you know. Thank you.


After finishing this, but before reading the byline, I thought to myself, "Yeah, this dude definitely has some writing chops... hmm... maybe that Firefox guy who wrote the screenplay?" Turns out it was indeed you! Definitely looking forward to reading more of your articles/whatever.


Well, as someone who went the direct opposite way, you fully have my endorsement. I'll be keeping an eye out for future posts.


He's a very good writer. I realised when looking him up on Twitter that he's also the one behind the Silicon Valley scripts. https://twitter.com/blakeross


<This is the moment you realize that some people just want to watch the world burn.>

Or, maybe the user is "kicking the tires" to see how robustly it was coded, concerned that poor data verification practices reflect weaknesses elsewhere in the code as well.

EDIT: s/inadequacies/weaknesses for clarity


Good article, very click-baity title.

The article is about software security and how it compares (or doesn't compare) to real-world security, and what this means for the Apple case.

What drew me in is mostly that the beginning is written in a very light-hearted style, so it's a pretty easy read at first.


Thanks. And, I agree: https://twitter.com/blakeross/status/706191059185872896

Usually I go in the other direction and redefine bland, e.g. https://medium.com/@blakeross/don-t-outsource-your-thinking-.... Had a little Friday fun with this one.


For what it's worth, you're a fantastic writer and this is one of the most enjoyable articles I think I've ever read. You've captured the essence of the subject perfectly, and your writing style is thoroughly enjoyable.


Seconding this. Maybe it's my love of anecdotes and analogies to illustrate points that may be hard for people to understand. Possibly it's my appreciation for well placed juvenile humor.

Either way, I identified with some of the points being made and easily picked up on the things I'd not considered from this angle thanks to the funny examples.


Everything above echoed, with the important addition that I feel I can share this article with all of my non-techy friends and family and feel they will step away with a much better understanding of the Apple discussions.

I still see unease with some of my friends and family about the topic, and although perhaps some of them have realized the ultimate question of should the cockpit or the cabin control things, I don't think they have a good understanding of why that is, or how this phone security compares to other things that are called "security," whether a door lock or the airport security line.

Very vivid writing that explains this for everyone. And I dig this type of humor.


I liked it. However, I'm not going to forward it since it will confuse people who don't have the background to disambiguate.

For example, who is "you" in the following two bullet points:

  It is not 'secure' as the Coke recipe is secure.
  Coca Cola has the key to its vault, but you don’t
  have the key to yours.

  It is not “secure” as the Pentagon is secure. Those
  blueprints are closely guarded, but your plans — even
  much of your security code — are known to all.


In “thinking like a technologist”, this post is missing the context/subtext in the airline security game.

The metal detector makes the airplane neither more nor less safe than the security theater porno scanner machine, and the precheck also doesn’t accomplish anything. The only reason most of the people need to be diverted through the porno scanner machine is that the federal government spent a few billion on them in a handout to some senator’s friends, and to scrap them now would make the tremendous waste of money obvious to everyone.

But at the same time, business travelers don’t want to go through the new machines, so we let them pay a nominal fee (easily amortized down to trivial if you fly a few dozen times per year) to go through the old metal detectors instead. Bonus: they now get to take a shortcut in the security line that they didn’t used to get. If someone without a real precheck manages to sneak through the metal detector line by counterfeiting some paper token, it isn’t a real security risk.


Well, I did say at the end: "For as much money and time as we’ve wasted on printer-powered air security, only one innovation has prevented another 9/11: Locked, reinforced cockpit doors."

I agree that it's generally theater all the way down.


While locking the door is important, the real innovation is in the attitude of the passengers. It just isn't possible to hijack a plane anymore because the passengers will not allow it.


I was astonished by how unsafe the road/traffic system really is 8 years ago when I started to learn driving. Just think about it, driving on the road is extremely vulnerable: any other driver on the road could make a small mistake to get you both killed, accidentally or intentionally. Yet the road system is far more secure than its cyberspace counterpart. Why?

* Potential damage is roughly symmetric. A bad/evil driver might kill others but very likely also kill himself.

* Threat is local. There is no way for a bad/evil driver to kill all the drivers.

* The road system as a whole does not have a single point of failure.

I think the claim in the article is dangerously wrong. We should never be given a binary choice in such a big issue.


The road system has killed tens if not hundreds of millions of people. How many have been killed in cyberspace?


> We should never be given a binary choice in such a big issue.

The question, "should the security of any model of personal computing device be subject to the whims of every court in every nation" seems binary to me.


I really liked the style of writing in this piece. The author certainly should consider writing a book. Reminds me of Malcolm Gladwell.


Best read in months. Thanks for posting this.


"Mr. Fart" is the best nickname for them yet, much better than that "Female Body Inspectors" one sees on t-shirts.


Best article I have read in a while. Thanks for writing it.


The best security: be honest and place complete trust in those you employ. Hire people you trust. If there is nothing that is blocking you, then morale is higher, and people get more focused on what is important. If there is nothing to break into, there is less temptation. Your employees won't be perfect, but if they are trusted, if you let things be, there's a good chance everything will be fine- at least as fine as it would have otherwise.


I'd like the people that -1'd me to explain why I'm wrong.

No matter how much defense you put up, if you are accessible, you are at risk for unauthorized use of data.

Employing only people you trust and showing them you trust them is a great alternative to security restrictions.



