I was listening to the new No Strings Attached Wireless podcast on my way to work and Andrew von Nagy (@revolutionwifi) and his guests were talking about the new exploit in WiFi Protected Setup (WPS). Essentially, a hacker can brute force the 8-digit setup PIN in WPS, which was invented in the first place because people needed help figuring out how to set up more secure WiFi at home. Of course, that got me to thinking about other types of hacks that involve ease-of-use features being exploited. Ask Sarah Palin about how the password reset functionality in Yahoo mail could be exploited for nefarious purposes. Talk to Paris Hilton about why not having a PIN on your cell phone’s voice mail account when calling from a known number (i.e. your own phone) is a bad idea when there are so many caller ID spoofing tools in the wild today.
Security isn’t fun or glamorous. In the IT world, the security people are pariahs. We’re the mean people that make you have strong passwords or limit access to certain resources. Everyone thinks we’re a bunch of wet blankets. Why is that exactly? Why do the security people insist on following procedures or protecting everything with an extra step or two of safety? Wouldn’t it just be easier if we didn’t have to?
The truth is that security people act the way we do because users have been trying for years to make it easy on themselves. The issues with WPS highlight how a relatively secure protocol like WPA can be affected by something minor like WPS because we had to make things easy for the users. We spend an inordinate amount of time taking a carefully constructed security measure and eviscerating it so that users can understand it. We spend almost zero time educating users about why we should follow these procedures. At the end of the day, users circumvent them because they don’t understand why they should be followed and complain that they are forced to do so in the first place.
Kevin Mitnick had a great example of this kind of exploitation in his book The Art of Intrusion. All of the carefully planned security for accessing a facility through the front doors was invalidated because there was a side door into the building for smokers that had no guard or even a secure entrance mechanism. They even left it propped open most of the time! Given the chance, people will circumvent security in a heartbeat if it means their jobs are easier to do. Can you imagine if the US military decided during the Cold War to move the missile launch key systems closer together so that one man could operate them in case the other guy was in the bathroom? Or what if RSA allowed developers to access the seed code for their token system from a non-secured terminal? I mean, what would happen if someone accessed the code from a terminal that had been infected with an APT trojan horse? Oh, wait…
We have been living in the information age for more than a generation now. We can’t use ignorance as an excuse any longer. There is no reason why people shouldn’t be educated about proper security and why it’s so important to prevent not only exposure of our information but possible exposure of the information of others as well. In the same manner, it’s definitely time that we stop coddling users by creating hacking points in technology deemed “too complicated” for them to understand. The average user has a good grasp of technology. Why not give them the courtesy of explaining how WPA works and how to set it up on their router? If we claim that it’s “too hard” to set up or the user interface is too difficult to navigate to set up a WPA key, isn’t that more an indictment of the user interface design than the user’s technical capabilities?
I resolve to spend more time educating people and less time making their lives easy. I resolve to tell people why I’ve forced them to use a regular user account instead of giving them admin privileges. I promise to spend as much time as it takes with my mom explaining how wireless security works and why she shouldn’t use WPS no matter how easy it seems to be. I look at it just like exercise. Exercise shouldn’t be easy. You have to spend time applying yourself to get results. The same goes for users. You need to spend some time applying yourself to learn about things in order to have true security. Creating backdoors and workarounds does nothing but keep those that need to learn ignorant and make those that care spend more time fixing problems than creating solutions.