Android Phones the next security threat?

Take it as an axiom that older software is less secure.  It’s not always true, but if the code wasn’t mature at the time of its release- meaning it hasn’t been fielded for years upon years- it’s certain to be true.  In an article in PC Magazine, Sara Yin finds that only 0.4% of Android users have up to date software, as compared to the iPhone where 90% of users have their phones up to date.

This represents a serious threat to cybersecurity, and it should have been a lesson that was already learned.  Friend and researcher Stefan Frei has already examined in great detail update rates for browsers, a primary vessel for attacks.  The irony here is that the winning model he exposed was that of Google’s Chrome.

What then was the failure with Android?  According to the PC Magazine article, the logic lies with who is responsible for updating software.  Apple take sole responsibility for the iPhone’s software.  There are a few parameters that the service provider can set, but other than that they’re hands off.  Google, however, provides the software to mobile providers, and it is those mobile providers who must then update the phone.  Guess which model is more secure?  Having SPs in the loop makes the Internet more insecure.  Google needs to reconsider their distribution model.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Hello Insecurity, Goodbye Privacy. Thank you, President Obama

Some people say that Internet Security is an oxymoron, because we hear so much about the different ways in which hackers and criminals break into our data, steal our identities, and even use information to commit “real world” crimes like burglary, when it becomes clear that someone’s gone on vacation.  Well now the Obama Administration along with the FBI and NSA are proposing to make things worse, according to an article in today’s New York Times.

According to the Times, the government is going to propose requiring that developers give up on one of the key principals of securing information– use of end to end encryption, the argument being that law enforcement does not have the visibility to information they once had, say, in the Nixon era, where the NSA acted as a vacuum cleaner and had access to anything.

As our friend Professor Steve Bellovin points out, weakening security of the Internet for law enforcement also weakens it for benefit of criminals.  Not a month ago, for instance, David Barksdale was fired from Google for violating the privacy of teenagers.  He could do that because communications between them were not encrypted end-to-end.  (Yes, Google did the right thing by firing the slime).

This isn’t the first time that the government has wanted the keys to all the castles, since the invention of public key cryptography.  Some of us remember the Clipper chip and a government-mandated key escrow system that the Clinton Administration wanted to mandate in the name of law enforcement.  A wise friend of mine said, and this applies equally now, “No matter how many people stand between me and the escrow, there exists a value of money for me to buy them off.”  The same would be true here, only it would be worse, because in this case, the government seems not to be proposing a uniform technical mechanism.

What’s worse– this mandate will impact only law abiding citizens and not criminals, as the criminals will encrypt data anyway on top of whatever service they use.

What you can do: call your congressman now, and find out where she or he stands.  If they’re in favor of such intrusive policy, vote them out.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]