passw0rds1 once again
Once again the topic is passwords. I was just at a local phone store to ask for information. While I had to wait in line I did not stare at my smartphone screen but instead listened to the other people. It was only trivial things until the guy at the counter had to sign his new phone contract. I do not know how it is handled elsewhere, but in the country I live in you need your phone number and a client password to log in. You can do a lot more than just log in and view contract details if you know this information. So the client talked to the shopkeeper about a new contract, a new phone with it and an internet box. That's when the shopkeeper had to do some authorized action in the client database. In order to do that he asked the client for his password, which he gave him. So the shopkeeper asked and the client replied “mario”, probably his son. “No, that's not it,” said the shopkeeper. The client then replied with a month-year combination. Probably his birthday or the birthday of someone close to him. The shopkeeper smiled and nodded to confirm that this was in fact the correct passphrase. The customer then boasted: “Well, it has to be one of those since I use them for everything.”
Standing in a phone shop waiting in line for 5 minutes gave me enough information to access the complete digital life of a stranger. No need to hack or social engineer. No need to be active at all. Just stand around and wait. BackTrack/Kali Linux's motto seems to be accurate even in real life: “The quieter you become, the more you are able to hear…”
I recently found a written piece by SwiftOnSecurity that depicts a 17-year-old girl called Jessica and her experience with computers. In this story Jessica infects her computer with malware because she does not have the technological background to understand how email works. She refuses to update her software because she does not want to break her computer and because an update she did in the past installed weird software that made her browser window smaller. Now I know that there are many people who count themselves among the technical elite and they do not understand how Mr. PhoneShopGuy in front of me could be so stupid as to brag about his passwords. There are also people who think Jessica is a stupid little girl and that instead of wasting her energy on dating she should learn how to handle her computer properly.
Like the final verdict in Jessica's story, I think it is the duty of security researchers and software developers to come up with computers that do not get in the way of people. We design servers to be fault tolerant, yet we fail to provide fault tolerance for common computer usage. There are many computer elitists who are angry because people fail to employ the same safety mechanisms as they do. They blame the people for mass surveillance and security threats such as botnets, when in fact it is the responsibility of the people designing and developing these systems. If we want to avert the global information security crisis, researchers, developers and most of all users like Mr. PhoneShopGuy need to participate in the creation of software. So if you are a researcher or a developer, next time before you get angry with a user because he/she is too stupid to understand your ingenious product, ask them why they do not understand your product, then go back and fix the problems. Rinse and repeat until we all live in a world where state agencies, tracking companies and the occasional shady guy sit in their basements and cry.