Thursday, May 21, 2020

Only 7.6% of Brits say they trust tech firms with personal information, and that's a problem for all of us

So, it’s May, 2020, and we humans are struggling to cope with a global crisis of unprecedented scope and scale, despite having unprecedented levels of technology at our disposal. Why are we struggling? One factor could be this: less than 10% of adults in the US and UK trust tech firms to protect their personal information.

That's according to a survey I commissioned around the middle of the month, a full account of which can be found in this article on Medium.

To rein in COVID-19, and future pandemics, people need to be able to share their personal information without fear that it will be misused or abused.

I think this pie chart reflects that fear. It shows the US results but the corresponding UK pie chart looks very similar: very few people say Yes when you ask them this question: “Do you trust tech firms to protect your personal information?”

Respondents could answer Yes, No, or Not sure. Less than 1 in 10 respondents answered Yes (7.6% in the UK, 8.9% in the US). More than half said No (55%). Just over one third said Not sure (36%). Who were these people? Adults in the US (n=756) and the UK (n=514).

Why is there such a lack of trust? I think that the Malware Factor has a lot to do with this. People don't trust tech firms to protect personal information because of the massive scale at which malware has enabled such information to be compromised and abused. Companies and governments just don't seem to have the ability to prevent this, either because of a shortage of concern or funds or skills or understanding, or an overabundance of criminal activity, or all of the above.

Ok, but what can we do about this?

My own opinion is that the overabundance of criminal activity, while not the whole problem, is a huge part of the problem. Yes, it's true that many organizations could do better at cybersecurity, but it's also true that the governments of the world have massively failed their citizens when it comes to malware-enabled cybercrime. This failure is so huge that it's now compounding the problems created by a deadly pandemic. Maybe, now that lives are very clearly on the line, more people in positions of power and influence will begin to take the Malware Factor more seriously.

But what would that look like? How does taking the Malware Factor more seriously at the highest levels translate into action? I'm going to list three suggestions. You may not like them. You may even scoff at some or all of them. But I'm already used to that, as I said in this blog post and Medium article from 2017 (same story, two different places). FYI, I'm still fairly sure I'm right.

1. International cooperation and global treaties are the only way to make a serious dent in cybercrime and cyberconflict, and the citizens of the world should push their governments in this direction. I realize this is going to be hard while three of the biggest malware-making countries are still run by Trump, Putin, and Xi, respectively—but that is no reason not to try.

2. Cybersecurity products and services should be made available at lower or no cost.

As I've been saying for more than a decade now, information system security is the healthcare of IT/ICT. Just as profit-based healthcare is, in my opinion and practical experience, a bad idea, so is people making large fortunes from protecting the world's digital infrastructure—as opposed to a decent wage. Besides, a profit-based approach to securing ICT has thus far failed to make any lasting dents in the cybercrime growth curves (see chart of Internet crime losses, from this IEEE blog post by Chey Cobb and myself). 

3. We need to consider an end to broadcasting and bragging about new and interesting ways to gain illegal access to information systems. Justifying this as a way to improve security and reinforce the message that it needs to be taken more seriously might have been valid at some point in the past, but that validity has been seriously eroded. Fully open, freely accessible, in-depth research on things that enable ethically-challenged individuals or governments to seriously undermine our collective future is not, in my opinion, a good idea. (Think of someone making and distributing a version of COVID-19 that doesn't give victims a tell-tale cough—cool?)

I'm happy to hear more suggestions, or your thoughts on what's wrong with these. Also happy to hear about any moves in these three directions. (I am already familiar with the work of the Global Commission on the Stability of Cyberspace; I'm still hoping they take up the idea of a Comprehensive Malware Test Ban Treaty.)

#cybercrime #dataprivacy #privacy #infosec #FTC #FCC #COVID_19 #Covid19UK $FB $AMZN $AAPL $GOOG $MSFT #technology #trust #survey 

Saturday, May 09, 2020

Defcon 2020 Cancelled: Can sad news also be good news?

Now with audio! You can now listen to the blog post.

Talk about mixed emotions! Large swathes of the hacking and information security world are feeling all kinds of sad-and-yet-glad right now. Why? Because, as of May 8, 2020, this year's Defcon is canceled. This was to have been the 28th consecutive Defcon, a very popular annual hacking conference that is traditionally held in Las Vegas around the start of August.

It was also going to be an anniversary event of sorts for me. The canceled Defcon was to have been the 25th anniversary of my first Defcon. That was in 1995 and was known as Def Con III as you can see from the t-shirt.

Looking on the bright side, Defcon 29 in 2021 is already scheduled, as a meatspace event, for August 5 to 8 (see WIRED article). But the main piece of good news is the very thing that many folks—myself included—are also sad about: we won't be seeing each other this August, at least not in person.

There is more good news: this year there will be a virtual conference. I know that not everyone enjoys this format, but I am pleased that this path was chosen. I am also grateful the hacking community has made a very difficult, yet also very sensible decision: let's not risk spreading COVID-19 by gathering in person in Las Vegas hotels in our tens of thousands to spend several days in packed talks and crowded corridors (estimated attendance last year was 30,000).

And there's even more good news, from way back in the 1990s. Back then, Jeff Moss—the founder of the event—had the wisdom and the foresight to insist that the talks delivered at Defcon be archived. That means anyone with spare time on their hands and an internet connection—maybe in a locked-down-shelter-in-place scenario—can binge on past events.

That also means people can still listen to what I said, 25 years ago, preserved as an audio (.m4b) file. Just scroll down this page: DEFCON III Archive. My talk was titled: The Party's Over: Why Hacking Sucks. My goal was to generate dialogue about the ethics of hacking, and I think I succeeded. In fact, the audio captures that quite well. (Bear in mind that this was 1995—I spoke at numerous events in the twenty-teens where organizers seemed incapable of capturing and curating audio this efficiently.) Click this link to listen in your browser; it's about 49 minutes long and while the sound starts out rough, it gets better quickly.

As someone who had been working on the computer security problem since the 1980s, I have to say that I learned a lot from that 1995 session and really appreciated everyone's input. I was invited back the next year, and my talk was about how people might go about transitioning from hacker to infosec professional. Of course, like many early DEFCON talks, this one went in several other directions at first (there was even a steam train excursion), but you might still enjoy listening. Here is a link to that talk. Be warned that there is some swearing, but it is in a very polite voice.

Over time, the Defcon archives have evolved to become a quite amazing cornucopia of knowledge and history, a feast for eager minds, and a legacy for future generations.

Thanks Jeff! Thanks to your foresight, it's possible to find some good news in this sad news.