Computer security is but one in a large and distinguished group of common victims of misunderstanding in the media. Interesting results in mathematics and the sciences present mainstream journalists with an unenviable task: to distill deeply complex technical concepts, often in the vanguard of human thought, down to something easily digestible by today’s attention-deficit culture.
Grigori Perelman’s insight about the actual impossibility of cigar singularities, combined with clever cutting to deal with other areas of infinite density, meant that there was nothing inhibiting the Ricci flow from eventually producing a uniform geometry on a closed 3-manifold, which unlocked one of the hardest math problems in the last century. It’s fairly difficult for a journalist — who probably doesn’t have a Ph.D. in differential geometry lying around just for this occasion — to boil it all down to an article with the same appeal as stupidly captioned cat pictures.
The problem is that the public has no notion of a closed 3-manifold whereas, in no small part due to endless TV shows and cinematographic masterpieces like Hackers, Swordfish, and Antitrust, the public does have a mental model of computer security. It goes something like this: hackers are guys with chiseled jaws and funny names like Axl Torvalds who spend their days stealing millions from people’s bank accounts with viruses they built by rotating a cube in just the right position on a computer with five monitors and which they spread using a special satellite communication system. They do all this in between being flashed by Halle Berry and bonking a punk-rock, jailbait version of Angelina Jolie. (Lest you think I have a vivid imagination, I’ve just described all three movies I mentioned.)
Take it from me: I spend my days looking at boring green shit in a black terminal window, the closest I’ve come to special satellite communication systems is almost being killed by one, and Angelina Jolie isn’t returning my calls. I’m sure she’ll call back any day now.
Anyway, it’s because of the public’s mental model that bad computer security reporting is particularly conducive to becoming fearmongering. On Friday, the BBC reported on e-mail information overload, finishing the article with tips from some kind of university expert, who helpfully advises:
You shouldn’t open a spam e-mail, because as soon as you open the e-mail up, it notifies the organisation that has sent that, saying this is a valid e-mail address. They know how long you’ve looked at it, when you looked at it and did you go back to it.
They know where you live! Had the BBC bothered to run this by anyone with a clue, they’d have learned this kind of e-mail tracking was only possible if you were using an utterly braindead e-mail client, the likes of which haven’t been widely available in some 3-5 years. Swing, miss.
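As an added illustration (not part of the original post): the only mechanism behind the "they know when you opened it" claim is a remote resource, typically a one-pixel image with a per-recipient token in its URL, that the mail client fetches while rendering the HTML part. The Python below parses a constructed message and lists exactly those references; a client that blocks remote content never requests them, so the sender learns nothing. The message, hosts and token are all made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a multipart mail whose HTML part carries a 1x1
# remote image with a recipient token, plus an inline (cid:) logo that is
# embedded in the message and so involves no network fetch.
SAMPLE_MAIL = """\
From: promo@example.invalid
To: alice@example.invalid
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Special offer inside.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Special offer inside.</p>
<img src="http://track.example.invalid/open.gif?rcpt=4f9a2c" width="1" height="1">
<img src="cid:logo@example.invalid">
</body></html>
--b1--
"""

class _RemoteRefs(HTMLParser):
    """Collect attributes that would make a rendering client fetch a remote URL."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "background", "poster") and value:
                # Only http(s) schemes cause a network request on open;
                # cid: and data: references are served from the message itself.
                if urlparse(value).scheme in ("http", "https"):
                    self.refs.append((tag, value))

def remote_beacons(raw_message):
    """Return (tag, url) pairs from every text/html part of the message.
    Each one is a request the client would make on open if it auto-loads
    remote content, which is what leaks the 'valid address' signal."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _RemoteRefs()
            parser.feed(part.get_content())
            found.extend(parser.refs)
    return found
```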
Okay, I’ll cut the Brits some slack. They’re not a technology publication. Surely the folks from Finnish F-Secure, the anti-virus and security house, know better?
Evidently not. From their post about the Apple iPhone SDK:
The security model is based on signed applications. The idea is that if someone attempts to develop something bad, Apple can pull the certificate and make the application unusable. This is the same approach as Symbian uses and while it’s a great idea in theory, we’ve seen bad applications such as spy-tools for phones being able to get their applications signed by claiming that they’re a backup tool.
The iPhone application security model is nothing like Symbian’s. With Symbian, once you get your application signed, you can move it from phone to phone as you please, and any Symbian phone can download it from your website. If something malicious got signed, you’d have to depend on certificate revocation lists to contain the damage, and those have all the security effectiveness of a glass of warm saltwater.
Here’s the thing: you can only download an application to your iPhone from Apple’s application store. Single point of distribution, baby. Apple’s Deric Horn mentions you can’t even move signed applications from phone to phone, because they’re wrapped in Apple’s FairPlay DRM.
The bottom line is that when a bad Symbian app is signed, the genie is out of the bottle, and there’s no practical method to put him back in. When a bad iPhone app is signed or its author cuts off El Jobso in traffic, Cupertino pulls the application from the store. And its distribution, as if by magic, ends there.
Swing and miss, F-Secure. Swing and miss.