Wednesday, April 25, 2007

My final comment on iPods and security (for now)

Cara took a bit of flak on various blogs and on Network World's own forums for her series of articles about iPods and security. Wherever you stand on the issue, or even if you couldn't care less, I find it interesting to see how naive many of those posters are. I wonder what people think the job of a journalist is.

Where do people think that a journalist gets story ideas from? Could it sometimes be from insider information gleaned from press releases or perhaps gossip or tips from sources they have a relationship with?

Where do people think that follow-up story ideas come from? Is it possible that if readers show an interest in a topic that a journalist might be compelled to write a follow-up to capitalize on that interest?

How is opening up a topic for discussion "causing controversy" or "creating an issue"? If you disagree, then disagree - at least Network World has a forum and allows you to post your disagreement.

While I think it is an interesting discussion point, I've already said all I have to say on this for now. If you disagree with me, that's perfectly okay. Feel free to post a comment!

Wednesday, April 11, 2007

Should Apple include security with iPods?

I corresponded with Cara Garretson via email yesterday, after I read her article but before I wrote my previous post. She invited me to comment on a follow-up article she was considering: should Apple include security with iPods?

I actually received that message from her while driving home from the office, and the wheels have been turning ever since. Perhaps a bit too much so because now I'm not sure I understand which angle she is thinking of taking. It's a very good question, but I can spin it a number of ways. My questions in bold followed by my answers:
  1. Should Apple include security features that make it less likely for an end-user's iPod to be infected by malware?
    Notwithstanding Kaspersky's recent claim of an iPod virus, there is no real evidence that it is likely (or possible) for an iPod to be infected by malware. The problems with Kaspersky's claims are obvious -- not only is it a harmless "proof of concept" virus, but Linux must be installed on the iPod (something that no one outside of a few in the Slashdot crowd or MIT Media Lab is likely to do) in order for it to be vulnerable in the first place. Therefore, I would argue that Apple already does a good job of making it unlikely for an iPod to become infected; with 100 million iPods sold and zero vulnerabilities, it would be hard to argue differently.

  2. Should Apple include security features that make it less likely for an end-user to be tempted to use their iPod for evil?
    I don't know how this would be possible without restricting the user's ability to use the product correctly. One of the selling features of iPods is the fact that they can be used as a portable hard disk. Witness the explosion of portable applications designed to be launched from an iPod or datakey: common sense says there must be a market for these applications if so many vendors are creating them. Existence of a market proves there must be customer demand. Also, Mac OS X has promised the concept of portable home directories for years now and I believe this capability will be built into iPods and OS X in the near future. So, I would say that this is not Apple's responsibility nor would it be desirable.

  3. Should Apple include security features that make it easier for IT staff to protect against end-users using iPods for evil?
    To me, this is the most legitimate angle. There are possibly arguments to be made that Apple should provide this somehow, and although I can think of a few scenarios to make this possible, there are many more questions raised. Would it be done in software? If so, would Apple charge for the software? How would the software be distributed? How would an IT person deploy, configure, monitor, and manage the software? Perhaps most importantly, what problem would Apple be solving by doing this? There are already software products in existence that could be used to block iPods (my company Faronics makes one called Device Filter Mac); what could or should Apple bring to the table that doesn't already exist?

  4. Because Apple is responsible for 100 million iPods in existence, all of which could potentially be used for nefarious purposes, does Apple have a moral or legal responsibility to ensure iPods are used for good instead of evil?
    I don't believe it is Apple's responsibility to ensure iPods are used for good any more than I believe it is Honda's responsibility to ensure a Civic is never used as a getaway car. In both cases, the product is only a means of potentially enabling a type of behavior, but is not intended to encourage that behavior. Perhaps if there were no alternative security solutions available, Apple would have some minor responsibility here, but the truth is that the worldwide market for endpoint security products is larger than the worldwide market for iPod accessories. If a need exists, someone will fill that need and profit from it. Isn't that what free enterprise is all about?

Tuesday, April 10, 2007

iPods and Security

Cara Garretson at Network World published a great article today, titled "Can an iPod bring down your company?" If you haven't read it already, I recommend it.

Of course, where data theft is concerned, iPods are only a specific risk due to their ubiquity. There are many other ways to steal data aside from using an iPod. The fact that seemingly every employee or visitor to a company has an iPod possibly makes it more convenient for someone to steal data out of opportunity, but it is doubtful that iPods themselves truly present a threat. Banning iPods (or controlling whether people can download data to them) may help to keep the honest (and perhaps technically illiterate) people honest, but would do very little to protect against dishonest people.

Having said that, I do disagree with what Tom Scocca says on page 2 of the article: "Controls targeted at these devices should be based not on the type of device, but on the risk that companies are willing to accept by allowing any type of external storage device into the environment." I disagree with his assessment because the type of device certainly does matter! For example, iPods are charged by plugging them into a computer. (Yes, I realize there are alternative methods of charging iPods, but almost everyone charges them this way). Therefore, not only would it not be unusual for an employee to have an iPod plugged into his or her work computer (and therefore would not raise a red flag with a supervisor or co-worker), but merely having a large-capacity personal storage device plugged in may be enough to tempt that otherwise honest person into stealing information that they otherwise wouldn't have.

A dishonest person or one who really wants a specific piece of data is probably going to get it even without an iPod. Email, FTP, data keys, memorization, camera phones, print-outs, or whatever all put data at risk. If someone can see your data, it is at risk. If someone can't see your data but can access it (for example, an encrypted file can be located but not opened or viewed), it is at risk. David Jordan sums it up nicely at the end of page 2: "We have to rely on our trusted employees." Very true, even if his assumption, that because users agree to an AUP when they log on they are therefore trustworthy, is asinine.

When speaking of "data" or "information" theft in these scenarios, a couple of seemingly obvious things are typically overlooked by the analysts. They never seem to mention the risk of a person stealing actual software itself. They never seem to mention the productivity loss caused by an employee doing personal work on the company's machine. They never seem to mention the risk of an employee simply downloading files from the Internet all day and copying them to his or her device when they leave for the day. They never seem to mention one of the most obvious risks of all -- that of an employee copying data from the device to the computer and therefore putting the company at risk of security vulnerabilities, lost productivity, liability due to unlicensed software being installed, and much more.

And it's not just the analysts who miss the point -- Cara's story is based on or inspired by a press release put out on April 6 by a company that just so happens to sell end-point security software designed to protect against the iPod threat. It was a brilliant piece of PR that garnered a lot of attention. But the press release does miss the point: of course end-point security is a good thing, particularly these days when not a week goes by without a news story of yet another company suffering a major data breach, but it is foolhardy to think that data breaches will be completely stopped by implementing such a solution. According to the company's press release, "the company now believes that the use of iPods for 'Pod Slurping' could be one of the biggest 'Pocket Fraud' assets for rogue employees to store a variety of confidential data and should be banned until proper policy enforcement capabilities are in place." Well, yeah, of course they believe that! But note the "rogue employees" comment; you're not going to stop a rogue employee this way, but perhaps you will succeed in stopping the otherwise honest employee from making a mistake. You are very likely to succeed in turning off your own employees if you jump to irrational conclusions and don't think it through.

The decision to ban iPods or implement a security solution is one that many organizations should consider, but it is a decision that must be made carefully after weighing the social and monetary costs and benefits; it should not be made irrationally based on an interested party's press release!