Could you speak up a bit? I didn't catch your password

We won't need security experts when there's no security left

Something for the Weekend, Sir? I want to be your backdoor man. Or so asserted Robert Plant at the end of Whole Lotta Love. Hey ho.

As a blissfully unaware child, I would sing along to these lyrics – emerging from behind the sofa once track 1's "scary bit" was over – and never bothered to consider the full import of Bob's proposition until I was much older. Much later, and perhaps similarly pondering the career implications of doing so, Leona Lewis failed to lay claim to any such backdoor rights during the closing ceremony of the Beijing Olympics in 2008.

No matter. The original spirit of 1969 Led Zeppelin has just been revived by antipodean lawmakers. It seems the Australian government wants to be your backdoor man too.

While the rest of the free world (oh, you know what I mean) has managed to beat back repeated looming legislative threats to end-to-end encryption, Oz parliamentarians on both sides of the political divide rushed it through, deliberately without deliberation, in time for Christmas. Hurrah for the western forces of good, globally renowned for their honest politicians, restrained security services and incorruptible police!

It is surely unnecessary for me to outline the problems with such a shortsighted law to readers such as yourselves. Come to think of it, the very fact that you can read at all suggests that you are already smart enough to understand that doors are structurally and intrinsically less secure than solid walls.

Even a politician with the IQ of a preschooler and who believes in preposterous computer fairy tales such as 'artificial intelligence' will be familiar with Ali Baba's method of gaining entrance to the thieves' den, i.e. entering the poetic equivalent of password1234. Building a backdoor into encryption means anyone can be a backdoor man, not just Australian civil servants with CompTIA Security+.

Earlier this year, Outpost24 surveyed 155 IT professionals during the RSA Conference in San Francisco and found that 71 per cent were quite sure they could successfully hack any organisation via social engineering, insecure web apps, mobile devices or a public cloud. The other 29 per cent correctly pretended that they couldn't.

Top secret door code

All this comes as the result of self-conflict. We keep thinking up better methods of keeping data secure. But security makes the data awkward to access so we invent ways of circumventing it. Then we have to brick up the circumventions with more layers of security. This eventually gets so annoying to sidestep that we give up on the workarounds altogether and demand instant backdoors instead.

And if you thought fighting off security breaches was already a pain in the arse, just wait until a government opens your backdoor.

We've all heard the arguments about anti-terrorism and how the security services want to enhance our secure systems by building insecurity into them. Yes, I know the cliché that justifies making private data easier to hack by claiming "if it saves just one life, it'll be worth it".

Great, so let's ban all cars and lorries and planes and trains and boats. Let's remove stairs from buildings and forbid the use of ladders. In fact, any type of construction work or operating heavy machinery looks risky. Ban factories. Ban farming. Ban fishing. Ban sport. Ban going outside when it's sunny. If this saves just one life, it'll be worth it, right?

I am being reductive, of course. The Australian government isn't banning anything: it is merely breaking encryption in the name of anti-terrorism. So let's confine ourselves to breaking stuff. Perhaps the US authorities could consider breaking blockchain in order to trace IDs behind this month's bomb-scare Bitcoin accounts. Or Britain's MI6 might want to break its own secret communications systems so that anyone can listen in, just in case they suspect a sleeper agent is misusing them.

Better still, let's go full circle and dispense with security altogether. All that matters is that something looks secure to the general public and legislators despite being about as robust as rice paper in a typhoon.

Shame about yer face

My favourite example of this mad approach put into real-world practice is Android's facial recognition, which eventually found its way into my smartphone handset this year. I haven't seen the official specification that the Android developers were asked to work on but I assume it must have said: "Create a half-arsed piece of crap with as little effort as possible in order to please our stupider Huawei customers."

Unlike Apple's Face ID, the facial recognition security on my phone works if I wave an enlarged passport photo in front of the camera, and that photo doesn't even have to be of me. In fact, I thought I'd have some fun trying photos of various famous people through the history of British entertainment to see if the software still thought it recognised yours truly. This went flatteringly well at first (Daniel Craig) but I lost interest when it started getting stupid (Norman Wisdom).

It makes you wonder how the facial recognition works at international arrivals for certain UK airports since there's no Face ID-like depth analysis data on file with which to compare your real-life mug. My assumption is that, yet again, it's not really a security system at all but is simply designed to look like one. In fact, it's a delaying system that takes a mugshot, checks your passport isn't fake and alerts plod, all while you're trapped between electronic gates and blinded by 10000W lamps.

I suggest these so-called biometric gates could also be used as dementia detectors. Given that you have to watch the same how-to-use-the-biometric-gates video tutorial looped about 50 times while you're queueing at the gates for half an hour or more, it's amazing how many loopy fellow passengers have forgotten what to do when it's their turn. They will inevitably place their passports face-up on the face-down scanner, attempt to scan a blank visas page, stand behind / in front of / next to the bootprints painted on the floor, and face absolutely everywhere except towards the screen that prompts them to look in that specific direction.

Nah, I'm being silly. All that's happening there is that it catches out anyone who finds themselves utterly baffled by technology.

Evidently, they are politician detectors.

Alistair Dabbs
Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He says he can't let 2018 go without a tip of the beanie to Pete Shelley who died in early December. For most, Shelley will be remembered for founding 1970s punk band The Buzzcocks. For Dabbsy, he remains the only artist to feature a Commodore PET in a charting pop video (1981's Homosapien) and the only one to include Sinclair ZX Spectrum program code on an album (1983's XL-1). Oh, and for managing to get a song about gay love into Shrek 2. Merry Christmas, everybody. @alidabbs




Biting the hand that feeds IT © 1998–2019