Geeks Who Cry Wolf
Every month - sometimes every week - the tech world is 'rocked' by dire warnings of scary-sounding security vulnerabilities, newly discovered in major products and services. But two recent examples didn't pass my sniff test. Here's the scoop…
Is the Sky Really Falling?
Remember the bogus story from NBC News about the supposed dangers of bringing any electronic gadget to the Sochi Olympics? I wrote about that in Lies, Damned Lies, and Olympic Journalism.
Two of the latest examples of tech journalists spouting nonsense are the stories proclaiming “Android updates open backdoor to hackers” and “Secure Web browsing can leak private data to employers and ISPs”. The life cycles of these stories follow a predictable pattern:
Some obscure security researcher discovers a vulnerability. “Wolf!” he cries to the tech press. “BIG wolf!” meaning it threatens the entire planet. “A whole PACK of wolves!” he continues, warning that legions of Russian Mafioso and teenaged script-kiddies can use this dangerous knowledge to launch attack after attack against everyone.
The researcher backs up hysterical claims of imminent catastrophe with reams of jargon-laden gibberish that only another certified geek can understand, like this white paper from the group that discovered the Android vulnerability.
In step two, the tech press picks up the “Everybody panic” story and runs with it. They “simplify” the geeky details by glossing over the technical points that inconveniently say, “This really isn’t a big deal.” The “secure browsing” story doesn’t include anything new. It has long been known that the HTTPS protocol is, under certain rare conditions, vulnerable to eavesdropping. It is also well established that your employer and ISP can monitor any of your activity on their networks that they wish. But suddenly these two facts of life are front-page click-bait… er, “news.”
Then the mainstream media gets hold of the story and “simplifies” it beyond recognition. The top line – “Android updates open backdoor” – becomes the bottom line too. In between are lines of speculation about the horrible things a hacker could do with this exploit, but not one example of anything actually being done. This is the story that makes the office gossip rounds, and everyone panics.
Take a Breath...
Missing from all three steps in the evolution of a scare story are the real-world protections against the potentially dangerous thing.
For example, an app that exploits Android’s update vulnerability would not last long in the Google Play ecosystem. Not only can Google instantly take down an app from its online store, but it can also reach out to users’ phones and “kill” any app that is deemed malicious. Further, the problem only manifests in malicious apps that request system privileges that don't exist on the older Android version, but are granted automatically once the system is updated. So it can only happen if (1) you've downloaded a sketchy app, (2) Google didn't notice the malicious app for months or years, and (3) your phone's version of the Android OS is updated. Never mind that the authors of the study didn't mention a single instance of this ever happening in the real world.
As for employers and ISPs secretly monitoring communications that they represent to you as secured from monitoring, there are laws against such frauds and lawyers to keep their clients scared of huge civil lawsuits. And there's almost always a Terms Of Service agreement, explaining to employees that the computer and the Internet access they have at work are provided by the employer. As such, the employer has every right to restrict or monitor the usage of those resources. Check with your employer for clarification if your company's Internet Terms Of Service do not spell out these issues to your satisfaction.
When you read a security scare story in the mainstream press, look to see if there is even ONE verifiable example of a real person who has been affected. If not, it's probably just a theoretical (or completely non-existent) problem. Or you can go to the geeky source and plow through all the jargon to see what it’s really all about. That often takes me several hours. Even better, subscribe to my newsletter and let me tell you in a few short sentences why the big, bad wolf is just a Chihuahua. :-)
This article was posted by Bob Rankin on 27 Mar 2014
Article information: AskBobRankin -- Geeks Who Cry Wolf (Posted: 27 Mar 2014)