Cyber Security Paranoia: Trust, Comfort and Security

This isn’t my usual “How to” or a personal opinion on the latest news. This is just a thought I’d like to write down, and it has some strong words (so nobody can say I didn’t warn them).

To start with, I’d like to say this:

To secure is to sacrifice comfort and luxury. To get luxury and comfort is to sacrifice security.

I keep telling everyone that quote to explain to what extent people should push their security borders.

A few months ago, I went to a colleague to set up her email account on her Galaxy Note. She got paranoid about remote device wiping, and I explained to her that the feature exists, but no one will do it unless you ask us to. After I assured her no one is going to wipe it UNLESS she asks us to, she agreed to use it normally.

A few days ago, there were some tweets about a feature in Microsoft Exchange Server (or maybe other services too!) to wipe out a device remotely, which includes iOS, Android and WP7 (Duuuh, obviously), and people went ape shit about how bad that is and all.

Imagine this scenario:
Someone steals your phone and writes “I love penis” in your Facebook status update or tweets “I’m gay and proud!”. Wouldn’t you want to wipe your device before that happens?

This got me thinking about technology trust in different perspectives.

When it comes to our common user, your email administrator can have the ability to read your emails and do whatever they want with your email account. But they most likely didn’t. What makes you think they’ll wipe out your device? And if they did, what makes you think you can’t sue the hell out of their ass by tracing times and stuff (logs are kept and can be used as proof)? And if you don’t trust your work administrators, why do you use their email to begin with? I mean, you can access your work web portal and check your emails, so why the hey?

When it comes to managers, if you can’t trust an administrator, why hire him? I’d understand managers’ concerns about privacy and all. But hiring an untrustworthy administrator with so many constraints and rules isn’t enough. The administrator WILL find a way or two to snoop around and exploit you guys. Which is why you hire a trustworthy guy AND place the limits and constraints. But it comes down to trusting the administrator either way.

This feature can be harmful to some administrations and corporations. But at the same time, it can be so useful to others. It all comes down to who uses it, how it’s being used and why. If you’re not comfortable with such a feature, then simply don’t comply. Others are comfortable.

Enough with the device wiping feature, here comes another thing.

You probably remember all the talk about WhatsApp traffic being in plaintext and how everyone went security expert saying it’s not secure blah blah blah. Yet people are still using it.

To start with, WhatsApp is an application that is available on multiple platforms (Android, BlackBerry, iOS, Nokia and WP7) that delivers traffic through port 443 in plaintext. There are many other applications that have done pretty much the same since the beginning of communications, such as IRC, MSN Messenger, AIM, Yahoo Messenger and so on. And they’re available on all platforms (I’m surprised no one added IRC to their calculators). But no one complains. Then again, who uses IMs and IRC these days (I still do).

If privacy is your main concern, switch to other applications/platforms such as Kik (which is available on multiple platforms), which uses SSL, and BBM, which is annoyingly encrypted (not totally secure, but safer than so many products). But why aren’t people converting? Well, Kik isn’t as popular as WhatsApp, and BlackBerry devices aren’t that, well, efficient as other devices (even WP7).

I wrote this post to explain how some security features and measures can seem harmful when they’re not, and the other way around. It all comes down to these three factors:

You can be comfortable with a specific technology. But being too comfortable means you’ll have to trust your administrators, which means it’ll most likely be less secure.
You can be paranoid. But that means you won’t trust your administrators and will have to go through some serious steps to get an email which contains a picture of your cat sent to your friend for teh lulz, which would take 10 minutes where you could’ve done it in 2 minutes without the hassle.
You can trust your administrators. That will give you a perfect balance between comfort and security. But you might be a victim of an untrustworthy administration.

So choose wisely.
