Our devices all touch the Internet all the time. There are many people on the Internet who are extremely smart and extremely bad and want to steal your money. We need to take security very seriously. The tech community’s writers, both professional and amateur, are doing an inadequate job; arguably guilty of both recklessness and laziness.

Consider two mobile-device security stories that broke recently.

Wallpapergate · I mean the Android Wallpaper Fearfest, nicely summed up in JR Raphael’s The truth about those ‘data-mining’ Android apps and then his excellent post-mortem. This thing splashed all over the Internet, with inflammatory headlines claiming that millions of people’s intimate secrets were being sent to (gasp) China!

So the security folk here at Google investigated it and talked to the developer (see JR’s second piece) and the conclusion is obvious: there was maybe a little there there, but not much.

There was one extremely useful outcome: Nick Kralevich of the Android security team wrote a nice blog piece, Best Practices for Handling Android User Data. If you’re a mobile (not just Android) developer and don’t want to find yourself sitting where that wallpaper guy was, you probably should read that and think hard about what you’re doing.

I’ll omit the names of the people who launched this story and the “reputable” journalistic organizations who ran with it. But there are two things that specifically anger me. First, the initial wave of stories contained these specific numbers, up to and including four million, describing the number of people who’d been affected. These, near as I can tell, were complete science fiction. I like to think when you publish numbers they should mean something and not be just, you know, made up.

Second, the fact that the developer happens to be in China was used as a fear intensifier in a way that was totally ugly and disgraceful. Earth to journalists: there are lots of bad people doing bad things right here in Pacific Time in the northern hemisphere.

The PDF Hole · Then there’s this story about the iOS PDF-renderer vulnerability, which strikes me as fairly horrifying. Apple, obviously, got right on it and already has a patch.

The commentariat handled this one in a more grown-up way. Maybe too grown-up; I saw some argument that they should have been a little shriller. I can see the point; at any given time, a certain proportion of iOS users are going to be traversing the darker corners of the Net and, well, maybe they just shouldn’t be, until that patch hits their portables.

This is not an iOS-vs-Android thing; I don’t think either is much less secure than the other, and I’d be unsurprised if there were equally horrible zero-day vulnerabilities lurking on our side of the fence. But when they turn up, we’re facing the risk that people will just blow warnings off after all the crying wolf over the Wallpaper thing. And alternatively, that we’ll all avoid being “alarmist” while the bad guys pour through the breach in the walls.

Plea · People who write about security issues need to raise their game a few notches. On one hand, they need to be doing basic journalism: fact-checking, multiple independent sources. On the other, they shouldn’t be frightened of turning up the volume when the population needs to be warned.

These stories really matter; I can think of few that are more important to the online population at large.



Contributions


From: dc (Aug 04 2010, at 21:30)

..."in the northern hemisphere."

Dude, China is entirely north of the equator, making it also in the northern hemisphere.

Otherwise an interesting article.

It always strikes me how I can admire some really intelligent people that don't seem to see the evil for what it is. aka Google.

Apple doesn't have plans on world domination. Yes, they're closed and that sucks ass. But really, they're not linked to the NSA & multiple breaches of privacy on many levels (Maps Street View vans, monitoring internet, personalized ads, etc.) the way Google is.


From: fg (Aug 04 2010, at 23:03)

Here's what concerns me as an Android (original Droid) user about the iOS problem. While Apple can and has reacted, and iOS users will get their updates in a timely fashion when they sync, if and/or when a similar problem strikes Android, how long am I going to have to wait while Motorola decides to act, followed by the time it takes Verizon to act?

Say what you will about Apple's central control, but this episode has reminded me again of what lack of that control means.


From: JulesLt (Aug 05 2010, at 00:39)

Expecting good reportage and journalism on the net?? But it's clicks not truth that makes money.

The big problem is that by the time the facts / retraction comes out, that is never news (in fact, your blog is the first place I've learnt that the PDF patch exists).

It is telling that journalists were more excited about the jailbreak story, for instance, and that it took tech bloggers to realise the security implications of that story. (It says a lot about the low quality of tech journalism that no one even had the moderate understanding of computing required to put two and two together).

Then the media swung round to exaggerating the problem (as with the Android issue) - which to be fair also frequently happens with Windows 'zero-day' issues (always reported as clear and present danger, not risk).

But then this also happens outside the field of computing - there is no better news than a new potential threat we are not protected against. The threats we already face every day are never news.

Ben Goldacre is continually taking newspapers apart for their poor coverage of science and medical stories.

What I think is making matters worse is that PR firms are starting to realise that **** sticks (Adobe's push on Flash has been successful to the degree that people think it is an issue - beyond the iPhone story, it's cropped up in plenty of other phone reviews - as if people cared. In real life, I've never heard any smartphone user, from Nokia to iPhone to Android, complain about the lack of Flash. The only people I've ever heard complain about the lack of Flash on smartphones have been developers).

Or as I once said "Schadenfreude is not a security policy"


From: Zachary (Aug 05 2010, at 07:59)

@dc

Tim said "Pacific Time in the northern hemisphere".

You amazingly managed to ignore a crucial part of his point.


From: Charles Liu (Aug 06 2010, at 13:32)

I'd like to point out this bogus story was predicated on some fairly standard "China FUD" our media snaps to.

Basically anything bad about China must be true. Has anyone noticed how racist it is to insinuate servers in China are inherently evil?


From: Alex Cruise (Aug 10 2010, at 10:59)

+1 fg, infrequent "big bang" updates (from HTC in my case, but obviously endemic in general) are a major problem with Android.

I should hope that Google is investing more effort in modularity and granularity of updates, so that something like last year's comical combination of a paper-bag-on-the-head GPS bug and Rogers' headless-chicken routine are less likely in future.


August 04, 2010
· Technology (77 fragments)
· · Journalism (3 more)
· · Security (33 more)
