Our devices all touch the Internet all the time. There are many people on the Internet who are extremely smart and extremely bad and want to steal your money. We need to take security very seriously. The tech community’s writers, both professional and amateur, are doing an inadequate job; arguably guilty of both recklessness and laziness.
Consider two mobile-device security stories that broke recently.
Wallpapergate · I mean the Android Wallpaper Fearfest, nicely summed up in JR Raphael’s The truth about those ‘data-mining’ Android apps and then his excellent post-mortem. This thing splashed all over the Internet, with inflammatory headlines claiming that millions of people’s intimate secrets were being sent to (gasp) China!
So the security folk here at Google investigated it and talked to the developer (see JR’s second piece) and the conclusion is obvious: there was maybe a little there there, but not much.
There was one extremely useful outcome: Nick Kralevich of the Android security team wrote a nice blog piece, Best Practices for Handling Android User Data. If you’re a mobile (not just Android) developer and don’t want to find yourself sitting where that wallpaper guy was, you probably should read that and think hard about what you’re doing.
I’ll omit the names of the people who launched this story and the “reputable” journalistic organizations who ran with it. But there are two things that specifically anger me. First, the initial wave of stories contained these specific numbers, up to and including four million, describing the number of people who’d been affected. These, near as I can tell, were complete science fiction. I like to think when you publish numbers they should mean something and not be just, you know, made up.
Second, the fact that the developer happens to be in China was used as a fear intensifier in a way that was totally ugly and disgraceful. Earth to journalists: there are lots of bad people doing bad things right here in Pacific Time in the northern hemisphere.
The commentariat handled this one in a more grown-up way. Maybe too grown-up — I saw some argument that they should have been a little shriller. I can see the point; at any given time, a certain proportion of iOS users are going to be traversing the darker corners of the Net and, well, maybe they just shouldn’t be, until that patch hits their portables.
This is not an iOS-vs-Android thing; I don’t think either is much less secure than the other, and I’d be unsurprised if there were equally horrible zero-day vulnerabilities lurking on our side of the fence. But when they turn up, we’re facing the risk that people will just blow warnings off after all the crying wolf over the Wallpaper thing. And alternatively, that we’ll all avoid being “alarmist” while the bad guys pour through the breach in the walls.
Plea · People who write about security issues need to bring up their game a few notches. On one hand, they need to be doing basic journalism: fact-checking, multiple independent sources. On the other, they shouldn’t be frightened of turning up the volume when the population needs to be warned.
These stories really matter; I can think of few that are more important to the online population at large.