I lounge here writing this, from a veranda overlooking the bustling street in San Ignacio, Belize, that for two days is my home. I was hoping that on my 10-day trip, everything digital would vanish into the ether, leaving only the Caribbean ocean, fry-jacks, all things Marie Sharp's, and a looming hurricane, as items of importance.
Note: Yes, I actually did leave my computer home for 10 days, though I did bring my iPad for looking at maps and for in-transit reading. It did come in handy, admittedly, for this, too.
Tuesday morning my travelling companion and I swapped Instapaper articles in preparation for our long bus ride from Dangriga to San Ignacio. The first article I chose to read was one he’d tipped me off to as interesting & urgent enough for me to break my 5-day long digital-fast.
Mat Honan, a gadget journalist from WiReD, had finally published a long-awaited article about how Amazon and Apple had both enabled a security loophole, through which a savvy hacker had blown open the doors to Honan’s entire digital life—and wholly obliterated it, in a 10-minute security carnival. As of this writing, both companies have taken temporary measures to address the vulnerabilities Honan outlined. Long-term solutions, TBD.
The paramount reason I took interest in the article is that my first Apple cloud account (through their ill-fated MobileMe service) had been relentlessly hacked. I was eventually using dozen-character-long, mixed-case, alphanumeric and unpronounceable passwords; and towards the end, about 2 days was the longest I could go without being hacked.
I finally called Apple Customer Service and told them that I’d been hacked. I received a cordial, scripted apology, and was then presented with next-step recommendations—the first of which being a new password. I politely re-stated what had been happening for the past few months. The rep responded by issuing me the scripted lecture on what makes for a safe password. I used all my patience to re-articulate that in fact I had been using the most secure passwords possible—that the time for name/birthdate combos was ancient history in this fiasco of mine—and, as kindly as I could muster, that the problem was on Apple’s end. Much to my surprise, that was the end of it: nothing else they could do.
I did get a new account issued with a ridiculously long alphanumeric name, and to their credit they did give me an extra year on my new MobileMe account (??)… but as a final peace-of-mind measure, I did want my original account closed: nope. Apple doesn’t do that. I promptly cleared all my data from the account, and ended the call a bit grumpy, and shell-shocked and perplexed. How could this industry pioneer, Apple, fail so miserably at security?! At Yahoo!, at least a case would have been opened and I would have had the gratification of a security engineer at least reviewing my case. Apple just seemed to shrug and pooh-pooh the customer incident—closing my new ticket as “solved,” with the decision-tree endpoint cited as my problem’s resolution. I also felt like a bit of a dummy, having so unquestioningly trusted a big brand because—well, they’re a big brand. It was of some comfort to read Honan confessing his similarly naive attitude in his story.
When I was doing UX at Yahoo!, my last projects included working on stuff with their identity platform, and with the registration/account-creation flow(s). On both projects, one of the most frequent conversations, and the most persistent of conversation-digressions, was security. Working directly on those projects I had some marvelous exposure to the wealth of concerns and exploit-opportunities that exist in protecting private data. I also had the opportunity to see how UX plays a critical role in preventing the Harvard MBAs and the computer scientists from devising security solutions that are pedantically unusable, or more security theater than sensibly protective.
My UX partner and I were able to add a creative problem-solving voice to the conversations, and with everyone’s skills put together, also facilitate collaboration sessions that netted more productive results than banter-y run-around. That experience proved to be very rewarding personally, while also giving me valuable insights into the human cat/mouse game of wit that hacking & data protection so often really is.
After reading Honan’s article, I was floored at the truly labyrinthine wit & perseverance demonstrated by the hackers. They didn’t traverse the usual cryptographic route of cracking algorithms or auto-pinging the servers with repeat password combos; rather, they put on their best Dennis the Menace cap, Bart Simpson slingshot, some hearty endurance and plain stepping-back from the green-screen, and they hacked the process—not the code. The system. Same as Bobby Fischer winning a chess game. The troubling part, however, is that online security isn’t a game, and most of the individual users trusting cloud services with their data just blindly assume that these industry-leading companies—Apple & Amazon, among many—have their game together enough to fully shield them from ever needing to worry.
The only chops it took to crack Mr. Honan’s accounts was a solid dose of teenage boredom bolstered by a healthy desire to rebel.
My travelling companion and I discussed the article after I finished it, both of us in more shock & awe at this than we were at the pending Hurricane Ernesto (that the entire east coast of Belize and the Yucatan Peninsula had been evacuated in anticipation of). Our discussion then shifted to how the problems might get solved; to how many companies are also vulnerable because the exploited patterns are all very basic industry paradigms; to finally realizing that really, with how interconnected everything has become nowadays via cloud systems and the social-network’izing of everything— a far cry from how things were when today’s security paradigms were cultivated—the time is likely now to re-invent the personal data security wheel.
Password/username-based authentication, with password recovery via email, sekrit answers to questions assumed to be core in most people’s life-narratives, and standardized data-points to fall back upon: all of what we’ve known as our entry-point into the myopic web more than likely needs to be tossed with the bathwater and re-thought. Of course, fixes to smarten up today’s systems could easily be devised and implemented. At what point, though, do we draw the line between solid adaptation-oriented updates, and coat-hanger/duct-tape backpedaling fixes that, accumulated over time, forge the entire experience into crap?
The time seems to be now to make some quick, ASAP fixes to existing systems, and as an entire industry—in partnership with our friendly hackers that so delight in beating “the system” for the sole purpose of beating something The Suits believe in—to determine what’s next, how it will work, how to transition, and how it might grow with what little we can predict of future innovation. UX folks, engineering/dev folks, and any MBAs with a healthy sense of snark and minimalist egos, from far and wide: come together please. The only rules: no metrics diatribes or PowerPoint allowed.