Wednesday, September 14, 2011

Cell Phone Hackers, Nude Celebrities, and Data Security in the News.

There's been a lot in the news lately about mobile devices and e-mails hacked, and sensitive information being used for nefarious purposes. Just this morning, nude photographs of Scarlett Johansson taken on a mobile device appeared on the internet. (And no, I'm not posting them, or a link where to find them, that's not what I do here.) The whole affair got me thinking about online privacy, people being tech-savvy (or not,) and how that is changing our daily lives. There are risks and bits of conventional wisdom concerning them that plain did not exist a decade ago, and many of the safeguards people use are less effective than a cheap lock on your front door. We've got major media outlets being prosecuted for using hackers for journalism, and the FBI tracing hackers who hoard and leak pictures of famous people in intimate moments and compromising positions.

The latest target of mobile hacking, resulting in embarrassing photos made public.

The controversy erupted pretty early this morning as the photographs of Ms. Johansson were first leaked to celebrity websites and soon made their way out to larger and more popular sites such as reddit. I'm not going to climb on a high horse here. I looked immediately, and didn't even think of implications of the leaked photos for a good long time. The involvement of the FBI and someone noticing that the wallpaper in one of the pictures matched the photographs taken of one of the star's homes seemed to confirm the authenticity of the shots. Months ago, a group of hackers claimed to have infiltrated the mobile phones and e-mail accounts of a number of celebrities and claimed they had nudes that they would slowly release "when they felt like it." At the time, the reports weren't taken particularly seriously, but their claims were, at least in this case, true.

Let me start by saying that this sort of behavior is obviously an invasion of privacy, and the cautions I'll go into regarding this sort of situation are in no way meant to imply that the targets deserved their private information copied and distributed without their consent. I don't think "you should lock your doors" equates to "if you don't lock your doors, it is ethically okay to break into your home." Today's news isn't the first time pictures have been taken off of a computer or phone and distributed on the internet, as Paris Hilton, Jessica Alba, Blake Lively and Vanessa Hudgens have been targetted for this sort of activity in the past. Pictures all of those young women would rather not have been made publicly available have popped up on the internet. News of the World found itself in serious legal trouble over the hacking of murder victim Milly Dowler's cell phone and unauthorized accessing of her voicemails.

This is not a secure device. Smartphones are like flimsy doors with toy locks to hackers.

What does all this tell us? Something the tech savvy could have told anyone who cared to ask years ago. Email, digital storage, cell phones connected to a network... none of these things are secure. The best solutions we've come up with for securing our privacy online typically prove more effective in keeping us out of our own accounts when we forget a password, than they are at keeping out someone who wants into our data badly enough, as illustrated by this comic at XKCD. It is reasonable, given the near total failure of data security measures against those determined to beat them, that the only way to secure personal data up to and including nude pictures is to make sure that files containing them are not stored digitally at all. Any attractive woman taking racy pictures using a digital camera or cell phone must assume those pictures will get out, as more than one schoolteacher can attest to.

If password protection isn't effective in securing our privacy, then what is? For the people who aren't tech-geeks, awareness that these things aren't foolproof helps. Treat your devices with digital storage with the same care that you give physical property. If you leave packaging for expensive new electronics at the side of the road for garbage pickup, don't secure doors and leave home for an extended period of time, the risk of a break-in is much greater. Even if you take precautions, if someone wants into your home badly enough, they will likely be able to get in. Awareness that pictures, e-mail accounts and the like are no different should help theaverage person take greater care with that information, securing it against casual intrusion and copying of your data. For those with particular risk, encryption, while not 100% secure, should be used to safeguard sensitive information.

There is no way to be 100% secure with private information, unless it is not stored
or transmitted digitally at all, something that becomes harder to do as the years pass.

Items like provocative photographs of famous people on devices with as little security as a mobile phone, or sent through unencrypted email is likely to be accessed. It is the equivalent of having a very expensive stereo system in a car parked in a rough neighborhood with the windows down. It doesn't matter that the doors are locked or that potential thieves don't have your keys. For those who know how, it is a trivial matter to get at your property. If I had information that I wanted to keep secure, that could hurt or embarass me or people I care about if it got out, I'd have to treat it like my property in the real world. I don't leave things in my car, where a broken window allows a curious thief to go through my property to see if it is worth stealing. This doesn't excuse the behavior of thieves who go around smashing the windows of people who don't take precautions, but I'd rather take sensible steps to limit my risk.

Security experts are working on the essential difficulty in balancing effective methods of protection against making those methods easy to use. One of the more interesting advances is the authenticator used for securing World of Warcraft accounts. Users can order a keychain device or download a mobile application to generate a random code that must be input when trying to access an account. This increased level of security means that an account thief would need access to their target's authenticator or phone in addition to username and password, or else a much more sophisticated method of bypassing the authentication would be necessary for unauthorized access. Overnight, account theft associated with those accounts protected by an authenticator dropped to almost nil. I'd like to see how this sort of security thinking could be applied to protecting other sensitive data, even if it does mean that my curiosity regarding what a starlet looks like naked must go unsatisfied.

3 comments:

  1. woke up to the news of the leaked pics. it was a pleasant morning. :)

    ReplyDelete
  2. Having a mobile device is a lot riskier than people think.

    ReplyDelete
  3. I find putting my confidential details in my blog fairly secure. A bit like leaving things on the front door step with a big sign saying free to a good home....

    ReplyDelete