I fried my BlackBerry Tour yesterday updating it to the new OS. I tried hacking it myself, but couldn’t, so shamefully I called Verizon technical support. Their solution, after 30 seconds of script-based troubleshooting, was to send me a new BlackBerry. Although that was tempting, I was approaching a full-blown I-don’t-have-instantaneous-mobile-access-to-everything panic attack, so I refused their solution, whereupon they bumped me up to second-level support, who unsuccessfully spent 30 minutes on script-based support until finally getting me to RIM itself, where I went through 2 levels of support before finally getting the problem fixed.
Whew. We ended up wiping the device and starting fresh with the new OS. It actually felt kind of good – like a spring cleanse.
Anyway, today, as I was reinstalling apps, setting up email accounts, and entering my properly complex password over and over, I wondered what effect, if any, the growing popularity of smartphones is having on password complexity. Over the past couple of years I have moved more and more of my online life to my phone – reading articles, BBM, Facebook, Twitter, WordPress updates, etc. But what I find interesting is that many of my online accounts and subscriptions are now “born smartphone,” i.e., I originate and manage them completely on my BlackBerry.
Although I have pretty good password hygiene, the temptation to choose simpler passwords that are easily typeable on my BlackBerry keyboard is great (one exception is a password that I type dozens of times a day: if you ever find my BlackBerry, the unlock password is “ooop”). Typing capitals, symbols, and numbers in a password is a pain in the butt on a smartphone – and that is on a device lauded for its keyboard.
What are others who have less of an information security background or less usable keyboards doing? If someone can guess Obama’s Twitter password, what chance do people without a Secret Service living in their house have?
So, what do you think? Are smartphones a threat to password complexity, and thus to information security overall?
Some eye-opening stuff from presenters at the Raytheon Cyberstrategies seminar that I spoke at today. Richard Stiennon was impressive with his personal stories about some of the most notable “cyber warfare” events of the past couple of years, including the debacles in Georgia and Estonia, and of course the latest developments in the Google/China story. One of the minor points of Richard’s presentation (but one I found fascinating) was that cyber warfare is “asymmetrical,” i.e., the cost of mounting an attack is trivial whereas the cost of defending against an attack is monumental. The term asymmetrical warfare entered most people’s vocabularies (including mine) post-9/11 to describe terrorist vs. military conflict, but I had never connected the dots from the physical to the virtual world.
Mike Theis gave one of the more insightful presentations I have seen around security pitfalls and strategies for social networking tools. Although the temptation for many organizations – especially those that are the most security sensitive – may be strong to simply block these technologies, they are missing out on the tremendous value they can provide. Mike pointed to three fundamentals for tackling this issue: 1) getting better at judging trustworthiness in the digital world, 2) making sure that the controls we have over information access are properly tuned and tailored, and 3) ensuring that we have the ability to adequately monitor what is happening inside our own institutions.
I think my presentation was a good fit. I focused on how we can create and manage information in a trustworthy way. I talked about some recent developments that demonstrate that this challenge is only getting more difficult and complex, and laid out my thinking on a strategy for tackling this problem.
I don’t use PPT slides as a teleprompter, so I’m not really sure that the slides have much value without the audio, but perhaps you might find some value in them. I’ve embedded it below.