panel on secure mobile computing at hotmobile2006
DESCRIPTION
Some thoughts on privacy and security in the context of mobile computing. Presented at HotMobile 2006.TRANSCRIPT
Can We Achieve Secure Mobile Computing Anytime Soon?
Jason I. Hong
WMCSA2006
April 7 2006
My Position
No Secure Mobile Computing Soon
• Lots of important info on mobile devices• Usability issues• Cultural issues• Economic issues
Lots of important info on mobile devices
This was just March 2006
Lots of important info on mobile devices
• More and more devices out there• More and more valuable data and services on
devices– M-Commerce with mobile phones– Browser history and passwords– Unlock doors to home– Paris Hilton photos!!!!
• Observation: More and more incentives for theft– Steal and resell on EBay– Steal and punch through corporate firewalls– Mobile spyware (tracks location, already starting)
Usability Issues
• ~20% of WiFi access points returned– People couldn’t figure out how to make it work
• My guess: ~80% of unsecured WiFi access points– When you are mobile, risk of eavesdroppers
– Computer security too hard to understand, too hard to setup
Usability Issues
• Phishing really really works– Exact numbers hard to find, but LOTS of people fall for them
• Semantic gap between us and everyday users– SSL, certificates, encryption, man-in-the-middle attacks
– But simple phishing is stunningly effective
• Observation: need security models that are invisible (managed by others) or extremely easy to understand
“Civilization advances by extending the number of operations we can perform without thinking about them.” - Alfred North Whitehead
Cultural Issues
• Browser Cookies– Originally meant for maintaining state
– Now a pervasive means for tracking people online
– Embedded in every browser, hard to change
• Observation: Security hard issue to wrap brain around– Hard to assess risk of low-probability event in future
– Adds to cost of development for uncertain benefit
– Thus, often done as an afterthought (ie too late)
Economic Issues
Economic Issues
• Estimated cost of phishing in US is ~$5 billion• Solutions already exist
– Two-factor authentication– Email authentication
• But:– Non-computer scams ~$200 billion– Estimated cost of implementation > $5 billion
• Observation: Many solutions are out there, but: – Need to align needs of various parties (politics)– Need incentives (cost-benefit, law)
• Observation: Scammers getting more sophisticated– Market for scammers (setup + steal, mules, bookkeeping)– “Build it, and scammers will also come”
No Secure Mobile Computing Soon
• Lots of important info on mobile devices• Usability issues• Cultural issues• Economic issues
IEEE Computer, Dec 2005“Minimizing Security Risks in Ubicomp Systems”Invisible Computing Column
Cultural Issues 1
• Algorithm for handling important societal issues in the United States
Wait for disaster to Happen
If (disaster == true) {
willSomeonePleaseThinkOfTheChildren()
legislate() || overreact()
}
Repeat
• Observation: Slow and suboptimal