By Jesse Schooff
February 28, 2017
When Government is an Adversary of IT Security
Never Share Your Password.
Those four words fall into place for me like stone bricks — a system administrator’s mantra. In an ideal world, IT doesn’t know your password, and encourages you to never share it with anyone. Never Ever Share Your Password, intones an article on NC State University’s IT website. “Sharing your World of Warcraft account can compromise its security!” players are warned as they log into the game. “We’ll never send you messages asking you to provide us with your login information,” says your bank.
This is decades of IT security culture in action — a valiant attempt by sysadmins to inoculate their users against ransomware attacks, bank fraud, or even someone using their co-worker’s workstation to do something nasty. The message doesn’t always take (users still get tricked from time to time) but whenever I hear someone respond, “But they tell you not to share your password?” I feel a warm glow in my chest.
Unfortunately, it increasingly feels that governments and law enforcement are working against IT security best practices to advance an agenda of mass surveillance.
This year, U.S. Customs and Border Protection (CBP) has begun demanding that users hand over their device passcodes and social media passwords. This effort thus far has, somewhat predictably, focused on persons perceived as being of Middle Eastern origin, as well as certain journalists. The issue came to a crescendo when a NASA scientist returning from an engineering competition abroad was forced to hand over the passcode to his work phone, potentially putting sensitive data from the Jet Propulsion Laboratory into the hands of border officials.
Of course, all of this has troubling privacy and civil liberties implications, but as a sysadmin, I’m also professionally annoyed that governments are trying to undo the user-grooming that IT professionals have worked so hard to cultivate. Users should hesitate whenever someone asks for their password, rather than naturally acquiescing to perceived authority.
Furthermore, this issue dovetails (horrifically) with law enforcement and governments’ strident campaign against encryption technologies. Law enforcement frequently complains about encryption being a barrier to lawful search. That’s a somewhat dubious claim, but the plainest fact is that encryption is the best tool IT has for keeping systems secure and users safe. As a technology, encryption either works properly or it doesn’t. The magical unicorn of “encryption that stops working when a policeman holds up a badge” simply isn’t feasible in reality.
In a world where users are increasingly the victims of hacks and scams, compromising users’ security and reinforcing bad habits is movement in the wrong direction. In the long run, cannibalizing the public’s digital security and privacy in the name of public safety will be zero-sum progress.
Jesse Schooff is a Volunteer Content Creator for OpenMedia. Born in Toronto and raised in Vancouver, Jesse studied music composition at UBC. For the past 13 years he has been the systems administrator and IT help desk for a small Canadian company. He has a lifelong passion for politics and technology, and is a vocal advocate of tech security, digital rights, and the open internet. You can read more of his stuff on his blog at GeekMan.ca