Sunday, January 15, 2012

In an Effort to "Protect Us," Big Companies are Making Us More Insecure

One of the provisions of the oft-talked-about SOPA (Stop Online Piracy Act) was (until yesterday, when Lamar Smith was convinced to remove it) DNS editing to prevent access by American ISP subscribers to foreign websites. Essentially, while the US does not have authority to physically remove a foreign site (at least theoretically), it can force US-based ISPs to block the site's domain name in the domain name resolution system, preventing people from accessing "somebadsite.com" and instead forcing them to use the archaic system of IP addresses. One of the biggest warnings from technology and security experts that came out of this provision was that people were going to begin using rogue DNS servers to access their content. News of how to bypass SOPA DNS restrictions would spread like wildfire, and soon, torrent-loving Americans everywhere would be using foreign-based, non-authoritative DNS servers to access content blocked under SOPA. This is a major security risk. It's something I think our elected leaders certainly failed to recognize (at least until recently). But it got me thinking about an entire market of services and applications where people are forced, because of government or big-company regulations, to access the content they want in less-than-secure ways.

Rogue DNS servers are not a terrible problem at the moment. They certainly exist, but due to the current freedom and openness of the web, people are rarely forced to search for or even concern themselves with them. Under SOPA, this would certainly change. But today, millions of people are constantly bypassing security mechanisms elsewhere, and it is having a huge impact on the security of their devices. Think for a moment of smartphones like Android or the iPhone and the Market and App Store that accompany them. Many wireless providers like Verizon, AT&T, and T-Mobile have a fair amount of control over the applications that can be downloaded onto their phones from those app markets. This fact has been highlighted recently as tethering applications are continually yanked from the Market. It's quite clear; the carriers do not want those kinds of applications to be used on their networks. But in reality, do you think the average user looking to use a tethering app is just going to... give up when it can't be found in the Market?

Search Google for "tethering apps" and you will receive millions of hits. Almost every one of those hits includes links to APKs for tethering applications. An APK is the Android version of a .exe: it allows the program to be installed on the device, bypassing the Market. These links usually include instructions on how to "side-load" the application. Side-loading is definitely a useful feature; developers use it constantly and it allows users to install applications otherwise blocked by the carriers. However, therein lies the security risk. The average consumer has no idea what side-loading is; they see it as a necessary step to get an app they want. They have been trained to leave the protection (or quasi-protection) that the Market or App Store provides and instead search for the applications they want elsewhere. In an effort to prevent their customers from accessing blocked content, Verizon, AT&T, and other carriers have just taught their users to download the applications from a less-secure source. Anyone can upload an APK that does anything. If a consumer finds out that by simply jailbreaking his iPhone, he can access all the apps he wants, why wouldn't he, especially when all he has to do these days is visit a single website to auto-jailbreak the device?

This issue extends beyond just phones. People continually visit questionable, foreign-hosted sites to find TV shows, movies, music, etc., all because there is no legal, simple alternative. The RIAA and MPAA have a tight grip on the industry, but that grip is forcing people to turn to piracy and, at the same time, to insecure, often shady websites. The trend has become "if I can't do it legally or through my provider, search Google and blindly follow the instructions." This is bad. We have finally gotten to the point where most people are somewhat aware of banking scams, etc. But tell someone that they can watch the NFL online for free and they'll follow any steps necessary, including downloading malicious programs.

The point here is that such strict regulation by companies like Verizon, AT&T, Universal, etc., not only forces people into piracy, but also into insecure lifestyles, if you will. They are unknowingly trained by these companies to find roundabout ways of getting what they want with little or no thought to the security implications involved. You may not "download a car," but I can guarantee that if you label a virus "car," someone, somewhere will download it.
