
Apple’s biggest security threat is you

iCloud faces some tough security issues. Photo: Jim Merithew/Cult of Mac

iCloud passwords and security passwords can be guessed using social networking and various phishing techniques, and complex passwords and two-step verification are not as intuitive as they should be.

In a delightfully complete article over at TidBITS, author Rich Mogul lays out the facts behind the current spate of Apple security problems – most of which boil down to this: People are the weakest link in the chain.

As anyone who’s worked with technology in the past decade can tell you, the thorniest technical challenges aren’t typically those that deal directly with hardware and software. No, in most cases, the toughest things to troubleshoot and fix lie along the human spectrum. System administrators have long known this, coming up with acronyms like PEBCAK and ID-10T errors.

The same goes for security, which in Apple’s case affects an ever-increasing number of people who may not be savvy to the ways of information security.

“Don’t expect human behavior to change. Ever.”

Mogul points out that hundreds of millions of people use Apple gear.

“I don’t know what the iCloud numbers are,” he writes, “but we are talking about a company that just sold 10 million iPhones in a weekend. Security complexity increases exponentially as fringe situations encompass millions of users. With Apple operating on that scale, the rules change.”

At this scale, Mogul says, Apple must tackle the problem of user behavior and malicious attacks upon it in a way that no other company has to. While he praises Messages, FaceTime and iCloud Keychain as brilliant uses of encryption behind the scenes, he also suggests that, in addition to Apple’s well-respected implementation of Touch ID and its equally brilliant Apple Pay system, the company needs to go even further.

Apple should tackle the authentication issue from multiple angles, making it simpler and simpler for most users. Cupertino also needs to use all available tools to boost cloud security, continually updating and adapting techniques and technologies along the way.

What Apple shouldn’t do, says Mogul, is to expect to change user behavior. The technologies around security can and should be used to make sure that us crazy monkeys don’t end up compromising our own informational security.

“My guiding principle as a security professional,” he writes, “is: ‘Don’t expect human behavior to change. Ever.’ No one, not even Apple, is about to eliminate the need for passwords or come up with a single, near-perfect way to protect accounts. Nor can we rely on education or better security habits when hundreds of millions of users are involved.”

Read the full article for some great security-themed insights.

Source: TidBITS


5 responses to “Apple’s biggest security threat is you”

  1. As a Systems Admin for many years, I can agree with this article. The log of PEBCAK and ID-10T errors would be quite long….

  2. Windlasher says:

    TEN YEARS?????

    I was in IT for 25 years so I saw the start of the “public” usage of technology. It still amazes me that after “TEN YEARS” people have not figured out that you don’t click on that link from someone claiming to be your bank; no one in Africa is going to send you a million dollars; and no family needs your confidential information so that you can help them escape repression.

    If I walked up to you on the street and asked for your SSN, you would look at me like I was crazy, yet people click on crap that shows up in their inbox like it’s a trusted friend and confidant.

    We’ve been doing this long enough now that you should know at a minimum, that People suck, and will screw you given 1/2 a chance. I’m sorry, but if you are Paris Hilton and your password is the same as that dumb assed dog you carry around in a purse, YOU DESERVE WHAT YOU GET!

    It’s been long enough, people. Stop being stupid.

  3. James G says:

    I wouldn’t really fault Apple in this case. Short of making two-step authentication a requirement, they’ve done a whole lot.

    Safari and its suggested password feature combined with iCloud Keychain go a long way to reduce friction for their customers to be better about password creation & management. Where it falls short is when site developers don’t follow proper development protocol that breaks these types of services (think about how many forms you’ve tried to “autofill” that break or just don’t work seamlessly).

    Touch ID is another great improvement that is, for the most part, unmatched. Add that layer in to a Mac and then what? Apple can’t change the entire security eco-system but their efforts shouldn’t go unnoticed or underappreciated. Mogul suggests they do MORE but it’s not as if Apple isn’t leading the charge as it is. He should focus on the rest of the industry to make improvements, too.

  4. Michael Superczynski says:

    The same can be said for any system that relies on passwords.

  5. Vasilios KO says:

    Is this officially your opinion about the iPhone users? That they are ID-10T? They are not stupid only when they pay 899 to get the device…. WOW…
