Nokia is gone. So is mobile security.

The recent acquisition of Nokia by Microsoft stirred up investors and Nokia fans. But, the question goes, what does it have to do with security? (Not) Surprisingly, a lot.

Working in security makes people slightly paranoid over time, that is a fact. On the one hand, without being suspicious of everything and checking all strangeness you would not get far, so that makes you extra attentive to possible security issues. On the other hand, witnessing how everything around us turns from impenetrable walls into a Swiss cheese variety when poked makes you doubt every security statement on the planet. Looking at Microsoft buying Nokia, I cannot resist putting my security hat on.

So what does the acquisition of Nokia by Microsoft bring us on a large scale of things? You remember, of course, that some governments, and in particular the USA, listen to all our conversations on the Internet and collect all possible information about us, right? Okay, for those who forgot, I will remind you that Microsoft, Google and Apple are on the list of companies sharing information with the NSA. Just keep in mind it is likely not limited to the NSA and the USA; other governments are not likely to refuse the temptation.

Nokia was not on the list. And I will hazard a guess that the Finnish company refused cooperation with NSA. That means people who have the good old Nokia phones are probably more safe from surveillance compared to people with those Microsoft, Google and Apple phones. We can probably assume that it was not exciting for NSA and the like to know that (5 years ago) half of the people with mobile phones will not be under surveillance. I can imagine they were rather disappointed. I would not be surprised if they lent a hand to Microsoft in the plan to acquire Nokia or even orchestrated the whole thing.

Now, Nokia is Microsoft. What does it mean? There is no phone any longer that is not under surveillance. Think of any mobile phone, it is going to be Microsoft, Google or Apple, committed to collaborating with NSA on surveillance. There is no alternative.

We still can use our good old mobile phones, of course (and I do). Telephone networks change though, new protocols come into play, old ones are phased out. In time, the good old phones will simply stop working. And this process can be accelerated if desired. There will be no choice.

I really wonder about Blackberry now …

On the utility of technical security

It is often said that the system is only as strong as the weakest link. When you have good security and strong passwords, the weakest link will be the human. As has always been. Think of how the system can be recovered from a breach when the problem is not technical but human.

Video: http://youtu.be/W50L4UPfWsg

Quantitative analysis of faults shows that…

Not to worry, we are not going to get overly scientific here. I happened across this extremely interesting paper called “Quantitative analysis of faults and failures in a complex software system” published by Norman Fenton and Niclas Ohlsson in ye good old year 2000. The paper is very much worth a read, so if you have the patience I recommend you read it and draw your own conclusions. For the impatient I present my own conclusions that I draw from reading the paper.

The gentlemen have done a pretty interesting piece of research that coincides well with my own observations of software development in various companies and countries. They worked with a large software base of a large company to investigate a couple of pretty simple theorems that most people take for granted. The research is about general software faults but the security faults are also software faults so this is all relevant anyway.

First, their object of investigation concerned the relationship between the number of faults in the modules of the software system and the size of the modules. It turns out that the software faults are concentrated in a few modules and not scattered uniformly throughout the system as one may have expected. That coincides very well with the idea that the developers are of different quality and experience and the modules written by different people will feature different levels of code quality.

Then, the finding that confirms my experience but contradicts what I hear quite often from managers and coders alike at all levels: the complexity of the code does not have any relation to the number of faults in that module. The more complex (and larger) code does not automatically beget more faults. It is again down to the people who wrote the code whether the code is going to be higher or lower in quality.

And then we come to a very interesting investigation. Apparently, there is strong evidence that (a) software written in similar environments will have similar quality and (b) the software quality does not improve with time. You see, the developers do not become better at it. If they sucked at the beginning, they still suck ten years later. If they were brilliant to start with, you will get great code from day one. I am exaggerating but basically that is how it works. Great stuff, right?

So, the summary of the story is that if you want to have good code – get good developers. There is simply no other way. Good developers will handle high complexity and keep up the good work, bad (and cheap) developers will not and will not learn. And no amount of tools will rectify that. End of the story.

Why bother?

Hmm… Good question… Well, let’s get this straightened out before we jump into other interesting subjects. Every single website and application, every single computer system gets broken into. For fun, money, fame, accidentally. This is just the way it is and I have to accept this as the current reality. I may not like it but who cares about that?

Whether you are a large corporation or a student writing the first website, your system will get broken into. If your system has been around for a while, it was already broken into. My not-so-extremely-popular website was broken into already three times (that I know of) and I am not ashamed to admit it. Denial is futile. Take it as inevitable.

There is even a line of thought nowadays with some of the security people that we should not bother to concentrate so much on trying to protect things for we can’t prevent break-ins anyway. They say we should concentrate on detecting and containing the damage from break-ins. Ah, bollocks. We have to do both. Do not give up your defenses just because you know they will be eventually breached. But be prepared.

What I really want to say is that when you make a computer system, be it a website, corporate network, smart card or anything else, you have no choice. Thinking that security is somebody else’s problem is extremely common, second only to not thinking about security at all, and usually disastrous in a not-so-distant future. Don’t be like that. Come to the good side, protect your system, think of security long and hard, apply the Hash and the Crypto the Right Way™ and your system will run happily ever after (well, at least to the next major breakthrough in cryptography or something).