Open Letter to Apple – Why Have You Forsaken Me?

Dear Apple,

Your new MacBook Pros rock… the screen alone is just like moving from black and white to colour, and with the Air-like instant on, solid state disk and all round grooviness I nearly sold a kidney there and then (thank goodness the market in kidneys crashed; this could have been a very different letter).

And then, I saw it. Or more accurately I didn’t. The lozenge-shaped hole of hope, that sliver of sanity, the goddam lock lead hole… It wasn’t there; in fact I looked again and it still isn’t there!

WTF Apple? What kind of insane douchebaggery is this?

You have striven and toiled and driven to be accepted into the enterprise. You have integrated with Microsoft Exchange, AD and even licensed ActiveSync for the iPhone. You have built full disk encryption into your OS(X), allowed corporate Microsoft into your walled garden and introduced Employee Purchase Programs. In fact, you sounded like my hip godfather; all grown up and wise and everything, and yet still somewhat cool and groovy.

I even use a MacBook Pro at work for goodness sake! You make ME look cool and hipster-like, and THAT is hard work I can tell you…

I tell people about how much more stable OSX is, how much more consistent the hardware is and how much more intuitive the interface is. Sure, your enterprise hardware support isn’t as good as say HP’s and Lenovo’s, but it is good enough, and at a pinch I just wander up to Oxford Street and chat to a Genius and they fix it anyway.

And then you announce the retina display, and all the other coolness that goes along with the new MacBooks; everyone in the office is talking about how they need one, their work and productivity depend on it, and you know what?… I ignored them because I needed one and my productivity suddenly depended on one as well…

And when I didn’t see that hole of hope, I think I died a little inside, and not just because I couldn’t lock my laptop up now, but because I will never be able to lock it in the future. This is obviously a design decision, one that was actually thought out, not just forgotten.

I have fought and fought to get my people to understand the importance of basic DLP, that is, lock your frickin laptop up, and your data will not literally walk out of the door. And in one fell swoop, you have told all of my MacBook users that it’s OK not to have a laptop lock. “If Apple don’t think it is important, why should I listen to you?”.

Godammit.

I now have to fight for extra budget for a case that screws into the chassis of the laptop that I can lock a lead to (ugly) or pieces of metal to slip between the hinge for the lock lead to attach to (screen crunchingly efficient) to get a basic security control in place. And I bet the answer will be “no” – these new Macs are expensive enough, we have encryption, why bother? Ummm, downtime, productivity, overhead of security incident reporting, cost of hardware replacement and just generally lax security practices (or “risk homeostasis” – a topic of a forthcoming presentation).

You have two choices: either reintroduce said hole, or introduce a security device for these laptops so amazingly designed and fabulous looking that I will spill £50 of my own money to buy one.

Do you dare to “think different” in this regard…

Yours sincerely,

Thom “lockless” Langford


The Simple Things – The Screensaver Lock

The principle behind the screensaver lock is that you build a fail-safe into your computer should you walk off leaving it unlocked (that is what we all do anyway, right?). The normal timing is somewhere between ten and fifteen minutes, and is more often than not enforced in organisations with an Active Directory policy or similar. In principle therefore, whenever your screensaver activates it requires a password to unlock the screen when you return.

It is worth noting that any mobile device such as a tablet or smartphone should also have this feature enabled, although it can also be activated by switching the device off if required.

In the BYOS world of course this simply needs to be something you ensure is in place on your own computer, and the timing set to something that works for you – mine is fifteen minutes, and is harmonised into the energy saving and general computer power saving timings.

There are and will remain many objections to this kind of security control, but they can be boiled down into one of three:

1 – Presentations. I have heard on many occasions that the screensaver will kick in during a presentation, and I have some sympathy with this. I haven’t had it happen to me with a Mac (although I tend not to stay on one slide without any kind of mouse click or animation!). This can have two effects of course; either tell the audience that there are additional security controls employed by this company, or that the presenter is an amateur who can’t manage their computer during an important thing like this presentation.

This is challenging to fix – you can’t disable the lock for all who do presentations as that would expose a huge number of computers. And you can’t allow people to disable the lock themselves as it is very likely a large proportion will not re-enable the lock.

The solution in my opinion is to allow by policy the disabling of the screensaver for a fixed period of time, say two hours before it gets automatically re-enabled. I am not sure if this can be managed through standard AD policies or not, but it would certainly address this particular opposition.

2 – Servers and accounts. In many cases where people have sandbox environments or the like under their desks there are many requests to disable the screensaver because of batch files that run in the foreground. In every case I have observed to date this is simply because of sloppy or inexperienced implementation of the batch file. When the batch files or executables are converted to run as a service they can run very happily with the screensaver enabled.

Except in very rare circumstances this is not a reason to disable the screensaver lock.

3 – Finally there is the group of people who simply don’t like being told! This is where education, awareness and some good old fashioned face to face communication comes into its own!

Nonetheless, whatever the objection, anyone with an ounce of concern for security should consider this control on any device in a BYOD environment, and perhaps more importantly on any mobile device.
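As an added example that is not part of the original post, this shell script implements the time-boxed exemption proposed above for the presentation objection on the author's own platform, a Mac: it disables the screensaver, caps the exemption at two hours, and re-enables it automatically so a forgotten exemption cannot become permanent. It assumes a macOS version where the screensaver timeout lives in the com.apple.screensaver preference domain as the idleTime key (read and written with the `defaults` tool); the function names and the two-hour cap are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): time-boxed "presentation mode"
# for macOS. Assumes `defaults` and the com.apple.screensaver domain, where
# idleTime holds the screensaver timeout in seconds (0 = never).

MAX_HOURS=2                 # policy cap on any exemption (assumed value)
DOMAIN=com.apple.screensaver

# Clamp the requested exemption to the policy cap and return it in seconds.
# Empty, non-numeric, zero or oversized requests all get the cap, never an
# open-ended exemption.
exemption_seconds() {
    hours=$1
    case "$hours" in
        ''|*[!0-9]*) hours=$MAX_HOURS ;;
    esac
    if [ "$hours" -gt "$MAX_HOURS" ] || [ "$hours" -eq 0 ]; then
        hours=$MAX_HOURS
    fi
    echo $((hours * 3600))
}

# Current timeout to restore later; if the key is unset or already 0, fall
# back to 15 minutes (the author's setting) so the restore always re-arms
# the lock instead of re-applying "never".
current_idle_time() {
    t=$(defaults -currentHost read "$DOMAIN" idleTime 2>/dev/null || true)
    case "$t" in
        ''|0|*[!0-9]*) t=900 ;;
    esac
    echo "$t"
}

# Disable the saver now and schedule the restore in a detached background
# job, so closing the terminal window does not cancel the fail-safe.
presentation_mode() {
    secs=$(exemption_seconds "$1")
    restore=$(current_idle_time)
    defaults -currentHost write "$DOMAIN" idleTime -int 0
    nohup sh -c "sleep $secs; defaults -currentHost write $DOMAIN idleTime -int $restore" \
        >/dev/null 2>&1 &
    echo "screensaver off for $((secs / 60)) min; idleTime=$restore restored afterwards"
}

# Usage: sh presentation_mode.sh --start [hours]
if [ "${1:-}" = "--start" ]; then
    presentation_mode "${2:-}"
fi
```

The policy-side check remains that the exemption is only granted for a bounded window; the background restore is the technical fail-safe that re-arms the lock without relying on the presenter remembering to do so.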


Book Review – The Cloud Security Rules

I wrote a pre-emptive review on Amazon some time ago for this book based upon an advance copy I was fortunate enough to receive. Since then there has been a revision of a number of chapters, and I have therefore had a chance to read the book again, including the revisions, and decided to post another more accurate review.

(Once I work out how to update my original post on Amazon I will do so).

As one reviewer on Amazon wrote, the book is like a series of disjointed blog articles. To my mind this is both a strength and possible weakness. The weakness being just what it says; sometimes the different writing styles and approaches, as well as the chapter changes can be a little jarring as you mentally shift gears from one chapter to another.

That said, I have long realised that books like this, written for large complex subjects, are not exactly meant to be read as novels! And this is where this book’s strength comes out. The contributing authors (at least the ones I recognise) are well respected experts in their fields and can therefore provide best of breed advice and guidance on their relevant areas.

The ability to either dip in and out at random and learn something, or even to search for a particular topic that you need advice on is the book’s greatest strength. Want to know how ISO27001 can help you? Chapter/Rule 9. Is free really free in the cloud? Chapter/Rule 25. How about the effective approaches to risk management? Chapter/Rule 6.

This book is not the definitive piece on technology and security in the cloud (does that book even exist?), but it is an effective and simple approach to a large and complex subject that in many cases will stop many traditional IT and security managers in their tracks. It may not even answer all of your questions, but it will definitely ensure you know what questions to ask, and that in itself is the most important lesson.

Score: 4 out of 5


More Thoughts on BSides London 2012

A very quick post to spotlight the excellent talking heads reel posted recently by Javvad. Given I will very shortly be posting the video of my presentation from there I won’t waste space going over the excellent event again, suffice to say the devilishly handsome chap at 0:35 and 2:37 sums it up nicely!


BSidesLondon – Woot Woot!

What a marvellous couple of days I have just had; Tuesday at InfoSec Europe in Earls Court followed by BSidesLondon in The Barbican on Wednesday. While InfoSec was good, and I enjoyed not only the wide variety of stands, prizes, swag and educational events, it is and will always be a trade show. I always feel I am one tiny eye contact away from signing up to 1000 licenses of a product I never knew I needed.

BSidesLondon however was an entirely different event. This was the first BSides event I have attended anywhere, and its reputation as an edgier, grittier and slightly geekier type of conference (or at least that is what I picked up on) was entirely unjustified. What I experienced was an extremely high quality of talks, great organisation, interesting activities, engaging workshops and above all a broad, eclectic mix of information security professionals. To be honest, I was somewhat concerned that my professional background in governance, risk and compliance was going to be entirely misaligned, but I was encouraged to attend by a colleague in our Boston office. How mistaken I was!

I should have guessed really when a talk I submitted was voted for by the attendees (An Anatomy of a Risk Assessment) – I explicitly stated it wasn’t technical, or even focussed on a given standard, but rather a more social/human experience of risk assessments. Whilst I didn’t exactly fill the auditorium to the gunwales, I estimate there were about seventy people attending. I also had some great questions at the end and a stream of conversations and compliments throughout the rest of the day. I even managed a few more Twitter followers!

(On that last point, I think I really am going to have to pull my finger out now and start providing some real value on Twitter, and especially this blog!)

The “Crew”, a team of people entirely made up of volunteers who gave up their full day to support the event (and miss out on all of the great activities as well), did a phenomenal job in both setting it up and managing it. I was able to thank a few of them in the bar at the after party, but I know I missed a few; to all of you, Thank You!

If pushed to, there would be a few things I would change; please understand this is by no means a criticism of any aspect of this year’s event, but rather a desire to see a cycle of continual improvement!

1. Make it a two day event. I would hope this would encourage more volunteers who could do a half day stint at a time. This would mean that volunteers would not miss out on the excellent content. (I heard many times “I haven’t been able to see a single talk all day”)

2. Charge a nominal fee. By nominal I mean £50 for two days (£25 for students/concessions etc of course. That is only a night or two of beer for an average student and they will more than make up for it at the after parties!). This would ensure people actually turn up – I saw a lot of unclaimed name badges at the reception which is a massive shame given the clamour for tickets. One day tickets could be suitably priced at £30 and £15. This would also take the pressure off the organisers for the basics like T-shirts, lunch, booking fees etc and the (excellent) sponsors can focus on the value-add stuff.

3. Increase the numbers. I know smaller events have a niche value and connect with the community more effectively, but I think a third track format could easily be accommodated next year as the reputation of this event will only improve and numbers wanting to attend will increase. There is a balance to be had, but pushing to 500 or 600 is still viable in my humble opinion.

All that said, even if everything stayed the same I will still be attending next year, and hopefully speaking again. Congratulations to all involved, what an amazing event. It’s barely been two days and I am already looking forward to next year’s!