Amazon just announced a new service called Amazon Key, where you install an approved electronic lock and grant the Amazon delivery person one-time access to put your package inside your door.
The responses are witty, humorous, and predictable.
Amazon Key = Nope— Matt Speed (@MatttSpeed) October 25, 2017
And that’s just from the general public. My InfoSec family has reacted with its characteristic, more visceral “Not just no, but hell no” response, and it’s given me the opportunity to comment on something that’s bothered me for a while.
I get that security people are supposed to be cautious. I get that we’re supposed to be wary of risk. But I worry that the community as a whole enjoys saying “no” a bit too much. It’s a curmudgeon fetish.
Making fun of new internet-connected technology is a shibboleth for the infosec in-crowd.
I think the community could benefit from some perspective on this topic, which I tried to capture in Comments on Internet Security from 2076. Here a professor from the future describes the flaw in our thinking at the time.
I mean, the mid-1990s was the most transformative period in human history. We know that now. We get that now. But back then the security experts of the time just saw the technology as unfixable. And they spent all this time “online” together to complain about how dangerous everything was, and how it was all going to hell, how it was completely hopeless. (laughs)
It’s coming. All of it. And nothing we in security or anywhere else can say or do will stop that. Functionality beats security every time. Major safety incidents will slow things down, but not for long. Trying to stop the internet-connected everything is no different than trying to stop mass adoption of cars, or computers, or smartphones.
As security people we should be the ones telling everyone it’ll be ok. We should be giving the perspective of the professor in 2076. Yes, there are thousands of companies doing heroically stupid things with devices on the internet. And yes, it will cause major problems from time to time. But 30 years from now it’ll just be another revolution that changed humanity, just like the ones before it.
A panicked reaction to this rapid change is to be expected from the public, but InfoSec should have more knowledge of history than that. More context. More calmness of mind.
We’re living in the Cambrian explosion of the internet, and witnessing the digitization of the everyday world through the Internet of Things.
But instead of being enthusiastic but cautious technologists—who are excited by the unbelievable possibilities that are arising—we’re joining with the masses and behaving like luddites.
The people need our help making all this insecure garbage work for them, and help making it better. They are demanding the functionality and they will get it. We have to stop being the doctor who cries when they tell us where it hurts.
Someone needs to be strong about this—to have the vision to see the other side of the chaos—and that’s going to have to be us.
Besides, as everyone in InfoSec knows, your front door isn’t secure anyway. Not even a little bit.
Common door locks are wet paper towels that dissolve under the slightest scrutiny. Somebody show me a threat model in which the Amazon system is used to bypass an electronic lock that doesn’t also find it’s far easier to just break a window or pick the lock.
Door locks have not improved much past napkin-level because they haven’t needed to. The people who are supposed to stay out generally do, and the people who want to get in without invitation generally can. Amazon Key does not change this calculus.
So enough with the curmudgeonry. This shit is happening. Full speed. No stops.
Being a luddite in InfoSec is like being a germaphobe in family medicine. It prevents you from leading from the front.
Like it or not, there are a lot of sheep in this world, and there are a lot of wolves and cliffs out there.
We need to be the shepherds.
- And no, that doesn’t mean I (or anyone else) should be installing every nuclear-grade stupid device out there. It means that, as a group, we should embrace and work to secure this change rather than displaying the same fear as the public and rejecting it. Because it’s inevitable.
- Thanks to my anonymous friend for coaxing me into writing this. I wonder if there are others who might share the opinion but be too afraid of backlash to voice it. At 20 years in I have little such fear of conversation with my colleagues.
- @netekives had a brilliant thought about the piece, which was essentially that we should be the ones saying, “Here, I’ll go first, to make sure it’s safe for you.” That’s the attitude we need.