Has it really been ten+ days since I last posted? Ugh. We are in the final few weeks of house-renovation with a target move-in date of “before March 15 or we’re homeless.” Just haven’t been able to summon the focus to write something well, so haven’t been writing at all. The house itself is coming along well – just exhausted from trying to corral all the contingencies in my usual overly-exhaustive fashion.
One thing that has me mulling over the wisdom of installing a NEST thermostat (recently acquired by Google) and 4 of their smoke detectors is the recent Target Credit Card data breach affecting 1/3 (or was it 2/3?) of Americans. What’s the connection? The thieves got in through the HVAC system.
It seems that Target used a contractor to run/monitor their HVAC systems. That contractor was pretty lax about security – apparently using the same password for multiple clients. After all, it’s just the heating and cooling, right? Not like you have to be super paranoid?
Except that the access to the HVAC systems allowed access to Target’s broader corporate network. This is the digital equivalent of forgetting to seal off the vent ducts into your otherwise secure vault. Except you don’t get any fun “Mission Impossible” visuals of Tom Cruise wriggling around criss-crossing laser alarm beams. Just a whole lot of pain and cost visited on the American people (and Target).
There are so many ways to read this. I couldn’t decide on just one narrative path, so I am going to run a short way down a few of the various vectors.
- Security is almost always a human problem, not a technology problem. The security “industry” is always trying to sell you a new box that will solve all your problems. The reality is that the security gaps are almost always the wet squishy human things in the equation. Pace Edward Snowden at the NSA, Target, etc. etc. The economic problem is that there is no money in solving human problems. It is tedious, unrewarding, and prone to failure (with subsequent blame). More profoundly, individual humans don’t like to confront just how fallible humanity is. That would force us to admit our own weaknesses. Far better to keep designing systems that accept the delusion of human competence than to accept that we are incredibly prone to errors, omissions, and mis-judgement.
- Outsourcing’s false economies. I am sure Target has a VP somewhere who got a very nice bonus for proposing the outsourcing of HVAC system management. I am also sure that no-one at an executive level really thought about the possible security implications. I am EXTREMELY sure that anyone who did either didn’t mention it in a meeting, had his/her concerns promptly dismissed, or was simply laughed out of the room. When faced with a tangible near-term benefit and a long-term uncertain risk we humans reliably go for the cookie.
- Should I disable my NESTs? Watch for the same thing to happen on a small scale in “smart homes” starting to spring up among the smart set. I will confess that I haven’t yet read the manual for my brand new flock of Wi-Fi enabled NEST thermostat/smoke detector thingies (They talk. In a very pleasant tone of voice. It’s a bit eerie). I am certain that on page 4 or 5 will be instructions on how to change the default password. I am equally certain that a lot of NEST buyers will fail to actually change the password. Or will change it to something really easy to crack. Of course, those same people also usually fail to change their Wi-Fi passwords, so arguably their network was insecure in the first place. But…
- The power of inertia to sustain clearly behaviors – see “chip and PIN” credit cards: The whole Target breach wouldn’t have happened if the US had “Chip and PIN” credit cards (which have a smartcard and reader that requires a PIN code to authorize a transaction). The rest of the world already has chip and PIN. After being unable to buy gas at the pump in Iceland, I finally searched out and asked for a Chip and PIN card for travel myself. But I had to ask for it.
- The idiocy of the extreme “free marketeer’s” dogma. This is a textbook case of negative externalities and deadweight loss – collective losses caused by lack of individual incentive to act. There is no “free market” mechanism that would prevent things like the Target breach. You could make Target liable for the loss, but that would be “onerous government regulation” with the practical impact of preventing any merchant from accepting credit cards without a blood sample. You could make consumers liable for the losses. That would take us back to carrying stacks of cash and writing checks – a huge efficiency loss for the economy. If you accept that electronic payments are a good thing (gold-bugs may leave the room now), then you need some sort of coherent regulatory system to nudge everyone along toward a more functional, efficient system. The problem is that I just used the now-politically-loaded-nanny-state-word “nudge” so that is probably the end of any productive discussion on this subject.
Anyway. It has been great to get the fingers flying across the keyboard again. Now off for a 2-day odyssey of applying the second coat of interior paint before the stainless steel commercial-kitchen countertop & sink arrive on Friday. Pressure washer arrives next week and I confront the task of painting the house exterior. I’ll post some pictures as things start to gel.