Newsletter 01/23/2022
And the Other Branches of Government Chime In

The vulnerabilities exposed by Log4j were apparently a wake-up call for
governments the world over. The United Kingdom has been the most
aggressive in its cyber-security initiatives.
The government has proposed introducing new laws to ensure that
firms who provide essential digital services follow strict
cyber-security duties, with large fines for non-compliance.
The government in the UK has discovered that unpatched software with
known vulnerabilities, and especially open source software, is a threat
to both its economy and national security. The government proposes to
expand its regulatory scope to include "Managed Service Providers (MSPs)
which provide specialised online and digital services. MSPs include
security services, workplace services and IT outsourcing, which often
have privileged access to their clients' networks and systems." This
move against MSPs in the UK comes in the wake of the Log4j attack on the
global HR contractor Kronos. The UK is serious about enforcement, too.
"Organisations which fail to put in place effective cyber-security
measures can be fined as much as £17m."

Into the fray of software security enters the United States Congress,
with the proposed Open App Markets Act (SIL21995). As the newly formed
Chamber of Progress noted in a statement about SIL21995: "I don't see
any consumers marching in Washington demanding that Congress make their
smartphones dumber. And Congress has better things to do than intervene
in a multi-million dollar dispute between businesses."
It
should be noted that Chamber of Progress CEO, Adam Kovacevich,
was formerly a longtime Google lobbyist.
A Covered Company that controls the operating system or
operating system configuration on which its App Store operates shall
allow and provide the readily accessible means for users of that
operating system to—
The purpose of the bill is to "tear down coercive anticompetitive walls
in the app economy, giving consumers more choices and smaller startup
tech companies a fighting chance." Similar legislation is pending in
Europe in the "Digital Markets Act."

"The best practices identified for mitigating threats from vulnerable
apps are relevant to malicious and privacy invasive apps. Additionally,
users should avoid (and enterprises should prohibit on their devices)
sideloading of apps and the use of unauthorized app stores."

And, channeling my best George Putnam, "And in this reporter's opinion,"
not much has changed since DHS made the above statement in 2017; indeed
the situation is now far worse.

Apple uses the example of the Google Play Store, which does allow for
sideloading, to make its point. Apple quoted a study made by Nokia that
stated:

Android smartphones are the most common mobile malware targets and have
recently had between 15 and 47 times more infections from malicious
software than iPhone. A study found that 98 percent of mobile malware
targets Android devices. This is closely linked to sideloading: In 2018,
for example, Android devices that installed apps outside Google Play,
the official Android app store, were eight times more likely to be
affected by potentially harmful applications than those that did not.
Furthermore, Apple points out that many Apple users prefer that Apple
continue its opposition to sideloading. Technical issues that will
inevitably arise from sideloading will have negative impacts on those
Apple customers. Apple CEO Tim Cook put it more succinctly. Allowing the
sideloading of apps "would destroy the security of the iPhone" and "a
lot of the privacy initiatives that we've built into the App Store."

Contributing to this openness and choice, we also give developers more
ways to interact with their customers compared to other operating
systems. For example, Google Play allows developers to communicate with
their customers outside the app about subscription offers or a
lower-cost offering on a rival app store or the developer's website.

Samsung has summarized the logical argument against sideloading with the
simple statement: "Obviously, sideloading apps comes with a huge
security risk, and an even bigger risk for Android 7 and earlier."
Samsung furthers its position against sideloading by stating that "most
users have no real need to sideload unapproved apps."

Another detailed statement opposing the legislation comes from the
Information Technology and Innovation Foundation. This group sees the
legislation as a threat to the US and world economies:

This bill aims to promote competition, namely, to "reduce gatekeeper
power in the app economy, increase choice, improve quality, and reduce
costs for consumers." Yet it will achieve none of its stated objectives.
On the contrary, the bill will i) damage the app economy, ii) decrease
choice, iii) decrease quality, and iv) increase costs for consumers.
The problem with legislation such as that discussed herein is that the
proposals are all based on a lack of understanding of the unique power
inherent in today's computers and networks.
Laissez-faire does not apply here. Society
does not allow any weekend warrior to build a nuclear reactor in their
garage. The fallout from an "oops" could be devastating.
Likewise, because telephone access and electrical power generation have
become essential life-supporting services, societies have determined
that these two industries cannot be considered mere commodities and
require regulation to the benefit of the greatest number of members of
that society. The computer industry as a whole should be
considered an essential life-supporting service, and thus subject to
government regulations. But until legislatures become more
enlightened about the dangers inherent in opening up application
development to any Tom's Hairy Dick, and show some understanding of the
concept of there IS ONLY ONE NETWORK, it is to the
greater good that we leave application development and distribution to
the vendors and their experts. It is in the interest of Google and Apple and their
customers to keep their applications and websites free of malware.
A man found guilty of using the Coinhive cryptojacking script to
mine Monero on users' PCs while they browsed the web has been cleared by
Japan's Supreme Court on the grounds that crypto mining software is not
malware.
In 2018,
Brian Krebs reported, "Multiple security
firms recently identified cryptocurrency mining service Coinhive as the
top malicious threat to Web users, thanks to the tendency for Coinhive’s
computer code to be used on hacked Web sites to steal the processing
power of its visitors’ devices."
¯\_(ツ)_/¯