Who do you trust?

Another week, another high-profile hack. This week it was (checks notes) Reddit. What makes this one marginally more interesting is that the victims were using two-factor authentication, i.e. SMS codes texted to them to verify their identities when their accounts were accessed — which turned out to be little more than a speed bump for the attackers.

This surprised exactly zero (good) security people. It has long been known that your phone service can be hacked either via SS7, the ancient and insecure system used to interconnect the planet’s phone networks, or by the more old-fashioned but even more effective method of walking into a store and talking a callow undertrained clerk into transferring your number to the attacker’s phone. Phone companies are trying to remediate both of these attack vectors, but you can’t trust them to protect you; not yet, and possibly not ever.

But you have to trust someone to protect all the things you hide behind passwords. You have no real choice but to implicitly trust your network, and your phone’s manufacturer, and the manufacturer of its baseband chip, and the whole basic stack from your BIOS to your browser.

You can choose Apple over Android, or Pixel over third-party Androids. But whichever choice you make, you are basically pledging your trust in all that you hold dear to Apple or Google. It’s sad to say, in an era when the tech giants are already too powerful and growing more so every day, but from a security perspective, that is, for most people, probably currently the right thing to do.

Google’s security team is probably the best on the block, and its Pixel phones are more secure than other Androids, partly because they get the latest updates first, partly because they’re free of possibly vulnerable or even malicious pre-installed bloatware. I don’t like Apple’s hegemonic attitude towards software, philosophically; but its security people know what they are doing, and its strict gatekeeping of its App Store has very real security benefits.

But wait: this trust in those twin giants probably needs to extend beyond your phones to your computers and your emails, too. We’ve all been told again and again: don’t open email attachments. They’re not safe. And we are all told again and again, probably on a daily basis, by our family and/or co-workers, who may or may not have just been hacked themselves: open this email attachment, it’s something important you need to deal with right now. How to deal with this conundrum? The answer is, essentially: Gmail, Google Docs, and Google Drive, on an Apple device or a Chromebook.

The new new security message is: “don’t use SMS authentication.” (Mind you, most Americans have never even heard of two-factor authentication full stop, and SMS two-factor is still better than one-factor, modulo the false sense of security it may instill.) What to do instead? Well, you could buy a YubiKey or a SecurID token, which is insanely, ludicrously, non-starter inconvenient for most people. Or you could use a phone app, such as, most commonly — yep, you guessed it: Google Authenticator.

Over the last few decades the tech industry has built systems so fundamentally insecure, so rotten to their core, that we now have no real choice but to trust its largest and most powerful companies to protect us. I’m all too aware of the grim irony. (Though in fairness the telecom industry has much to answer for too.) Things weren’t supposed to be this way; things didn’t have to be this way; but here we are.