A Critical Element in BlackBerry vs. iPhone

Or maybe “Should Be A Critical Element…” Because American business by and large doesn’t really care about security very much.

Thanks to Bruce Schneier we learn that the Indian government is pushing to get the encryption keys to RIM’s BlackBerry system. What this means is that messages sent to BlackBerrys in the field could be decrypted by the Indian government. Strangely, only non-corporate users are at risk for now. (It is less strange than it looks: consumer BlackBerry mail is relayed through RIM’s own infrastructure, while a company running BlackBerry Enterprise Server generates and holds the device encryption key on its own server, so for those users RIM has no key to hand over.)

How long do you think it will be before other governments get the keys in exactly the same way? And how long before some corporate user is thought to be enough of a security concern that corporate users must turn over their keys too?

The reason this matters for BlackBerry vs. iPhone is that the iPhone works differently. It doesn’t pass all messages through a vendor’s server. It behaves like a computer connected to the internet, running a regular email client that talks directly to your mail server. So as soon as someone is allowed to ship an email client that encrypts on the device (S/MIME or PGP, say, with the private key never leaving the phone) we will have secure mobile email, with nothing in the middle holding a key to demand. The caveat is that this protects message bodies, and only when the other end uses it too; who you mail, and when, stays visible to whoever carries the traffic. Apple has released the iPhone SDK, and is expected to unveil third-party applications along with an improved iPhone in June. It might even happen that Apple builds encryption into the mail client itself.

The problem for RIM is that, with its current software, there is no way to keep decryption on the handset alone: consumer messages are decrypted on RIM’s servers on the way through. Bolting on end-to-end encryption after making deals with governments to provide access will be impossible.

So, if you believe in having privacy, and you conduct business overseas, it looks like BlackBerry isn’t the best choice.


Why do companies insist on security risks?

Why do companies insist on making our accounts less secure?

I just tried to log in to Lowes, and got the password wrong and they then asked me the stupid questions that they build into the system to try to avoid having to deal with lost passwords. Idiotic questions like “What was the name of your first pet?” and “Where did you go to high school?” When I’m forced to provide answers to these security risks I usually just enter 30 to 60 characters of gibberish. I figure if for some reason I cannot recover the password I can talk to a human being at the company and regain access that way.

The normal and professional way to handle a lost password is one of:

  1. Email the person’s registered address a one-time, time-limited link that lets them set a new password. This is the most sensible option. It should never email the old password (a site that can do that is storing passwords in recoverable form), and the person should have a way to back out if they know their email account is compromised.
  2. Make them call and talk to a human being, who verifies identity some other way.
  3. Email them a new randomly generated password that must be changed at the first login.
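The first and third options above, as an added example that is not code from the original post or from any site it names. The server stores only a hash of a random reset token together with an expiry, accepts the token exactly once, keeps passwords as salted PBKDF2 digests (so it could not email the old one even if it wanted to), and answers the reset request identically whether or not the account exists. The class and method names and the 15-minute lifetime are assumptions made for illustration.

```python
"""Password-reset flow that never reveals or transmits an existing password.

Added example, not code from the original post. Models option 1 (emailed
one-time reset link) and option 3 (emailed temporary password). The names
and the 15-minute link lifetime are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumed policy: a reset link dies after 15 minutes
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are kept only as salted PBKDF2 digests, so the site is
    # physically unable to "send you your password": it does not have it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable so expiry can be tested
        # username -> (salt, digest, must_change)
        self._users: Dict[str, Tuple[bytes, bytes, bool]] = {}
        # sha256(token) -> (username, expires_at). The raw token is never
        # stored, so a leaked table cannot be replayed as reset links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _token_id(token: str) -> str:
        # The token carries about 192 bits of entropy, so an unsalted SHA-256
        # is a safe lookup key: the digest cannot be turned back into the link.
        return hashlib.sha256(token.encode()).hexdigest()

    def set_password(self, username: str, password: str, must_change: bool = False) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), must_change)

    def verify_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, _ = record
        return hmac.compare_digest(_hash_password(password, salt), digest)

    def must_change_password(self, username: str) -> bool:
        record = self._users.get(username)
        return record is not None and record[2]

    # Option 1: one-time reset link.
    def request_reset(self, username: str) -> Optional[str]:
        """Return the token to embed in the emailed link, or None if there is
        no such account. The web response must look the same in both cases,
        otherwise the reset form doubles as a username enumerator."""
        if username not in self._users:
            return None
        token = secrets.token_urlsafe(24)
        self._pending[self._token_id(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, new_password: str) -> bool:
        """Consume a token and set the password the user chose.

        Returns False for an unknown, already-used or expired token. The
        token is removed on first presentation either way, so a stale link
        cannot be retried later."""
        entry = self._pending.pop(self._token_id(token), None)
        if entry is None:
            return False
        username, expires_at = entry
        if self._clock() > expires_at:
            return False
        self.set_password(username, new_password)
        return True

    # Option 3: emailed temporary password, forced to change at next login.
    def issue_temporary_password(self, username: str) -> str:
        temp = secrets.token_urlsafe(12)
        self.set_password(username, temp, must_change=True)
        return temp
```

Rate limiting of reset requests and the "your password was reset" notification to the old address are left out; both belong in a real deployment.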

Not at Lowes - if you don’t remember what you put down as your high school (I went to two) then you’re screwed. The idiots at Lowes make you re-register. Re-registering is bad enough, but my old account is still out there somewhere.

So, I guess the only sensible thing to do is to treat these stupid questions like a second password prompt, and give each of them a different random 20-character answer kept wherever you keep your passwords (one answer shared across sites is as bad as one password shared across sites). I’m sure as hell not going to tell the truth. Seriously, how hard would it be to get anyone to give up the name of their high school or their first pet? If I wanted to break into, say, a coworker’s account, all I’d do is find out which questions the site asks, and then ask the coworker. Do you think anyone’s going to balk at talking about their first pet or their high school days?
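Treating the question as a password, on both sides of the form, as an added example that is not from the original post. The user side generates an unguessable answer to paste into the "first pet" box; the server side stores and checks the answer the way it should store a password. The guessing loop at the end shows why that matters: the pet-name list is a constructed stand-in for the short list an attacker would try, or simply ask a coworker for. All function names are assumptions made for illustration.

```python
"""Security-question answers handled as passwords. Added example, not from
the original post; names and the pet-name list are constructed for illustration.
"""
import hashlib
import hmac
import math
import os
import secrets
from typing import Iterable, Optional, Tuple

# Constructed, tiny wordlist standing in for what an attacker guesses or asks
# for; a real list would be a few thousand common pet names.
COMMON_PET_NAMES = ["max", "bella", "buddy", "fluffy", "charlie", "lucy", "daisy", "rocky"]
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
ITERATIONS = 100_000


def random_answer(length: int = 20) -> str:
    """User side: an answer that carries no information about the person."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int = 20, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work for a random answer: 20 characters from 62 is about 119 bits,
    against a few bits for the name of a pet."""
    return length * math.log2(alphabet_size)


def _normalize(answer: str) -> str:
    # Case and surrounding whitespace carry no entropy; normalizing them
    # avoids locking out a user who typed "Fluffy " once and "fluffy" later.
    return answer.strip().lower()


def store_answer(answer: str) -> Tuple[bytes, bytes]:
    """Server side: keep a per-record salt and a PBKDF2 digest, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def check_answer(record: Tuple[bytes, bytes], candidate: str) -> bool:
    """Server side: constant-time comparison of the recomputed digest."""
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", _normalize(candidate).encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


def guess_answer(record: Tuple[bytes, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: dictionary attack against a leaked record. Hashing does
    not help when the answer itself is on a short list."""
    for word in wordlist:
        if check_answer(record, word):
            return word
    return None
```

With a truthful answer the attacker needs a handful of guesses; with a random one the hashing work per guess is the same but the list never contains it, and an online attacker hits rate limiting long before.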


New online forum - SpeakStrategy.com

While I was at the SCIP conference I was able to meet several folks from Strategy Software, who make several products I use. We talked about their products and their features, and we also ended up talking about creating a user’s group.

There were a few of us “power users” there, and everyone seemed to think it was a good idea. It was one of those discussions where everyone’s nodding, but no one is talking about what they’re going to do, so I volunteered to put it together.

So on the way home, at the airport, I found a spot with free wi-fi and set to work. One of the things I really love about the internet is how quickly things can be done. In less than an hour I had found software (phpBB) and uploaded it to my web servers, defined the forums, thought up a name (poorly chosen and later changed), written posts, and emailed the others about it.

That was Friday, and on Saturday I registered a domain, cleaned up the site, set up security on the Strategy Software forums (they’re for licensees only) and wrote more posts. Since then the domain has changed to www.speakstrategy.com. The folks from Strategy Software have been participating, and now we have 48 articles and 10 users.

But that’s not enough!

So, please come and have a look when you can!

www.speakstrategy.com is a place where CI professionals and others involved in research or information security can network and discuss issues that are important to them, as well as their experience with Strategy Software products. It’s still in its infancy, so now’s the time to get in on the ground floor!