Stop hiding behind Terms and Conditions

It was revealed two months ago that toy company VTech was hacked. The criminals broke in and stole information including the birth dates and addresses of millions of children and their parents. It was quickly found out that VTech had employed abysmal security practices and made no notable efforts to keep their clients’ information safe. Lesson learned, one would suppose.

Unfortunately not so. Troy Hunt discovered last week that VTech made some changes – to their terms of service. The change, which happened in December, stated that parents were responsible for the security of their children’s data even though that data had already been handed to VTech. Rather than accept responsibility for their egregious previous failure, VTech chose to absolve themselves with a few lines of legal text.

The following words were added to the terms and conditions for VTech’s Learning Lodge website: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties… Recognizing such, you understand and agree that…neither VTech nor [its partners] or employees will be liable to you for any…damages of any kind.”

The BBC got a comment from the UK’s Information Commissioner’s Office confirming that VTech was indeed responsible for such information. “The law is clear that it is organisations handling people’s personal data that are responsible for keeping that data secure,” said a spokeswoman. This should also be the case for the rest of the EU. Local laws will apply in Asian countries.

Having to deal with pages and pages of small-printed legal text on contracts, and with emails that end in statements disclaiming responsibility for the email’s content, is a very disappointing aspect of modern society. Not only do people quickly learn to ignore such text as the noise that it is, it gives service providers the false sense of security that they may not be held accountable. For the sake of everyone’s sanity, please stop doing this! Keep your disclaimers brief and to the point. Take a look at this old Google page about how to actually tell someone about relevant terms and conditions.

In other news, Amazon has told its customers that its Lumberyard game development tools are not to be used for life-critical or safety-critical systems… unless the zombie apocalypse is going on, in which case this particular condition is nullified! See clause 57.10.

The horror of the security product presentation

“Attackers can get in within seconds.” “Data can be extracted within minutes.”

If you are in IT (especially if you manage IT), chances are that you have sat through a security product sales presentation. It contains scare stories of vulnerabilities and attackers and tells you about just the product to solve the problem.

It starts with a few recent headlines. There will typically be one about a security breach that lost a company many credit card numbers belonging to its clients. This might be followed by another headline that talks about lost social security numbers or other personal information. (5 minutes)

Step 2 is the scariness of the task of the IT team. There are plenty of vulnerabilities that any IT infrastructure may have. The ante is quickly upped to introduce “zero-day” – vulnerabilities that are only known to the attacker and not even to the vendor who created the security products that are in use. The scares are further escalated to show how quickly data can be extracted and for how long the attackers can remain in your network before they are typically detected. (5 – 10 minutes)

Then comes the question. What can we do about this? The answer immediately follows. “We need something that … does A, B, C and D!” (1 minute, typically just one slide)

The big reveal that we have been waiting for! Introducing PRODUCT!!! (5 minutes)

An explanation follows as to how A, B, C and D are done by the product. There is an additional explanation as to why no other product compares (20 – 30 minutes).

What is shameful about the aforementioned presentations is the amount of time that they waste in an attempt to scare people into buying a product. Not only that, the security product is presented as the necessary solution that will fix the problems that none of your existing products could fix.

No security product will secure your IT infrastructure by itself. See this previous post that I made for more information. There are plenty of situations where the existing products in one’s infrastructure, effectively used, can provide the level of security that is required by management. A direct question to the salesperson as to the measurable effectiveness of the product will always be met with caution. One would just not expect it, coming so soon after the wonders of the newly introduced product.

Security devices need to keep one-upping each other. So do security sales pitches. Perhaps a good way to improve them would be to not waste the customer’s time and patience attempting to scare them.