Posts tagged ‘android’

13 December 2010

Security error messages need improvement

Today, I had to ask a helpful technical support person how to access the secured wireless network at my local university. Even though I’d successfully logged into the system many times before and have been using it for months, somehow the device I was using had managed to forget the password that enabled the certificate that allowed the wireless network to recognise and authenticate it. As a result, I couldn’t use the network, which is locked down by both encryption and an authentication system.

Faintly embarrassed, I found out that I could have fixed it myself had I known I needed to dive into the deepest depths of the security settings of my HTC Desire HD phone — which runs Google’s Android operating system — and then reset the password manually.

The problem was two-fold. It wasn’t clear from the input box that popped up that the password being requested was a local one — in other words, the request came from inside the phone, not from the remote wireless network.

Additionally, it asked for a storage credential password and, you know what? I had no idea which password it was asking for, or that I needed credentials to access storage on any remote or local system. I suppose I must have typed it in once, months ago, and then forgotten it almost immediately. It seemed out of place too, since I was trying to access a network, not storage.

So what’s the lesson here? As I was waiting for the IT systems person to figure out what the problem was, it occurred to me to wonder how much time is wasted around the world by poor error messages and unhelpful, over-zealous security systems and their obscure or misleading error messages.

If you’re in the IT business you might of course take a different view: it keeps you in a job. Even so, this kind of user support is useful but not massively productive work when you consider that the human being who designed the error message could, with a little more thought, have saved the time of thousands of other humans.

Security is an important part of our lives as it stops the right stuff going to the wrong people. As ever, the implementation usually involves a trade-off between security and convenience: more of one usually means less of the other.

While there’s still a long way to go before we get to the point where much security technology manages to both avoid inconvenience and improve security, thus making our lives easier, I’d suggest that some anti-virus packages get pretty close to that ideal…

17 August 2010

Just how paranoid do you have to be?

The problem with security and technology is that it can make you paranoid. Don’t be! Most things aren’t out to get you. But you do have to be careful and you do have to be aware of the risks, as this helps when you encounter a piece of software (or hardware) that really is out to get you.

Take digital signatures. A system has evolved over time that aims to help ensure that signed software is safe. Digital signatures are intended as a form of guarantee that a piece of software has been examined for malware and doesn’t contain any. But sometimes it does. Or, at least, in one case a piece of signed software contains malware. It’s unlikely to be alone.

Avast’s Michal Krejd reports in his blog that many users asserted that some instances of Avast detecting Win32:Injected-AZ were false positives. A Google search for Win32:Injected-AZ shows up plenty of forum entries by users about the malware.

In practice, what seems to have happened is that a version of a package named Aventura in fact contained Win32:Injected-AZ, even though the developer had signed off the software as clean, using a digital signature. This can arise because developers, rather than re-inventing the wheel, will routinely re-use software from third parties to perform specific functions.

So in this case, even though the package’s container was malware-free and was signed, some of the contents were not — and were not signed. The issue is, how can you tell? If you run a signed installer, for example, you expect it to be malware-free if it’s signed. Yet Avast picked up the fact that the software contained malware, even though it was signed.

The moral of the story is that a signature does not necessarily guarantee that all the contents of a package are clean. Fortunately, as Krejd notes in his blog, “the malcode inside seems to have never been executed, therefore this specific case is not a critical issue”.
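To show concretely why a valid signature on a package says nothing about members the signature never covered, here is an added example (not code from the post, Avast, or the Aventura package). It assumes a constructed package format where the vendor signs a JSON manifest of file hashes, and uses an HMAC-SHA256 over the manifest as a stand-in for the vendor’s digital signature; the audit verifies the signature and then reports which archive members the manifest actually covers.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed demo key: an HMAC over the manifest stands in for the vendor's
# digital signature. The shape is the same as a real signed package: the
# signature covers the manifest bytes only, never the archive members themselves.
VENDOR_KEY = b"constructed-demo-key"
META = ("MANIFEST.json", "MANIFEST.sig")

def build_package(signed_files: dict, unlisted_files: dict) -> bytes:
    """Build a zip whose manifest lists (and so 'signs') only signed_files.
    unlisted_files are added outside the manifest, like a third-party
    component bundled after the vendor signed off the release."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in signed_files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    signature = hmac.new(VENDOR_KEY, manifest_bytes, "sha256").hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(META[0], manifest_bytes)
        zf.writestr(META[1], signature)
        for name, data in {**signed_files, **unlisted_files}.items():
            zf.writestr(name, data)
    return buf.getvalue()

def audit_package(package: bytes) -> dict:
    """Verify the manifest signature, then check every member against it.
    Members missing from the manifest are reported as 'uncovered': the
    signature is valid, yet it vouches for nothing about those files."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        manifest_bytes = zf.read(META[0])
        expected = hmac.new(VENDOR_KEY, manifest_bytes, "sha256").hexdigest()
        if not hmac.compare_digest(zf.read(META[1]).decode(), expected):
            return {"signature_valid": False}
        manifest = json.loads(manifest_bytes)
        report = {"signature_valid": True, "covered": [], "modified": [], "uncovered": []}
        for name in zf.namelist():
            if name in META:
                continue
            if name not in manifest:
                report["uncovered"].append(name)
            elif hashlib.sha256(zf.read(name)).hexdigest() != manifest[name]:
                report["modified"].append(name)
            else:
                report["covered"].append(name)
        return report

# Constructed sample: two files hashed and signed; one helper library added unlisted.
SAMPLE = build_package({"setup.exe": b"installer bytes", "readme.txt": b"hello"},
                       {"thirdparty/helper.dll": b"vendor never hashed this"})
```

A real verifier that stops at "signature valid" would accept SAMPLE outright; only the per-member check exposes the helper library the signature never covered.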

Krejd’s approach for the future? “If you encounter this detection on your PC, replace the infected binaries with original ones. And if the original binaries are also infected, ask their vendor to provide you with clean binaries.”

Going mobile
Do you know where you are? Probably, but do you want everyone else to know where you are too? There’s a new game out for the Android operating system for smartphones. It’s called TapSnake, and it’s a spin on the classic snake game, which used to be found on Nokia phones.

It turns out that the game contains a Trojan. The new rev of the game plays fine — but while it’s running, the game turns on the GPS location device and uploads data to a remote server so that your location is made public. All you need to find out where players of this game are is to download and run a package called GPS Spy on another Android device. It means you can see where players of the game have been and when.

Effectively, mobile software can compromise you in ways that personal computer software does not. Be aware – check the provenance of those fun little games…
