Thursday, October 12, 2017

Even When They Know

Citizen Lab at the University of Toronto has always done good research, especially China-related work that shows how deep intelligence collection can go when it is applied through applications, but this time they focused on South Korea and its apps for kids' cellphones.

We all know that kids and cells are what we might call a "dynamic mix" that is capable of producing more than either one could alone. Only the apps they looked at left the kids vulnerable to outsiders who might also like to have some of the data these teens generate. This is a lesson in the difficulty of getting flaws in software identified and fixed by the people who produce it.

Citizen Lab et al. found vulnerabilities in government-funded software developed under a 2015 law that "requires all South Korean telecommunications operators that enter into service contracts with children under the age of 19 to provide a means to block content deemed 'harmful' on their mobile phones and ensure parents receive notifications whenever the blocking mechanism becomes inoperative." Those apps were reviewed and the flaws identified to the developers and the government.

The response by the vendors was predictable, but not satisfactory. In one case the original software was taken off the market and replaced by a rebranded version of the same software with a reduced subset of the same flaws. We should also note that the second version passed a government security review. In another instance the same software was re-released with a claim that the vulnerabilities had been fixed, when they hadn't. The government reviewers were obviously focused on functionality and not security.

This points to an obvious conclusion: identifying flaws in software does not by itself motivate the developers or the government to reduce the risk. They may discount the risk to children, who may not have as many credit cards or online banking apps as their parents, but the kids around this neighborhood are using online apps to pay for almost everything.

I wish this kind of behavior was limited to a few developers in South Korea, but it isn't. Vendors are not liable for the software they produce, and the impact of that is widespread. They don't fix flaws because there is no penalty for leaving them in, or for rebranding a product that is seriously deficient. When can we have liability laws that hold a vendor to reasonable standards for the software they produce?