In the first post in this series, we talked a little about product security in AutoCAD and why having a JavaScript API doesn’t make AutoCAD less secure. We also took the chance to talk about the SECURELOAD mechanism, mainly saying that it’s a good thing.
Today we’re going to talk about why it’s such a good thing.
The various product teams at Autodesk have been very focused on improving security in our products over the last couple of years. We’ve hired a number of key security-focused architects and engineers who are working to improve the level of security we have in our desktop, mobile and cloud-based technology. Individual product teams have also become much more focused on security: I attended a “security summit” along with a number of colleagues during my last visit to San Francisco, for instance, and lots of us are attending security-related training.
Why are we doing this? The world is a very different place than it was just a few years ago. Malware is no longer about teenagers in their bedrooms modifying macro viruses and experimenting with rootkits: it’s about professional cybercriminals and corporate/governmental espionage. Organisations such as Autodesk have a duty to their customers to reduce the risk of attack and to increase their ability to respond when attacks do happen.
Let’s take a few recent examples…
This blog is hosted by Typepad, which over the last few months has been a major target for DDoS attacks. Much to readers’ (and my own) frustration, the hosting of this blog was seriously flakey during a number of weeks, a few months ago. It turns out the reason was that – along with a number of other sites – Typepad was being held to ransom: unless they paid an undisclosed sum, the attacks would continue. And the fact the service was impacted consistently over such a long period was just a testament to the amount of damage it was possible to inflict, despite the best efforts of those involved.
Another example is the recent “Oleg Pliss” ransomware attack on Antipodean iOS devices: unless users paid $100 to a certain PayPal account, they were locked out of their iPhones (etc.). It seems the perpetrators have since been arrested in Russia.
According to Verizon’s Data Breach Investigations Report (DBIR):
“2013 may be remembered as the ‘year of the retailer breach,’ but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.”
In other words there has been a shift from cyber-espionage to cyber-crime (although both are very much happening, have no doubt). It seems that as it becomes clear there’s significant (and easy) money to be made, criminals move in.
But this is just affecting websites and hosted services, right? Not necessarily: consider how valuable your IP is to you, and what you would pay either to get it back or stop it from falling into the wrong hands. If that’s a significant amount, there’s clearly opportunity there for criminal gain.
Storing data on internal, corporate networks is no guarantee of data security: all it takes is a targeted spear-phishing attack, getting someone to click on an innocent-looking link or attachment, and the network is compromised. And while it all seems like the kind of thing that only happens to other people, as the tools become more readily available and the barrier of entry lowers, we all have to be vigilant.
Autodesk’s responsibility, when it comes to our desktop software, is to do our best to make sure it isn’t an attack vector for malware. We’re clearly not going to be able to do anything about someone running a dodgy executable they downloaded from the web, but we need to make sure that users of our software are informed appropriately when they do something risky (such as loading an application from a location their IT administrators or CAD managers do not consider trustworthy). We can also do our best to make sure that when people download DWGs, opening them doesn’t cause problems, of course.
Please bear this in mind before disabling the SECURELOAD mechanism, rather than looking at the options for having AutoCAD treat your applications as trusted.
I don’t mean to be alarmist, but it is important for people to take cyber-security seriously. To get some additional context on issues that relate to security – and, particularly, individual privacy – I really recommend reading anything you can find by Cory Doctorow, blogger, journalist, sci-fi author and co-editor of Boing Boing.
When I say Cory writes sci-fi, it’s mostly near-future science fiction based on today’s technology (or where it’s likely to go in the foreseeable future). That said, he also writes stuff that’s a bit more “out there”, such as his recent collaboration with Charles Stross (another favourite author of mine).
Before I get to my “Cory Doctorow summer reading list”, the main reason I wanted to mention this author is a speech he gave a couple of years ago for The Long Now Foundation. The speech is still available for subscribers – I watched it when it was still freely viewable – but it’s now only freely available in audio form (listen to it below).
It mainly focuses on issues related to individual property rights and the desire/need for control of devices that we’re increasingly attached to and surrounded by. But security is definitely a significant theme, and it had me thinking hard about the meaning of “trustworthiness”. While you’re at it, his recent TEDxOxbridge talk – which covers many of the same themes – is also well worth a watch.
Thought-provoking stuff. If you have the time to listen through to the Q&A session, at the end, you’ll learn about some of the books Cory has written. Here are a few that I’ve read and recommend. Most are released under a Creative Commons license, so you don’t even need to pay for them (although you may end up wanting to, as I did).
Cory’s clearly a visionary and political commentator but what I like about his work is that it’s infused with humanity. These are important topics told in a way that resonates strongly and leaves you thinking about the future.
Little Brother
Set in San Francisco, this is all about a technically astute young adult (the book’s target audience, by the way) who, while playing an Alternate Reality Game, ends up getting caught up in the wake of a terrorist attack on US soil.
Homeland
In this sequel to Little Brother, the protagonist ends up in a job at a local politician’s office. Once again the victim of circumstance, he ends up in possession of some controversial data that he feels obliged to find a way to make public. [Includes a powerful afterword by Aaron Swartz.]
For the Win
How “gold farmers” – online gamers working in virtual sweatshops – end up forming a trade union to protect their interests and those of other workers around the world.
Makers
The US economy collapses, but out of its ashes a phoenix is born: a creative revolution blossoms as people remake a collapsed industrial nation with 3D printers and soldering irons.
The Rapture of the Nerds (with Charles Stross)
In an interesting twist on the traditional story where “believers” get to transcend, this time it’s the geeks who get to upload to the cloud, leaving technological luddites behind to make do with the Earth’s crumbling infrastructure. Great for sci-fi buffs with a sense of humour, it’s The Hitchhiker’s Guide to the Galaxy meets The Light Fantastic.
photo credit (padlock): Anonymous Account via photopin cc
photo credit (portrait of Cory Doctorow): Jonathan Worth, cc