Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing.
I love listening to my friend Andy Müller-Maguhn, for instance. He's one of the founders of the Chaos Computer Club in Hamburg, and he likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have for breaking into other people’s systems and all the horrible damage they can do there.
Andy is one of the good guys, of course, or so he says. And yeah, you can hire him as a security consultant, just in case. Which sort of reminds me of the young men in Naples who wash your windshield while you wait at a stoplight and rip your wiper blades off if you don’t tip them.
Which brings us in a very roundabout way to a security risk I somehow never thought of before, but now it worries me no end. The guy who stirred me up is David Ting, a charming IT professional who founded a small company a few years back called Imprivata that has been generating a lot of publicity recently for a product called “OneSign Secure Walk-Away”. In fact, just last week they won the UK IT Industry’s prestigious “Security Innovation of the Year” award for it. Seems like folks in Britain were as disturbed as I was to find that there had been a serious security risk lurking under their very noses they had somehow overlooked.
As the name implies, Secure Walk-Away is about what happens when you’re working at your computer and suddenly feel Nature calling or for some other reason decide to stand up and leave. What if someone else enters your office a few minutes later? Right – they find your machine up and running, all logged in and proudly displaying whatever it was you happened to be working on when you left.
Anecdote time: As a young journalist working for “auto motor und sport”, the world’s second-largest car magazine, my friend Norbert Haug and I once wandered into the office of a colleague and found him missing. There was a sheet of paper tucked into his typewriter (we’re talking a long, long time ago here!) containing a half-written piece about a Japanese motorcycle he had been testing.
Norbert and I knew the article was due by evening, so we helpfully decided to finish it for him. In fact we spent a hilarious half hour creating a wonderful spoof on a real magazine article. I distinctly remember the praise we lavished on a fictitious hole in the exhaust pipe the engineers had allegedly left there so that condensation moisture could escape, drop by drop.
When we were finished we took the manuscript and left it on the editor’s table (he was out to lunch, too). When our colleague got back in the evening, his deadline had completely slipped his mind and he was just getting ready to go home when the editor rang and said: “I don’t like the headline on your piece.” “What piece?”, he asked. I wonder what would have happened if nobody had noticed and the article had been published. Presumably, it would have been the end of a promising career for both Norbert and me, which would have been too bad, because he is now in charge of Mercedes-Benz’s successful racing team. If things had turned out differently, maybe neither he nor the “Silver Arrows” would have ever gotten off to a decent start.
Anyway, I guess I should have been well primed for what David had to say when I visited him a few days ago in his office in Lexington. He has a history as the technical manager of Kodak's Boston Technology Center and as a serial entrepreneur, besides being extremely well grounded in software and systems for high security. He is also a very soft-spoken guy, and possibly that’s what made it so scary to hear him talking about the horrible things that can happen because somebody left their computer on and left.
Imprivata’s customers are mostly health care companies, and so a lot of the data they shovel around consists of patient records. You don’t want strangers looking at this stuff, much less possibly copying it or sending it out somewhere. That’s why security standards in this industry are so strict.
Yet somehow, nobody appears to have thought about what David calls the “walk-away problem” before. In fact, the only other company I could find that deals with this issue makes a product called “Phoenix Freeze” which uses Bluetooth to shut down your computer when you walk out of range, which generally means about 30 feet. If the can is close to your cubicle that could mean your computer will still be on. Talk about getting caught with one’s pants down!
David takes a more sophisticated approach to the problem: He uses video images captured by the built-in camera on your laptop or by the webcam most people have sitting on their computer screens for videoconferencing. The software he and his team dreamed up can remember your face, and it will shut the computer down the second the camera loses sight of you. This could be annoying if it meant having to type in your user name and password all over again every time, but Imprivata happens to specialize in extremely simple user access systems as well as SSO (Single Sign-On), so they made sure your computer starts again the minute you sit down.
This is an elegant solution for a difficult problem, and as such I hope it will be a huge success for Imprivata. However, I can’t shake off this feeling that I should have thought about it before. And more disturbingly, I worry: What else didn’t I think about? This of course gives me yet another reason to lie awake nights.
Perhaps blissful ignorance isn’t that bad, after all…