Sea Change: Security is Your Job Also, the Writing is on the Wall
With the recent and ongoing security breaches at Sony Pictures, a chilling new level of risk has emerged that is pummeling Sony*, but applies to any entity, including Apple and Google. No company has perfect security nor will it ever, period.
Sony Pictures Hacked: Do You Really Want to Update your Camera Firmware with a Sony Updater that Runs as 'root'?
Sony Firmware Updater: a Security Risk
* Reportedly, Sony has shut down filming because hackers have rendered its payment systems inoperable!
See also A concise history of recent Sony hacks (MPG takes no position on the material at that link).
Security is YOUR job too
This is a general discussion, and while specifics are used, the issues span a much larger space than detailed here.
This has always been true, but the risks have never been harder to understand or more concerning, nor has there ever been more inter-connection. Then think bank and brokerage accounts, which in MPG’s view, should not be used via the web, though admittedly that is a huge hassle these days. A system compromise of any kind potentially delivers the juiciest prize: draining money from your account to a hacker somewhere.
Risk for which you by law have no choice and no control: MPG vehemently objects to electronic medical and tax records, for reasons that should be obvious given the Sony fiasco, e.g. the government is incompetent to protect those records from determined hackers. Edward Snowden showed that even our “spooks” with the most highly classified information and strictest procedures can be compromised.
MPG advises readers to disavow cameras that require software updaters or USB transfers or charging (USB also has exploits when connected to the computer):
Computer code that can turn almost any device that connects via USB into a cyber-attack platform has been shared online.
Your camera and your computer
Sony and certain other camera vendors provide software updaters that run on the computer in order to upgrade camera firmware. Moreover, the Sony updater (and some other brands) must be run as 'root' (no security restrictions). A software updater that must be run on the computer with root access is a fundamentally flawed design; it is a potential “root kit” vector. Other vendors like Nikon and Canon provide downloadable firmware that the camera itself can load**.
Patient: “Doctor, it hurts when I do that”.
Doctor: “Don’t do that!”.
It cannot be fixed except by doing it properly: no software updater at all. The camera itself should accept a firmware file, taking the computer out of the loop, at least in the sense of running 'root'-capable software, because either the updater or the firmware could compromise (hack into) the system, and the user would have no way to tell (well-written malware is invisible).
The writing is on the wall: all Sony software of any kind must now be suspect as potentially harboring malware, either now or some time down the line. There can be no assumption that it is “only Sony Pictures”, or similar naive ostrich-like thinking.
As this was written, it appears that Sony had not revoked the certificates for the compromised PFX (private key) files. If true, that is a (non) act of gross negligence that in MPG’s view carries the prospect of awesome financial and legal liabilities, should the private keys be cracked and used for unsavory purposes.
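One partial check on a root-run updater is to snapshot the places where root-level helpers live before running it and compare afterwards. The code below is an added example, not MPG's or any vendor's code, and it only sees on-disk changes that remain visible to the user. The watched macOS paths and the demo file names are assumptions.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumption: usual macOS locations for root-level daemons and helper tools.
WATCHED = ["/Library/LaunchDaemons", "/Library/PrivilegedHelperTools"]
SETID = stat.S_ISUID | stat.S_ISGID

def snapshot(roots=WATCHED):
    """Map each regular file under roots to (mode bits, owner uid, SHA-256)."""
    seen = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if stat.S_ISREG(st.st_mode):  # skip symlinks and devices
                        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
                        seen[path] = (stat.S_IMODE(st.st_mode), st.st_uid, digest)
                except OSError:
                    continue  # unreadable without privileges: not recorded
    return seen

def changes(before, after):
    """Return sorted (kind, path) findings for what appeared or changed."""
    found = [("removed", path) for path in before if path not in after]
    for path, (mode, uid, digest) in after.items():
        old = before.get(path)
        if old is None:
            found.append(("added", path))
        elif old != (mode, uid, digest):
            found.append(("modified" if old[2] != digest else "permissions", path))
        # A newly set set-uid/set-gid bit lets the file run with its owner's rights.
        if mode & SETID and (old is None or not old[0] & SETID):
            found.append(("setid", path))
    return sorted(found)

def demo():  # constructed: a temporary directory stands in for WATCHED
    with tempfile.TemporaryDirectory() as root:
        plist, helper = Path(root, "existing.plist"), Path(root, "com.example.helper")
        plist.write_text("<plist/>")
        before = snapshot([root])
        helper.write_text("#!/bin/sh\n")  # constructed stand-in for an installed helper
        helper.chmod(0o4755)              # owned by the current user here, not root
        plist.write_text("<plist><!-- edited --></plist>")
        return [(kind, Path(p).name) for kind, p in changes(before, snapshot([root]))]
```

Call snapshot() before and after running an installer and pass both results to changes(); an empty list means nothing in the watched locations changed on disk.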
** There are no zero risk approaches to updating camera firmware, but a binary file that the computer does not execute carries a much lower level of risk than having to run software, especially software that executes as “root”.