Forced Features: Why Unwanted Upgrades Are Bad Security

The Telephonic Treatment

Like most people who own one, I love my smartphone.  I love that I can use Activator to keep my phone from automatically playing music, even over Bluetooth.  I love that I can select text and move the cursor without leaving the keyboard.  I love having five icons on the dock, speeding up the OS’s animations, and running a terminal session on my phone.

What I don’t love is running an old version of the OS so I don’t lose my jailbreak, and thus, all the above features.

As my phone’s manufacturer rolls out the latest OS and new phone after new phone, I’m running hardware and software that are now five and three full generations behind, respectively.  My phone is still vulnerable to Heartbleed, and every attack since.  I take risks with my digital security every time I browse the Internet.

And I hate it.

So why not fill those gaping holes, you ask?  Because my phone’s manufacturer, like so many other companies, has decided that in order for me to patch bugs and vulnerabilities on my systems – the systems I own, mind you – I must also accept its new “features”, whether or not I want them.

For example, it has recently been shown that the “flat” design interfaces so popular of late slow down user productivity by 22%.  And since certain manufacturers only allow upgrading devices to the most recent OS, I can’t get patched without robbing myself of more than 1/5th of my time.  How is that an improvement?

Some Simple Solutions

As Fornetix’s Product Manager, it falls to me to decide which features and fixes make it into each release of our products.  And given the negative experiences I’ve had over the past decade with PCs, gaming consoles, phones, tablets, and even televisions that inextricably conflate bug fixes and features, I knew we needed a different approach.

The Fornetix Key Orchestration Appliance is, at its heart, a security device.  KO can manage millions of keys per day without breaking a sweat, providing first-class cryptographic infrastructure services for an immense range of enterprises: from small shops to massively-distributed IoT networks.  It was built on four pillars of security: Confidentiality, Integrity, Availability, and Accountability, and makes the once-time-sucking task of cryptographic management an automated and policy-based breeze.

But we’re not perfect – like all developers, we can always make our product better.  We think of new features we’d like to see.  We find ways to improve the features we have.  And yes, we even sometimes find bugs that have somehow made it past our incredible QA team.  We stay busy (and paid) by making our products better than they were yesterday.

The problem comes in knowing how to deliver those improvements to our customers.  Can we really say that a product design is “better” if it interrupts our customers’ workflow, forcing them to re-learn a product they’re already proficient in, costing them time and money?  Of course not.

What’s more, just like with a phone, requiring an “upgrade” to fix vulnerabilities and bugs will discourage some customers from applying them, reducing their security profile and exposing them unnecessarily to malicious attacks.

Free From Forced Frustration

So instead, we at Fornetix have decided to de-couple feature releases from bug fixes.  It is one of our basic development principles to keep the features and functions of each release consistent, while still maintaining its security, through its end-of-life.  As long as a release is supported, we will provide bug-fix and vulnerability patches for it without changing its features, even after newer versions have shipped.

Combined with our perpetual licensing, this method ensures that once you’ve purchased a Fornetix product, you are assured consistent, stable, predictable performance for as long as you own it, with the peace of mind of knowing that you will always have the latest fixes and security updates without affecting the core features of the product.  And when you are ready to add in the amazing new features we’ve created for the next version, you can upgrade on your schedule.  So you’ll always have the best of all worlds – up-to-date security, consistent operational performance, and new features when (and only when) you decide you’re ready.
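To make the policy above concrete, here is an added example (not Fornetix code, and not how Key Orchestration is actually built) that models release lines in Python: a feature release opens a new major.minor line, every bug or vulnerability fix is backported as a patch release to each supported line, and a customer-side check confirms that an offered update never crosses lines. The fix identifiers such as `FIX-001` are constructed placeholders.

```python
# Added example (not Fornetix code): a minimal model of the decoupled release
# policy. Features open a new major.minor line; fixes are backported to every
# supported line as patch releases, so customers keep their line and still get
# every fix. Fix ids like "FIX-001" are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Line = Tuple[int, int]  # (major, minor) identifies a release line


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = text.strip().split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
        return cls(*(int(p) for p in parts))

    @property
    def line(self) -> Line:
        return (self.major, self.minor)

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


@dataclass
class ReleaseLine:
    latest: Version
    supported: bool = True
    fixes: Set[str] = field(default_factory=set)  # fix ids shipped on this line


class Catalog:
    """Tracks release lines and enforces 'a fix never requires a feature upgrade'."""

    def __init__(self) -> None:
        self.lines: Dict[Line, ReleaseLine] = {}

    def feature_release(self, text: str) -> Version:
        """Open a new major.minor line; new features only ever land here."""
        v = Version.parse(text)
        if v.patch != 0:
            raise ValueError("a feature release must start its line at patch 0")
        if v.line in self.lines:
            raise ValueError(f"line {v.major}.{v.minor} already exists")
        self.lines[v.line] = ReleaseLine(latest=v)
        return v

    def end_of_life(self, text: str) -> None:
        """Stop supporting a line; it receives no further patches."""
        self.lines[Version.parse(text).line].supported = False

    def backport_fix(self, fix_id: str) -> List[Version]:
        """Ship one fix as a patch release on every supported line."""
        shipped = []
        for rl in self.lines.values():
            if not rl.supported or fix_id in rl.fixes:
                continue
            prev = rl.latest
            rl.latest = Version(prev.major, prev.minor, prev.patch + 1)
            rl.fixes.add(fix_id)
            shipped.append(rl.latest)
        return shipped

    def forced_upgrades(self, fix_id: str) -> List[Line]:
        """Supported lines lacking the fix: customers there could only get it by
        moving to another line, which is the forced-feature anti-pattern."""
        return sorted(line for line, rl in self.lines.items()
                      if rl.supported and fix_id not in rl.fixes)

    def update_for(self, installed: str) -> Version:
        """The update offered to a customer: always the latest on their own line."""
        v = Version.parse(installed)
        rl = self.lines.get(v.line)
        if rl is None or not rl.supported:
            raise LookupError(f"line {v.major}.{v.minor} is not supported")
        return rl.latest if rl.latest > v else v


def is_patch_only(installed: str, offered: str) -> bool:
    """Customer-side check: an update must stay on the installed line."""
    a, b = Version.parse(installed), Version.parse(offered)
    return a.line == b.line and b >= a


def demo() -> dict:
    cat = Catalog()
    cat.feature_release("1.0.0")
    cat.feature_release("1.1.0")
    cat.feature_release("2.0.0")
    cat.end_of_life("1.0.0")               # unsupported: receives nothing
    shipped = cat.backport_fix("FIX-001")  # constructed placeholder id
    offered = str(cat.update_for("1.1.0"))
    return {
        "shipped": [str(v) for v in shipped],       # ['1.1.1', '2.0.1']
        "forced": cat.forced_upgrades("FIX-001"),   # [] -> policy upheld
        "offered_to_1_1_0": offered,                # '1.1.1'
        "patch_only": is_patch_only("1.1.0", offered),
        "crosses_line": is_patch_only("1.1.0", "2.0.1"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the fix landing as `1.1.1` and `2.0.1`, with no supported line left behind; if a fix were shipped only on the newest line, `forced_upgrades` would name the lines whose customers would have to take a feature upgrade to be patched, which is exactly the situation the post argues against.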

Now, if I can only figure out how to convince a certain smartphone company to follow our lead…

Data Breach Hits HBO: How Do We End This?

Today, HBO announced publicly that they have experienced a “cyber incident which resulted in the compromise of proprietary information.” Like many other companies, HBO also stated that “data protection is a top priority” and yet we have seen a common theme that has become more prevalent in recent years. Large companies have trouble protecting their data.

RackTop Teams with Fornetix to Create FIPS 140-2 Level 2 Compliant Encrypted Data Storage Solution

FULTON, Maryland, July 25, 2017. Today, RackTop Systems announced the immediate availability of its advanced secure encryption service with support for external cryptographic key management powered by Fornetix® Key Orchestration™. The enhancement enables organizations to meet strict data-at-rest encryption requirements while providing effortless, unified management of encryption keys. RackTop’s advanced encryption service maintains the highest level of protection by eliminating any human interaction or knowledge of keys, pins, or passwords.

Amazon S3: Don’t Kick the Bucket, Do Something About It

Over the past several weeks we’ve seen three newsworthy stories where sensitive information finds its way onto Amazon’s S3 cloud storage service: NGA, WWE, and Verizon.

Pivoting From Cyber Security to Cyber Defense

I recently had the chance to respond to a LinkedIn post from Larry Cole about terminology for Cyber Security vs Cyber Defense. The conversation with Larry really hits home regarding what we are all doing with technology and services: defending what we consider valuable. I think we have all been wrong in calling it Cyber Security. It’s time to start saying Cyber Defense and act accordingly.

The Strong Case for Interoperability, Part 1

What is interoperability and how did it get started? The idea of interoperability was born in the world of manufacturing. If you think back to before the industrial revolution, machines and inventions were created as one-off systems.

Poor Information Security Practices Lead to Massive Data Leak

A Republican National Committee data analytics firm, Deep Root Analytics, disclosed that as many as 198 million U.S. citizens’ names, dates of birth, home addresses, phone numbers, and other identifiable information were exposed to the internet due to a database misconfiguration. Many firms are hastily moving to the cloud without fully understanding the security implications of doing so. By rolling out new cloud implementations, data collection and analysis problems become simpler tasks. However, without a proper security framework around it, data is accessible to the internet and more likely to be retrieved.

Guest Post: The Whos and Whats of WannaCry

Perry Holdsworth, our Sales & Marketing intern at Fornetix, gives us a primer on the recent WannaCry ransomware attack that has wreaked havoc on global networks.

Fornetix Joins the VMware Technology Alliance Partner Program

Fornetix® today announced it has joined the VMware Technology Alliance Partner (TAP) program as an Elite level partner. Members of the TAP program collaborate with VMware to deliver innovative solutions for virtualization and cloud computing. The diversity and depth of the TAP ecosystem provides customers with the flexibility to choose a partner with the right expertise to satisfy their unique needs.

The Critical Need for Key Management Beyond Storage

The need for Key Management beyond storage is effectively the need to provide security controls that reduce risk when authority is separated from responsibility. The published leak of National Geospatial Agency data onto Amazon S3 by a defense contractor shines a spotlight on both the problem and the solution.