Thursday, September 30, 2010

"A man's gotta know his limitations." - a famous Clint Eastwood character

Radio ads are now being heard in my area touting something called "Xfinity Home Security" from Comcast cable. The idea is that it would be really great to be able to control a home security system from your smart phone. I'm afraid this indicates that online convenience will soon prove more popular than security, even within the security products market - truly a new irony. If Comcast saw a potential market for such a thing, consider the possibilities...

Assume that the application security issues are solved (the code is secure). That leaves out any problems with the remote interface and the installed app at home. Let's also assume that the Internet Service Provider's servers are properly maintained and in a secure configuration. And since this is an extension of ADT home security, we'll assume that there are no problems on their end (any and all physical and software interfaces). What does that leave? Well, at home, it leaves the thing that the (secure in this example) stuff is installed TO, namely the home computer. This is a computer not maintained by Comcast or by ADT or by the ISP (although their systems are possibly impeachable in other examples). This computer's Administrator Of Record is Joe Sixpack, probably with a few wife/kid computers on a $79 router. The last such computer that I looked at for somebody was as secure as a screen door on a submarine.

[Observe: To get into secure app XYZ on the user's computer, obtain access to the base Operating System. Since this machine is running a series of security devices, assume a 24/7 online stance. This gives you lots of time to run a... "password recovery program". Or to look for cached login info from the OS to the app. Bingo. You get into the secure app from the OS that the home user failed to configure correctly or patch regularly. This resembles the MANY examples of an outfit getting invaded through a telecommuter workstation left up and online.]

{Another aside: If you replaced the user machine in the above scheme with an appliance, that would eliminate my main objection. Not that appliances haven't had updating and hardening problems, though...}

The larger point? We from the Unix/open source side would not immediately have these problems since all the linking apps aren't available for Linux, Solaris or such. But the problem that remote access for home security poses is that it's not the systems that pose the biggest chance for failure. It's the judgment of the user. It's what the user has authorized to run locally. It's whether or not one should have remote access to things like history logs that record when a door was opened/closed over the last 60 days. Or streaming video in the garage or kitchen. Linux or OpenWhatever can solve lots of problems when replacing less secure systems, but it can't make the user smarter. This is our Limitation as open source advocates: open source can't fix everything. Not only must we evangelize about some system choice where possible; we must warn against giving out one's email address too much, or clicking on a strange web link, or opening that attachment. Those are problems in any system configuration, use or policy stance.