At the end of last year, the VW data scandal went through the media: the VW group collects and stores movement data from many of its cars. Due to a misconfiguration of Spring Boot, a heap dump of an application could be created through a specific link. This application had access to cloud storage holding the movement data. The heap dump included the keys for accessing the data, and so the attackers were able to download it.
Eberhard Wolff is Head of Architecture at SWAGLab and has been working as an architect and consultant for more than twenty years, often at the interface between business and technology. He is the author of several articles and books, including on microservices, and regularly speaks at international conferences. His technical focus is on modern architecture and development approaches such as cloud, Domain-driven Design and microservices.
What do we learn from this? The conclusion seems obvious: you should secure publicly accessible applications. That's right, but from the presentation at the Chaos Communication Congress I learned something else: if you know a car's previous locations, you can draw interesting conclusions from them. For example, assume that a car is regularly parked at the car park of an intelligence service such as the BND, then regularly at a certain parking space in a residential area, and every now and then in the car park of a brothel. This is valuable knowledge: you can probably blackmail an intelligence service employee quite easily with it. The scandal affected a total of 800,000 cars and involved a terabyte of data. There are plenty of opportunities to find valuable data treasures in it.
Such problems are older than digital computers: the Netherlands recorded the religious affiliation of its citizens as part of a census. After the invasion, the Nazis used this data to deport all the Jews.
Protection of data is not just a problem
Such data sets are so interesting that intelligence services will try to get hold of them. IT systems cannot be secured against such opponents. An example: Stuxnet was an attack on the Iranian ultracentrifuges for enriching uranium. Among other things, many previously unknown security vulnerabilities ("zero-day exploits") in Windows were used. You cannot protect yourself from such attacks because the security problems are unknown and therefore there are no countermeasures. This also applies to the systems of nuclear facilities, which are probably not reachable through a network such as the Internet and where physical access is likely to be controlled.
It has also been shown that our parliament's data is not safe from Russian hackers.
VW did not secure the data sufficiently, but even if it had: that would only have made the data more difficult to reach. If an intelligence service really wants this data, it will succeed.
Important: it is unlikely that VW is the only company that stores such data. For example, Tesla collects telemetry data and videos and can also open the doors of its cars. This data is then accessible to someone with right-wing extremist sympathies. With other manufacturers, the data is stored in totalitarian countries, which is certainly not ideal either.
You can’t protect the data completely!
But assume that the data is not already in problematic hands and "only" has to be secured. Cryptocurrencies show how difficult it is to secure data. Anyone who has the private crypto key for a wallet can spend the corresponding funds, regardless of whether that person is the rightful owner or is stealing the money. These keys therefore really have to be stored securely. But there is a website that continuously reports that cryptocurrency funds have been lost yet again, usually many millions, in one case even $1.5 billion. So even when it comes to hard cash, data cannot be secured adequately. And intelligence services are also active in this field. For example, North Korea uses crypto theft to fund its dictatorship and, among other things, its nuclear weapons.
Data economy
Therefore, securing data is not a solution. That leaves only one solution: not collecting and storing this data in the first place. This is where data avoidance and data economy come in: when storing data, you have to ask yourself what functionality you need and store only the data required for it. If you want to locate your car, for example, you only need the location where the car currently is. You do not need to store historical data for this. If necessary, you can even contact the car only at the time of the request and then determine its current location. In this way, the application does not need to store any data at all. At first glance, it is not apparent why a company would want to store the historical movement data of cars.
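The data-economy argument above, as an added example (not code from the article or from any manufacturer): three designs for a "find my car" feature, and what a dump of each one's storage would contain. The class names, the `ask_car` callback and the sample pings are assumptions constructed for illustration.

```python
# Added example, not from the article; names, callback and pings are constructed.
class HistoryStore:
    """Anti-pattern: every ping is appended and kept indefinitely."""
    def __init__(self):
        self.rows = {}                      # vin -> [(ts, lat, lon), ...]
    def record(self, vin, ts, lat, lon):
        self.rows.setdefault(vin, []).append((ts, lat, lon))
    def locate(self, vin, now):
        hist = self.rows.get(vin)
        return hist[-1][1:] if hist else None
    def breach_view(self):
        return [(v, *r) for v, rs in self.rows.items() for r in rs]

class LatestOnlyStore:
    """Data economy: one overwritten position per car, dropped after ttl seconds."""
    def __init__(self, ttl=900):
        self.ttl, self.rows = ttl, {}       # vin -> (ts, lat, lon)
    def record(self, vin, ts, lat, lon):
        self.rows[vin] = (ts, lat, lon)
    def locate(self, vin, now):
        self.purge(now)
        row = self.rows.get(vin)
        return row[1:] if row else None
    def purge(self, now):
        self.rows = {v: r for v, r in self.rows.items() if now - r[0] <= self.ttl}
    def breach_view(self):
        return [(v, *r) for v, r in self.rows.items()]

class OnDemandLocator:
    """Data avoidance: ask the car when the owner asks; persist nothing."""
    def __init__(self, ask_car):
        self.ask_car = ask_car              # hypothetical live link to the vehicle
    def record(self, vin, ts, lat, lon):
        pass                                # telemetry is not ingested at all
    def locate(self, vin, now):
        return self.ask_car(vin)            # None if unreachable; no stored fallback
    def breach_view(self):
        return []

# Constructed pings: one car, three days, three recurring places per day.
PINGS = [("VIN-A", d * 86400 + h * 3600, lat, lon) for d in range(3)
         for h, lat, lon in [(9, 52.50, 13.40), (19, 52.45, 13.30), (23, 52.52, 13.45)]]

def exposure_after(service, now):
    """Feed all pings, serve one locate request, return what a storage dump holds."""
    for ping in PINGS:
        service.record(*ping)
    service.locate("VIN-A", now)
    return service.breach_view()
```

With the history design, a dump yields all nine rows and therefore the recurring pattern of places; the latest-only design yields at most one row per car, and none once the retention window has passed.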
In addition, you can ask users whether certain functionality should be activated at all. The BND might prefer to do without comfort features in its cars so as not to make it easier to compromise its employees. Others may weigh this differently. But if you never ask clearly, store the data by default and hide the opt-out, it becomes difficult to make such trade-offs.
For this, you have to get over the idea that data is the new oil. Otherwise, storing data for later analysis is completely logical and leads to problems such as the VW data scandal.
Such cases exist in other places as well: do you really want to collect all German health data and make it accessible through a process? How valuable is this data? Can you then protect it well enough?
But there are also positive examples: the Corona-Warn-App "only" dealt with contact data, and there a concept with decentralized storage was implemented that even the Chaos Computer Club found "very good".
And now?
Software developers and software architects have to think about what can be done with the data from their software. Before the VW hack, it was not clear to me how valuable this data could be to interested parties. And that even though smartwatches had already revealed the locations of military bases. Therefore, development teams always have to ask themselves whether they want to collect data at all.
In the United States, Elon Musk's DOGE (the so-called "Department of Government Efficiency") is getting access to large amounts of data. The public is being reassured with the statement that it is only about reading data. This testifies to huge naivety about the value of the data. DOGE's own website is completely insecure, and its employees fail to secure their own data. So you have to doubt whether the data is safe with DOGE. It is definitely a good idea to ask yourself what happens when the stored data becomes freely accessible on the Internet or falls into the hands of a right-wing radical or undemocratic government.
tl;dr
Data is only safe if you neither collect nor store it. Therefore, development teams should store only the data that really has to be stored.