Friday 12 November 2021

Numbers that don't exist...

The images and sounds that you see and hear in movies and on the television are carefully crafted, constructed, produced... and more. Clothes might be 'product placement', but they might also be custom made so that they look kind of like famous brands, but aren't - which means that showing them on screen isn't advertising, and it isn't trademark, logo or brand infringement. Music might be re-recorded so that it sounds very similar to the real thing, but again, is merely very close - the BBC's Top Gear 'classic' theme tune is just one example. It might sound like 'Jessica' by the Allman Brothers, but actually it is a cover version, or a re-recording, and as it turns out, there are several versions that all sound like it.

Then there are Search Engines on computer screens, which again, look 'almost familiar'...  And URLs... And Operating Systems... This 'nothing you see or hear is real' extends to a whole set of logos, brands, advertising and all sorts of other things which can be covered by copyrights, trademarks, etc. It's a complicated business, and there are people whose job it is to make sure that all of these are thought about - in advance. (Which is, of course, also what Security people do!)

Then there are things that you might be surprised about, like... numbers.

Photo by Claudio Schwarz on Unsplash

Telephone Numbers

Whenever a movie or a television programme uses a telephone number, there will inevitably be some people in the audience who will dial that number. 'Just to see what happens!' is the usual thing that people say when they do this. So, for a popular programme, even a small percentage of 'Let's see...' people trying to dial the number could potentially cause a large shift in the use of the telephone network, or the Internet, or the Mobile/Cell telephone network, and could potentially cause something broadly similar to a Denial of Service (DoS) attack...

So, broadcasting numbers in movies and television can be considered to be a security issue. DoS attacks are just one facet of the problem, though. Can you imagine the legal problems if the telephone number happened to be the actual number of a real person or company? Suddenly it has become a privacy problem, or a data breach... But how do you find a number that is guaranteed not to ring someone's phone? Just making up a number at random could easily produce a real 'live' number - someone's number!

As it happens, such numbers do exist. In the UK, OFCOM, the telecommunications regulator, maintains and publishes a list of numbers that can be used in movies, television, radio, etc. Here is one set.  

One security-related application of numbers like this is when you are required to give a telephone number as part of a registration process. If you don't want to give your real telephone number, perhaps  because of privacy concerns, then using a number that doesn't exist (and is more or less guaranteed to stay like that) seems like a good alternative. 

Photo by Ryan Born on Unsplash

Test Numbers and Letters

Another number that you might see on screen (or in photographs for advertising) is the credit card, and this time, the reasoning behind not using someone's real number is kind of obvious - and once again, it is a security concern. But how do you test computer systems that use credit cards for making purchases? Do developers use their own personal credit card numbers? Maybe there are special 'test' credit card numbers as well? There are! Here are just some.

Credit card numbers, for example, include a check digit that shows whether the number has been entered correctly. This is so that when quoted over the telephone, or typed online, they can be validated immediately, before anything is sent to the card network. Many other similar numbers (or lists of numbers and letters) also have built-in checks.
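The check digit on a card number is computed with the Luhn algorithm, and it is worth seeing why a number can pass the check without being a real card. The following is an added example, not code from the original post: it validates a number, computes the check digit for a payload, and runs over constructed inputs. The number 4111 1111 1111 1111 is a widely published Visa-format test number (not a live card), and 7992739871 is a textbook Luhn payload whose check digit is 3.

```python
def luhn_checksum(digits: str) -> int:
    """Luhn sum over a complete number (payload plus check digit), rightmost digit first."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9              # equivalent to adding the two digits of the product
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the number (spaces allowed, as people type them) passes the Luhn check."""
    digits = number.replace(" ", "")
    return digits.isdigit() and len(digits) >= 2 and luhn_checksum(digits) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Return the digit that must be appended to payload to make it Luhn-valid."""
    # Appending a trial '0' puts the payload digits in the positions they occupy in the
    # finished number, so the sum tells us how far we are from the next multiple of 10.
    total = luhn_checksum(payload + "0")
    return str((10 - total % 10) % 10)


if __name__ == "__main__":
    # Constructed sample inputs: a published test number, the same number with one
    # digit changed, and an adjacent-digit transposition.
    for sample in ["4111 1111 1111 1111", "4111 1111 1111 1112", "4111 1111 1111 1211"]:
        print(sample, "->", "passes" if luhn_valid(sample) else "fails")
    print("check digit for 7992739871 ->", luhn_check_digit("7992739871"))
```

Luhn catches every single-digit error and most swaps of two adjacent digits (09/90 is the one pair it misses), which is exactly what you want when a number is read out over the phone. It says nothing about whether an issuer ever assigned the number, which is why a published 'test' number can satisfy every form on the web without ever charging anyone.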

Once you get into this mind-set, then all sorts of other numbers pop up. How about street numbers that don't actually exist for a road? How about non-existent Post Codes, Zip Codes, or other postal coding systems? UK Post Codes are interesting, because there's an online way of checking whether they are valid, so you cannot use a 'test' or 'unissued' one, because it will be reported as invalid. UK Post Codes can be quite specific about the addresses they cover, and so they give away lots of information about the location. Once you start mixing numbers and letters, then just about every method of providing a 'unique' identifier probably has an in-built (and online) way of verifying that it exists, and this may deliberately prevent any generic, test, or anonymous identifiers.

Predefined List

UK Post Codes lead to another interesting aspect of validation of numbers or letters by software. One of the security-driven responses to web-forms that have text fields in them is to restrict what can be entered: (A-Z, a-z, 0-9), for example. But another approach is to pre-define the contents as a list. So for Post Codes, you might have a pop-up menu that requires the selection of the first letter of the Post Code. There are a limited number of possible entries (A to Z...), so selection is relatively easy/quick, and so if you live in Manchester, you would select 'M'. But you can't enter anything other than the options that are shown. (Some letters are not used to start UK Post Codes: X and Q are two examples...). So this forces you to enter a real letter for a real location - there is no way to enter a generic or non-existent location.

So a security fix (stopping people typing arbitrary text into a field) turns into a privacy problem where only a specific entry can be made. This can happen with telephone numbers, where the number is checked and rejected if it is found to be 'invalid'. This sounds okay, until you try to enter international numbers... If the text field is limited to just the digits 0 to 9, then how do you add the International Dialling Prefix? ('44' for the UK, for example.) The usual convention is to add a + symbol, then the prefix, 44, and then the number, omitting any leading zero. Except that if you can't enter the '+', then the number starts with 44, and this is going to be automatically rejected by any validation code that 'knows' that telephone numbers always start with '0' (zero).
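The two validation styles side by side, as an added example (not code from the original post): the strict digits-only field that rejects anything not starting with '0', and a normaliser that accepts the conventions people actually type and reduces them all to one E.164 form for later checking. The sample numbers are constructed; the London ones sit in the 020 7946 0xxx range that Ofcom reserves for drama use, and the US one is in the 555-01xx range reserved for fiction, so none of them ring a real subscriber. The default country code and the length limits are assumptions made for the example.

```python
import re
from typing import Optional


def naive_validate(raw: str) -> bool:
    """The strict form field described above: digits only, must start with 0."""
    digits = raw.replace(" ", "")
    return digits.isdigit() and digits.startswith("0") and 10 <= len(digits) <= 11


def normalize_e164(raw: str, default_country_code: str = "44") -> Optional[str]:
    """Accept +CC, 00CC, national 0... and bare CC... forms and return '+<digits>'.

    Returns None when the input cannot be read as a telephone number at all.
    The default country code (UK, assumed here) is applied only to national-format input.
    """
    s = re.sub(r"[\s().-]", "", raw)           # drop spaces and the usual punctuation
    if s.startswith("+"):
        digits = s[1:]                          # already international
    elif s.startswith("00"):
        digits = s[2:]                          # international access code typed instead of '+'
    elif s.startswith("0"):
        digits = default_country_code + s[1:]   # national trunk prefix: replace with country code
    else:
        digits = s                              # assume the country code was typed without '+'
    # E.164 allows at most 15 digits; the lower bound is an assumption for this example.
    if not digits.isdigit() or not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


# Constructed sample inputs (drama/fiction ranges, see above).
SAMPLES = [
    "020 7946 0123",
    "+44 20 7946 0123",
    "0044 20 7946 0123",
    "44 20 7946 0123",
    "+1 202 555 0143",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:22} strict field: {naive_validate(s)!s:5}  normalised: {normalize_e164(s)}")
```

Only the first sample survives the strict field; every international form is thrown away, even though four of the five inputs are the same London number written differently. Normalising first and validating the canonical form afterwards keeps the input restriction (the output is still only digits) without forcing the user to pretend they live in the form designer's country.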

The Security/Privacy/Validation Dilemma

Which leads to a difficult area of software design. How do you make software that can interact with people, but which is security-conscious (choosing from a pre-defined list is preferred to a text field that will accept a limited set of characters), which allows anonymity or privacy (not filling in your middle name, your age, your gender...), but which can also be validated to check that you have not put in an incorrect response by accident, by mistake, or deliberately? This is not an easy triangle to navigate...

Just one emerging example. Before the pandemic, cash was a way of paying for something anonymously. Post-Covid, cash has become much less acceptable, and 'electronic' or 'contactless' payment methods have become much more the 'norm'. But are the payments then anonymous?

Is the future a world where the need for security and validation of data outweighs personal privacy? Has privacy always been an illusion anyway? 

(And why do some people spell 'dilemma' as 'dilemna', and insist that they were taught that way at school?)  

---

If you find my writing helpful, informative or entertaining, then please consider visiting the following link for my Synthesizerwriter alias (I write several blogs, but it makes sense to only have one 'Coffee' donation link!):


