phones: don’t be complacent with your trust

We trust our phones to connect us to the world, and they allow us to prove our identity.
They are an authentication factor in themselves – proving we have the phone, is one measure of proving we are the owner of an account (via Email, SMS, Google Authenticator, etc).
Proving we can unlock the phone is itself another measure. (Mostly just to prove we didn’t recently steal the phone.)

So why do so many of us who also use our phones for work, agree to trust our employers with complete control over our phones?

I recently wanted to access my work email on my phone, so I installed the email app, and it told me I must have an administrator allow the connection.
So I contacted my friendly local sysadmin, and they said:

You need to install the policy tool on your phone before we can allow you to access work email on your phone.

Fine. So let’s look at the permissions this “policy” tool is requesting:


Notably, the app wants these permissions:

  • Erase all data on the phone by performing a factory reset.
  • Change the screen lock.
  • Lock the screen.
  • Enforce storage encryption.

I understand these requirements from a security perspective; they are all administrative functions I would want to have control over, if I owned the phone – which I do. The problem is that the company who I work for does not own my phone. I will never trust them to the same degree that I trust myself.

When I spoke to my colleagues about this, they all said the same thing to me:

But the company will never actually _use_ any of these permissions. – They just want to be able to delete your email from your phone if it’s lost or stolen.

This completely misses the point.

I refused to place my trust in this app for two reasons:

  1. Apps should not be granted more permissions than they need to fulfil their purpose.
    If I agree to these permissions, then it has the power to use them, regardless of any good intentions.
  2. Whether I trust the SysAdmins of my company is irrelevant.
    If a SysAdmin in my company can control my phone – then I’m also entrusting this control to a string of black-box processes and procedures that I have no control over.
    I treat my phone security very seriously – *Nobody else* has the same motives to protect my phone, as I do.

If my company gets hacked – or if any one of the SysAdmin’s accounts gets hacked (and there are probably multiple Sysadmins that have the same access to control my phone) – then a malicious actor now has the ability to lock out my phone, or wipe it with no warning.

This may have the following side-effects:

  • Loss of personal files/photos stored on the device (assuming they aren’t all backed up to the cloud somewhere)
  • Loss of 2-factor login codes (because you don’t have a U2F device)
  • Loss of 2-factor backup codes (unless you keep them stored somewhere safe, and not in a text file on your phone)
  • Loss of other account passwords that you keep in an encrypted text file that you keep on the encrypted SD card in your phone (which isn’t in the cloud, for “security”…)
  • Inability to contact anyone (because you don’t actually remember anyones phone number anymore)
  • Inability to buy things (because you rely on Apply|Android Pay and no longer carry cash or cards)
  • Inability to use public transport (because you use an App for that)
  • Inability to control your house heating/lighting/door-locks (because you can’t get enough of those IoT devices)

But these issues aren’t limited to you. This policy is something that everyone in the company who wants access to their email on their phone, has to agree with and accept.

So if I’m a hacker and I’ve compromised just one SysAdmin account – I have the ability to wipe the phone of everyone in the company who has placed their trust in this app.

Does this include the CEO or board of directors?
Does this include all of the security staff?

Desired Outcomes

A malicious actor might choose to disable these devices for the following reasons:

  • To destabilise a company during a critical period of business, causing financial harm.
  • As part of a campaign to cause as much damage to the company as possible.
  • To inhibit security personnel from countering the actions of the malicious actor.
  • To restrict the short-term management of company stocks and shares.

General Motives

  • Individual victimisation.
  • Retribution against the company.
  • Competitor motivated or financed.
  • Foreign government de-stabilisation.

Victim / Target

The intended victim in this attack can vary a lot. As a user, I might intentionally be the only victim in a directed attack, but I could also just be one of billions of victims.

  • Single targeted user.
  • A group of users within a company who share a common function. (eg. Security Personnel)
  • The company itself (All users of the app in the company)
  • All users of the app (If the app or app company is targeted)
  • All users in a specific country (In a state-sponsored attack on a foreign government, as part of a de-stabilisation process)

Mitigation

  • Any app you require your users to install on their devices, should only have the permissions required to serve its purpose.
  • The ability to perform actions on users’ personal devices must be restricted to those who absolutely need it.
  • Multiple SysAdmins should be required to act as a “group action” to carry out a non-reversible process such as ‘wiping a device’.

Summary

As a company, we need to be less cavalier about what we ask our users to trust us with.

As an employee, we need to be more protective of our own devices, our data, and our privacy.

As system designers, we need to allow for multi-admin safeguards, to ensure any action that results in any action against a user’s device can only be carried out as the collective actions of an authorised group of administrators.

As system engineers, we need to ensure any actions that are carried out are recorded and audited, so that misuse of the system can be identified, reported, and investigated thoroughly.

my etsy shop

My Etsy Shop is currently closed while I focus my time on my new business.


I have recently started an Etsy shop, so I can start selling some of the woodwork pieces I create.

Visit my shop here: StampyCraft on Etsy.

I also take custom orders, so if you see anything you fancy, send me a message!

Here is a gallery of some of my work, which I plan to update over time.

[supsystic-gallery id=’9′]

my new workshop

For years I’ve wanted a decent-sized workshop in which to do my woodworking, electronics, and general tinkering, as well as preferably having a desk from which I can ‘do code’ in away from the distractions of the house.

When I moved into my new house in 2015, I purposefully bought a place with enough garden space in which I could have a good sized workshop, and in early 2016, this became a reality.

I spent weeks reviewing different sites offering sheds, log cabins, converted shipping containers, etc. and eventually decided to go with Tuin, because of the high number of quality instructional resources they supply on their products. These range from preparation, building foundations, log cabin assembly, roofing types, guttering and drainage, troubleshooting and common problems, and a thorough Q&A section.

Planning ✏️

So that part done, I had to figure out what size cabin I wanted, so I mapped out the area available, and started looking at available designs.

I figured 3m width was probably a good bet, as this seemed to be a fairly common width for cabin sizes, and this meant I could go between 3m and about 6m for cabin length while maintaining a good sized gateway/path area between the cabin and the house.

Eventually I settled on the ‘Julia’ cabin, at 3m x 5m was a decent size, with only one side window and central double-doors would give me plenty of wall space. The design of the log cabins on Tuin means opposite walls can be swapped, and flipped to either end of the cabin, so I could move the window from the position shown on the website.

So here’s the new map of the workshop area with the Julia cabin in-situ.

[supsystic-gallery id=’2′]

So then it came down to getting the specification right for my cabin – and I had some requirements.

  • The foundations must not be concrete – as I know that concrete is not environmentally friendly, nor cheap.
  • I wanted to build the log cabin myself.
  • I will get an extra layer of logs, so the height will be increased a little.
  • It needs to be properly weatherproof, so I can have computer equipment and such inside, and so my tools don’t rust.
  • The cabin must be pre-treated, as once built, I wouldn’t be able to access the outside far-side very easily because it would be up against the garden fence.
  • The cabin must have guttering, so I could collect it and use it on the garden.

Once I’d decided on these options, I put the spec together on the website, and placed my order. ?

Now the waiting.

Delivery ?

I received a good level of communication from the nice folks at Tuin, and the cabin was delivered about 10 weeks after I placed the order. This was mainly because the ‘painted logs’ pre-treatment option I wanted had an 8 week turnaround. It was worth waiting for though.

As my road is a cul-de-sac, I was hoping the delivery fork-lift would be able to come up the curb and deliver onto my front lawn, but this didn’t quite work out. The driver was concerned he’d damage the drains up the footpath if he tried, so we agreed to have the delivery left on the side of the road and I’d have to transport the pieces one by one up to my garden, a distance of about 40 yards.

sigh ?

So I got to work moving the pieces by hand. After about 10 minutes, the neighbours (who had been watching), started emerging from their houses to see what was going on. And one by one, they offered to help, and joined in the procession of collecting and migrating these pieces from the roadside, onto my lawn. In the end, we had about 10 people, even some of the youngest children on the street, all chipping in to help me get this giant jigsaw puzzle onto my front lawn… I’m very thankful for having wonderful neighbours 🙂

[supsystic-gallery id=’3′]

Foundations ?

I decided on environmentally-friendly reinforced plastic grids called ‘Probase’, made of 100% recycled materials. You can find out more on their Facebook page: ShedBaseUK.

This stuff turned out to be brilliant, and I won’t hesitate to use these again in the future. I’m not recommending the site I bought them from because they also supplied what they called “weed membrane”, and within a week there were weeds growing straight through it… ???

I used a straight piece of 2″x2″, a paving slab, and a spirit level, to make sure the base for my workshop was as level as possible.

[supsystic-gallery id=’4′]

The Build

Top Tip: Watch all the instructional videos from Tuin on how to build the cabin, they were very helpful in giving me hints and tips on how to go about building my workshop, and also the music in their videos is quite relaxing ?. One word of advice though, watch the videos on a PC or laptop – they use a lot of the YouTube ‘overlay text’ to describe whats going on in the videos, but these overlay text features aren’t even visible on mobile devices. (Tuin guys, if you’re reading this, please consider editing the videos and putting the comments directly into the videos themselves!)

I did learn that the door and window frames are difficult to put in late – I should’ve put the door frame in after about 5 layers, not 15 ?…

Also, don’t try to put the larger glazed window units in by yourself.. you need to hold it up in the air at a strange angle to hook it onto the hinge points – and it’s heavy…

[supsystic-gallery id=’8′]

Roofing ?

I had to trim the edges of my cabin roof, to prevent it overhanging the boundary of my property, so I lost about 4″ of roof on each side. This didn’t really have any negative effect on the build as far as I can see.

Top Tip: If you’re going to do this, cut all of the roof planks before putting them on the roof. I decided to nail them all in place before I cut them, and it would have been much easier to cut them beforehand.

Working with the felt shingle was probably the most difficult part of the build, unexpectedly so. The reason for this is basically because it involves lots of kneeling or sitting down, shuffling about constantly, in the wind, in the rain, in the sun, with no shelter, for hours.

I got sunburnt at least once doing this.

If doing this yourself, I would recommend taking regular breaks, don’t spend more than an hour at a time on it. The workshop won’t be affected in the long term by a little bit of rain.

[supsystic-gallery id=’7′]

Flooring ⛏

I didn’t manage to take any pictures of me installing the flooring, partly because I was rushing to get it finished so I could put stuff inside it out of the coming rainstorm, but mostly because I forgot.

I chose the 27mm flooring option as an upgrade, as I wanted a nice strong floor for my woodworking and potentially for any heavier equipment I might buy in the future ?

Guttering ?

Here’s some photos of my guttering, along with a 1000L IBC Water container I bought to collect rainwater – because those 200L green water butts are just not good enough ?.

I wanted to filter the roof-debris from the water going into the tank, and keep it as sealed as possible to prevent nasties from breeding in there – I’m going to use it for watering the plants, and possibly flushing the toilet at a later date.

So I set up the guttering, and directed the down-pipes into buckets that I’d hung up, although one of the buckets can just sit on the water tank, which is simpler. From each bucket, there is a pipe connecting to the top of the tank – and I have used a glue-gun to seal the tube into the base of each bucket.

The tank will be gravity-fed, so the buckets only have to be as high as the top of the tank.

Into each bucket, I have put some thick aquatic-grade filter foam (this is the same stuff I use in my cats’ drinking fountain – because they’re spoilt beasts).

[supsystic-gallery id=’1′]

Electrics

I’d recommend anyone who wants to put electrics in their cabin to get a qualified electrician to do it – Luckily for me the guy who used to live in this house was a qualified electrician, and he’d put electrics into the shed that was here before I tore it down ? So I just re-used that connection, fed it into the cabin, and hooked it up to a distribution box I wired up myself.

In order to meet building regulations for the electrical safety aspect, I fed the house feed directly into a wall-mounted socket – so everything that I plug into the socket isn’t actually counted as part of the house wiring, which means I can wire my distribution box and everything else attached to it to my hearts content, so long as it all plugs into the house via a 13A socket ?.

**Disclaimer: I do have a fair amount of experience in electrical wiring though, and I have the relevant equipment to test the stuff I wired up – I will always recommend anyone else get an electrician to do their wiring, and I’m not going to do yours for you either ?

[supsystic-gallery id=’6′]

Internal Setup ?

Inside my workshop, I have a main workbench, which I built using scaffolding, key-clamps, 9″x2″ structural beams left over from an earlier project, and topped with 18mm plywood.

This is the best workbench I’ve ever had, it’s solid as a rock, and cheaper than most workbenches I’ve seen, especially for the size.

Into the bench, I mounted my router table (router fence is a future project), a mean looking bench-vice with mini-anvil (I mounted this above a corner so as to direct any impacts directly into the floor), and my faithful Axminster scroll-saw, which is undoubtedly my favourite piece of equipment.

Opposite this bench, I have an older bench made from a dresser unit topped with more 18mm plywood, on which sits my trusty DeWalt bandsaw.

At the far end of the workshop I have my computer setup, which I will describe in depth in a future post.

[supsystic-gallery id=’5′]

Workshop Review ✅

I love my workshop – and wouldn’t hesitate recommending Tuin to everyone – they are a friendly and helpful bunch that even sent me free guttering when I didn’t buy enough because I can’t read properly ?.

They always quickly replied to my questions via email, and have even responded outside of normal working hours.

Their products are brilliant – and are sourced from FSC sustainable sources, which is something everyone should be looking for when buying wooden buildings.