Mandated Lack of Security for Security’s Sake

I needed a QuickBooks Desktop license to access a company file for a lawsuit, so I bought one. Being paranoid, of course I put it on a machine not on the internet so that nothing I did could expose it (it’s not my data, of course I wouldn’t want it accessible online).

Since I did have the new QB Desktop (QB Premier 2021) I fired it up to experiment with importing transactions.

And discovered that in order to use QB Desktop I had to be online and logged into Intuit.

For my security I had to expose my accounting data to the internet …


The Intuit Rationale

To be reasonable, I want to explain their rationale by citing their site:

Improved user experience and security protocols are being introduced for the QuickBooks® Desktop software user by requiring the Company owner to log in to an Intuit® account when opening the Company file. Having an Intuit account provides a secure, single source login for access to all of Intuit’s powerful offerings, including owned QuickBooks Desktop software and connected services.

Intuit Site

So, this is introducing security protocols. Great, let’s see what features I need to be logged in to access?

Requirement: Currently, QuickBooks Desktop users will find an Intuit account is mandated for the following scenarios:

When a new QuickBooks Company file is created.

For QuickBooks Desktop users with the following connected services: Payments, Payroll direct deposit, TSheets time tracking, Payroll Workforce, Receipt Management (new for QuickBooks 2021), and more to come.

ACT QUICKLY! When an existing QuickBooks Desktop Company file is opened using the Admin credentials, and no Intuit account is associated with the file, the QuickBooks user will be prompted to login or create an Intuit account. Pro and Premier users may choose to delay this action for up to 28 days and QuickBooks Enterprise users up to 42.

Intuit Site

So, to be clear, it’s crucial that my offline computer be connected to the internet (with any risks associated) in order to protect me by requiring me to create an account with an external company (Intuit) that identifies me … this is to make me safer. Because, being completely disconnected isn’t safe?

And, if I wished to track timesheets or manage receipts (both of which can be done locally) I must also be online.

And, if you don’t connect your new company file to an Intuit account (the one that they said was needed to create it, in fact, it’s not) within 28 days — then what? It doesn’t say, but I’m hoping not “You’re locked out,” though that wouldn’t surprise me.

Why would I want QB Desktop instead of QB Online? Perhaps, so that my accounting data was kept secure without being embedded inside an external corporate honeypot?

Analysis Failure

This is an example of failing to understand the customer’s needs. I understand the rationale that Intuit is offering, but let me re-state it in straight language and not market-speak: Intuit doesn’t believe that their customers have sufficient discipline when using the product and is therefore enforcing Intuit server-driven control for access and operation even on a Desktop product.

Are there some people who use QuickBooks that are in fact going to screw things up? Of course there are. But are you one of them? Am I?

If the product asked when setting up the company “Do you want to enable the Intuit Security Protocol and Intuit Account Integration?” and then explained what the linked page quoted above said, and people chose it that would be Intuit leading with courage by enabling (!!!) their customers who need the support to have it instead of punishing those who don’t need it by mandate.

Why Mandates Are Generally Unwise

The problem with a mandate is that it becomes inescapably enforced. There are some mandates that are reasonable. I am generally glad that it’s illegal to murder, for instance.

But almost all mandates that aren’t domain-based are a mistake. Mandates are the opposite of choice.

For an accounting program, such as QuickBooks, a domain mandate is that for each transaction the sum of debits and credits match. That’s a key factor of double-entry bookkeeping. Violating that would be to fail the constraints of an accounting program.

A choice is to connect to the bank online to pull records or to go to the bank’s website and request a QBO file, which can then be imported from the local drive later. QB has that choice, and that’s a powerful choice, better than forcing the computer to connect to the bank.

Of course, QB Desktop mandates that you be connected to the Intuit account online in order to import the QBO file that was copied over via sneakernet (a USB stick). Oops. They crippled their choice by allowing you to only import a local file if connected to the online Intuit account.

This is the other problem with mandates. They infect everything else. Once the assumption is that the internet is always there, even features which do not need the internet become unusable without it. Because it’s always there, it’s suddenly required for everything.

A Recurring Problem

This assumption is really common in many things today. For instance, everyone is expected to be able to use their phone to scan a QR code to show a restaurant’s menu. Except — not everyone actually has a cell phone that does that. For instance, I use a flip phone still.

And of course, if you have a device, it’s always got the internet available. Always, eh? Even when a mile or two offshore on a sailing catamaran? When making a passage over an ocean, I’m not allowed to do bookkeeping while belowdecks, on a program installed on my computer, because it can’t reach the internet to authenticate?

Assumptions are horrible things. Assuming an internet connection doesn’t even work when ashore. Drive between Las Vegas, NV and Phoenix, AZ. There are many stretches where there are zero bars of cell coverage. Hope nothing you sought to do on your 3G iPad needed to be online…and given how many installed apps (such as The Economist app) request that you log in with your Apple ID if you aren’t (I never leave the iPad connected with my Apple ID live) you’d be surprised what sometimes you can’t do when in airplane mode.

In fact, an iPad can’t even be _used_ until it’s connected to Apple — because of course you connect with an Apple ID and register your device. Apple has many good reasons for why that’s useful, but in fact, if you then flip the device to airplane mode and never use it online again it will work, so why mandate having linked it to an Apple ID?

Am I Just Paranoid?

At some point, most of my friends think I’m paranoid. I run web browsers with NoScript and I run Little Snitch on the Mac — and require everything to be whitelisted. On my machine, I can’t hit anything without pre-approving it when it tries.

But I have a few issues, which are painfully real:

  1. I worked in cybersecurity for nuclear power plants and actually learned what’s out there and how dangerous it is.
  2. I do cruise in a sailing catamaran that has no internet.
  3. I do use detached computers because if you run Microsoft Windows without an internet connection it’s stable and never needs updating.

Most people don’t go to the extremes that I go to, but should it be hard or impossible to buy a device, not hook it to some mega-corporation, and use it?

It’s very hard to attack my offline computers. It’s possible to attack my Mac, albeit very difficult.

I understand the argument, “We have to do the things that protect our less savvy customers and if you’re that special a case you’re not important enough to us and go elsewhere.” And that’s fine — except that their protections weaken the very “unsavvy” users they seek to protect, by teaching them to use centralized ID (such as an Apple ID or mobile phone number) across multiple services and then to respond to requests to authenticate anytime they pop up…

These are the very behaviors that let all of your online actions be tracked and tied to you, and why when a mistake is inevitably made, identity theft is so powerful. All those things tied to that single ID fall like dominoes.

And in security, it only takes one thread to pull and you’ve got them. Attackers have that edge. That’s what it means for them to be an adversary.

Security theater (as Bruce Schneier calls it) is actually bad for being secure.

So yes, I’m paranoid — because we all know that no major companies or national agencies have ever been hacked and we’ll never have what we’ve been forced to share and inter-connect used to harm us. I mean, that would never happen, right?

And I’ve got a wonderful Golden Gate Bridge for sale, get it cheap. Just send me your credit card, expiration date, and three digit security code …

(EDITED TO ADD — WSJ had an article on the problems of everything being networked and smart published right after I wrote this: Stressed by Smart Tech? Consider These ‘Dumb’ Devices. They address failure and privacy more than just security.)

Keep the Light,
Brian Jones
