Wednesday, July 24, 2013

Truth, Trust and Inference


Many of Canada's largest companies are running into a large problem.... Nobody trusts them.

This issue is often rooted in policy, misleading advertisements, handling of issues and now social media.  

Yesterday, in light of the SIM card hacking scandal, I asked Rogers how many 56-bit DES cards they expected to recall due to this. This is a question that normally prompts a numerical response, but they answered "we are confident that our customers and our systems are not at risk and we'll continue to monitor the issue closely."

So what, like 100 cards? 10,000 cards?

I asked them to clarify how close to zero the number is... They gave the exact same answer.

Abstaining from answering a question is usually a form of defence - but you can infer answers from abstinence. For instance, a politician who doesn't vote for a bill can be inferred to disagree with all possible choices, or to not want to be seen to help or hinder....

So when Rogers refuses to answer a serious safety question, what can be inferred?  
Two possible answers come immediately to mind:
1. They don't have a handle on it and really don't know the number.
2. They do know the number, and think the answer will scare us.

Obviously, if they knew the answer was zero, they'd earn trust and transparency by saying it...which they haven't.

The problem only affects people with older SIM cards, so new SIMs are fine (for now) as it's not practical yet to brute-force crack the cryptography. But ask yourself how many people are inclined to be "proud" of running the same SIM card for ten years or more? Yes, it's lots.

Taking all that into account, I personally believe the number can be inferred as definitely not zero, and likely in the 4-figure range. I just hope nobody is using those cards in a smartphone running the Rogers/CIBC mobile payment app.