IT Buyers Need New Purchasing Model

The hacking of Paris Hilton's T-Mobile phone records may prove a watershed moment in promoting IT buyers' security awareness and elevating their information security expectations.

The IT industry has spawned more than its share of celebrity executives. Now IT has borrowed a celebrity from the world of entertainment, heiress and socialite Paris Hilton, for marquee value in the battle to secure online systems.

Most of the world knows that Hiltons smart-phone address book contents were posted on the Internet. As yet, no one has determined whether the leak came from cracking a smart phones device-resident storage, perhaps by exploiting its Bluetooth capabilities, or from accessing Hiltons records in the T-Mobile database. To Hilton and her inconvenienced coterie of contacts, it hardly matters.

Indeed, in a service-based model of IT, there should be no distinction between the vulnerability of an endpoint device—a product—and the vulnerability of a server—that is, the nexus of a service. The PC industry has set an unfortunate precedent with the notion that anti-virus, firewall and connection-monitoring utilities are aftermarket products to be chosen, installed and configured by the user. Its high time that this precedent be overturned. ISPs and other interested parties should accept and even promote their role in end-to-end assurance. AOL has set a good example with its promotion of anti-virus and anti-spyware technology, but theres room for much more: The utility computing advocates at IBM and Sun, and the transaction-oriented powers of eBay,, Charles Schwab and the like, should change their terms of service to take responsibility for security.

This is not a whiny request or totalitarian proposal that users be protected from themselves. Its a rational expectation that users be protected from the ignorance or carelessness of other users. Hilton is not unusual in toting a dangerously powerful combination of radio receiver, confidential database, general-purpose computing engine and wireless access point to the global infrastructure in a battery-powered fashion accessory.

For example, a team from the wireless R&D consultancy Flexilis staked out the red carpet at last months Academy Awards ceremony with a backpack containing scanning apparatus and detected that 50 to 100 attendees had smart cell phones the contents of which, like those of Hiltons T-Mobile phone, could be electronically siphoned.

The problem is pervasive, and the response must be a change in the model of what we buy—not just a piece of hardware presented as a little chunk of as-is functionality but an entry point to a service whose provider takes substantial responsibility for the customers total experience.

The Hilton incident, unfortunate as it may have been for those involved, may prove a watershed moment in promoting IT buyers security awareness and elevating their information security expectations. We urge service providers to meet those expectations by delivering robust service provision agreements that will someday make the Hilton incident a bittersweet memory.

What do you think? Send your comments to

To read more from the eWEEK Editorial Board, subscribe to eWEEK magazine.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.