Security Without Idiocy, Part 2.7

Tuesday, 2007-July-17 at 15:27 1 comment

This is part of a series.  You may see earlier entries in this series:
»Part 1
»Part 2
»Part 2.5

Personal Responsibility

The message of part two was that users need to understand what is happening and take personal responsibility for their actions and the effects of their actions.  A good way to picture this is to imagine if people behind the wheel (that is, drivers of automobiles) could say "The security guy did not tell me that ignoring traffic signals could cause me to collide with a school bus!  They should make cars automatically stop when a school bus is coming."  Sounds stupid, doesn't it?  Most people understand that (1) actions have consequences, and (2) that ignoring traffic signals can cost someone's life.  Since computer networks can be just as powerful (and therefore dangerous) as motor vehicles, the same idea applies.

Today's Application

Have you ever seen that commercial for Southwest Airlines where someone opens an e-mail attachment and infects the entire company network?  That illustrates a potential effect of opening files that come from another computer.  Of course, reading this site is nothing more than reading files that come from another computer, so you have to make some decisions about which ones to trust.  Most of us have an uncle or friend that has never thought about restricting what kinds of messages he forwards.  We then have some people that seem to be over-paranoid about what they'll send or forward or even open, and the vast majority of people, who fall somewhere in the middle.

It does not make it easy, and that is the point.  There is no "quick and easy guide to computer security", just as there is no such guide for securing your home.  You have to use common sense to modify the suggestions of local law enforcement so that the result fits well with your lifestyle.  It is the same with the computer and the network.

You may have installed a front door that automatically locks when you leave. (If they do not already have those, I’ll file a patent on it–it is only a matter of time before they come out.)  If you frequently walk outside without your key, then that door does not fit your lifestyle.  You have two choices: modify your lifestyle by carrying your key with you at all times, or replace that lock with one that requires you to intentionally lock it.  Online security is no different.

One place where we can improve is on these automatic password remembering systems.  Note to the I.T. community: requiring thirty different passwords in order for users to do their daily business is idiotic.  It pretty well guarantees that the users will have to devise some way to reuse passwords across sites as well as encouraging the use of software password memory systems.

I was at the local library one day, using one of the public-access Internet computers.  I navigated over to one of the popular Web-based e-mail services, where a previous user had forgotten to uncheck the "remember logon info" box.  Taking that computer to the mail site immediately logged me into that user's account.  The purpose of a password is to restrict use of an account to someone who knows the password.  As soon as you start using this kind of checkbox (or the corresponding software, often built into your browser), you have defeated the purpose.  You will notice, however, that it is checked by default in at least one of the major services(*cough* Hotmail *cough*).  If you use this functionality in a public-access facility, you have signed up to have your account hijacked or taken over.  Fortunately for the user in question, I was able to log him / her out and turn off the memory function.

Apply Common Sense To Software Licensing

No one reads the legalese of software EULAs and service agreements, but we have to use some common sense.  If the price seems to be out of line with competitors, find out why that is.  Are you agreeing to accept spyware and adware?  Is it a trial that will require a full-price purchase later?  Is this an ISP that will hijack your connection to infest the pages you download with ads (in addition to or instead of the ads that support the content provider whose site you are visiting)?  Is this a limited-bandwidth or limited-use offer?

Does the legal agreement seem to be longer than usual?  Who are the parties to the agreement?  (This should be in the first few paragraphs.)  What legal system does it fall under?  Nearly all such agreements are designed to give all rights to the provider / vendor and take all rights from the purchaser / consumer, so if you get any feeling that the other party is malicious, refuse to agree or to use their product or service.  Otherwise, you may find that you are legally obliged to continue paying for the privilege of using something that you can not or will not use.

Does the product contain TUR (technological usage restrictions, often euphemized as "digital rights management"), removing control of your equipment from your hands and giving that control to a content provider whose interests are opposed to yours?  Have you had to purchase multiple copies of the same song because you listen on different devices?  The unskippable previews and warnings at the beginning of DVDs and things like region-coding are only the beginning of what is possible with TUR techniques, while the Sony rootkit scandal of a few years ago is an example of the security risks associated with TUR.ౘ If I was a bad guy in Russia or China, for example, I would be working on misusing the TUR of HD-DVD and BlueRay so that users would have to e-mail credit card info in order to watch a movie.  Of course, I would claim to be Microsoft, since their "activation" process appears to be much the same thing anyway.

Health Risks

We know from surveys that a significant number of people do not wash their hands after visiting the "facilities".  We also know that this can pass disease organisms from person to person.  You may be the one who does your business and gets up and leaves, while someone else may wash vigorously under painfully hot water for a minute or more, followed by putting on latex gloves before he or she opens the door.  It is all about what level of risk is acceptable to you and how much contact you have with other people.  Please, if you do have much contact with other people, go ahead and wash your hands.  The gloves are unnecessary, but I recommend a good thirty-second wash as a courtesy to others.

Wrap Up

Ultimately, there is no such thing as perfect security or safety.  Instead, we have a range of perceptions of riskiness and different people perceive riskiness differently.  The key is for each user and each organization to decide on the acceptable amount of risk and act to contain riskiness within that level.

Mandatory disclaimer: I am not a security guru, nor a lawyer.  This is not security advice.  This is not legal advice.  This is not medical advice.  This is not accounting or bookkeeping advice.  Your mileage may vary.  Consult dealer for details.  Taxes, registration fees, and dealer preparation fees extra.  Consult a doctor before beginning any diet or exercise program.  On approved credit.  Not all buyers will qualify. 

Entry filed under: Society, Software.

Security Without Idiocy, Part 2.5 The Emerging Conflict: Corporate Interests Vs. Your Interests

1 Comment

RSS Slingshot

  • An error has occurred; the feed is probably down. Try again later.

RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Unknown Feed

  • An error has occurred; the feed is probably down. Try again later.

RSS Owner Managed Business

  • An error has occurred; the feed is probably down. Try again later.


Recent Posts

Blog Stats

  • 598,611 hits

Top Clicks

  • None


%d bloggers like this: