http://www.kuro5hin.org/story/2002/10/29/184031/40
The Great Security Panic (Op-Ed)
By mingofmongo
Thu Oct 31st, 2002 at 07:07:22 AM EST

After a good solid 40+ years of handing our credit card info to minimum-wage workers at stores that don't shred anything and often throw out this info in dumpsters in the alley - we are now taking a rather inexplicable interest in the security of information that is strongly encrypted from end to end.

Do we really need more security in home computers, and on the net in general, or is this just a bunch of greedy nerds trying to flex their geek-muscles in public? Is this a legitimate concern, or just sheep being fattened up for the slaughter? Is my sarcasm coming through, or are you really unsure of my stance on the issue?

Observe two criminals. Each one wants your stuff. Criminal A is sitting at home in his underwear staring at a computer monitor. Criminal B is sitting in a van across the street from your house.

A has to gain access to the network your computer is often on. This may or may not be easy. Best case (for A) is that he is on the same 'last mile' as you and is simply there with you. Worst case is that he has to hack his way across several networks to a machine on your network. B just waits until you aren't home.

A's options at this point are to try to get into your machine, or just sniff your network traffic. Breaking into your machine requires either guessing authentication info from things A knows about you or by analyzing network traffic in hopes of getting some info, or by making use of a security hole (bug) that may or may not exist on your system, and may or may not have been fixed. If A is really sneaky, he may try to trick you into installing something that makes his job easier, but you need to be really stupid for this. B's options are: pick a lock, break a window or break a door with a big hammer.

A must take care to clean all logs on each machine he has used in this process, and any logging routers he passes through if he wants to cover his trail adequately.
B should wear gloves, and keep his visit short.

A will learn the contents of your grocery list, the love letters you wrote to your boss's wife, all those digital camera photos of your cat and if you are really dumb, he may get a credit card number. He may or may not get the expiration date, which makes it useful. If A just sniffs the network, he will get those love letters again, the cat photos you sent to your cousin, and a big garbled mess of encrypted data from your last Internet purchase. If A is skilled, and has a fast machine, he might crack this encryption over a period of 10-20 months if at all, and then you may be out the $50 you are responsible for in case of fraud.

Meanwhile, B has just stolen your computer, your jewelry, the mad-money in the soup can, your DVD collection and your favorite velvet Elvis painting.

Not surprisingly, more people have more stuff stolen from them in real life than on-line, by a very wide margin.

The fact is, if you aren't a complete schmuck, you have very little to lose to a hacker as long as you don't keep important data on your machine, and you don't send it insecurely. You have absolutely no need for "palladium" or any other heavy metals to protect data you are not being careless with.

The fact is, you are not even a target. You, as a normal computer user, are the most uninteresting person on earth to a hacker. You don't have anything they want. There is not likely anything they can use or learn from on your machine. You do not likely have any porn that they can't get for free on Usenet. They don't want your financial info, when they can go dumpster diving for 20 or 30 cardz in a night.

The answer is not draconian security measures that you will not benefit from at all. The answer is to use the same logic that keeps you from eating food you find lying in the street. At some point, you were probably taught that it is bad to eat candy-bars you find lying on the ground.
At some slightly later point, you realized that this was good advice. I'm betting that the vast majority of my gentle readers do not, on a regular basis, eat food they find lying in the street. You just don't do it. There is no intestinal security device that keeps you from putting trash in your mouth - you just don't do it.

It should be obvious to most people now that information is like food, and there are things that you don't want to do with it if you want to stay healthy. And if occasionally someone doesn't get it, it is no bigger tragedy than when people buy gold from strangers on the telephone. There is no good way to keep fools from parting with their money and info. Think of it as a corollary to Barnum.

Security that people don't have to think about at all is bound to fail. Security has to be a conscious thing. You make an effort to lock the door of your house. You have a pretty good idea what will happen if you leave the keys in your car enough times. Why should computer security be any different from ordinary real world security? The basic law of the universe is: don't do anything dumb. If you follow the law, you will be secure at home and on-line, among other benefits. If you break the law, you will have lots of problems anyway.

Tell everyone you know that you don't need help to avoid stupidity. Have big conversations about how you are not mentally deficient, and don't need a "mom" in your computer to watch over you. Learn something rather than just believing every piece of FUD that rains down on you from on high. If people start talking about this enough, someone in marketing at Intel or M$ might start to fear for their bottom line, and stop this foolishness.

Or maybe we are really that stupid, and need our hands held all the time.