Archive for April, 2007

Lazy Security, Part 2

April 27, 2007

Well, so here is the rest of my story. About 8 years ago I got together with Chris Doyle and Charles Johnston, some great Linux IT guys, and started working on Linux dynamic site hosting. Security was a big concern for us, and so I started reading books about cryptography, security, etc. I would definitely recommend “The Code Book” by Simon Singh. It’s a good introduction to security and encryption.

I directed the software development, and I let Charles and Chris run the IT. But I always felt that the two should work together, and that you should have a team approach to building and designing the network, so we brought in our programmers and even our office manager as well. My thought on this is that if you make the security overbearing, people will go around it. For example, if you give people 30 digit random passwords, they will generally write them down and tape them to the monitor. I had read all of these books about social engineering and hacking, and I had learned a lot of those lessons as a kid growing up with phone-phreakers and hackers as friends. Many dangerous security attacks are more of a confidence game than a virus.

For example, the type of security attack called “Phishing” is far from a novel idea. It was the easiest way to get a password from somebody. Just pop up a dialogue or prompt on their terminal and ask for it! These types of attacks are nothing new. As long as we have economic disparity and the internet, there will be some person in a poorer region who decides it’s worth his time to try to steal your credit card data. This is not new at all. The Nigerian Scam has been around for many years. It’s just convenient to use the internet to help perpetrate the scam.

My conclusion is that the best kind of security is the kind that is understood and embraced by the people who use it. And it’s still not foolproof. People make mistakes and often have poor judgement. Every book I have read on security and crime recites the same set of simple rules: put locks on your doors, have a well-lit entryway, lock your car when you leave it parked, don’t walk down a dark street alone at night. If only internet security advice were as practical and simple! A lot of the “security measures” offered for computers are scams themselves that don’t protect you at all. A lot of security measures are real, but still fail to address the core security problems.

Here’s an example: PayPal. PayPal’s web site uses SSL encryption. Most of their customers have browsers that support really great encryption. BUT thousands of people have their PayPal credentials stolen from them every single day, and in the theft process (Phishing) the PayPal web site and servers are never even accessed. The only solution is to educate the users. And how exactly do you do that? More on this in my next post.

The hidden beauty of laziness

April 10, 2007

Years ago I read this book by Stephen Gerber called “The E-Myth Revisited”. It was all about how to streamline a business and make it into a real money machine. He explains that most small businesses are like a performance concert (my analogy, not his) where the virtuoso (the owner) has to perform constantly, playing all the songs himself, from memory, just to keep things running. He says that instead you could take your business process and write it up into a book and simplify it until you can teach drones how to do it, and that you then have a real repeatable business model. Kind of like a player piano.

In fact, it’s sort of like what happens to the USA in the book “The Player Piano” by Kurt Vonnegut. To be fair, I liked both books. Vonnegut’s book was a lot funnier, and in a way a little less sad. I think Gerber’s view of the world illustrated a sort of sad reality. Because what his idea teaches is the need to remove the personal touch from your business to make it really grow. Which is fine, but I would rather have robots. If the drones at the drive-through are going to have a blank stare, they could at least be mechanical and be programmed never to forget to give me a straw with my drink.

The business model Gerber is talking about (without coming right out and saying it) is McDonalds. I think he was actually a consultant for McDonalds. Someone look that up, please. And I don’t hate McDonalds, either, except when they forget my straw. Now Neal Stephenson’s book “SnowCrash” really had a way more incisive take on Gerber’s idea of franchises–it’s a tongue-in-cheek near-future sci-fi book that predicts everything will go the way of Stephen Gerber and turn into a franchise with plodding workers and managers consulting the “Corporate Manual” to make every single decision. Even neighborhoods and the Federal Government have become franchises with 3-ring binders explaining every piddling step in the business process. For the record, I think the SnowCrash world is a lot more like our future than The Player Piano is.

Now back to McDonalds. I love little one-off restaurants. I love street tacos. I love dirty little places with amazing food and beers and sodas you have never heard of before. Most of the chains just don’t measure up. I sometimes go to McDonalds, though, because it’s quick and cheap and I don’t even have to get out of my car. And THIS is a critical and important lesson that I have learned. I value quality a LOT, but everybody is busy, and in our busy lives we have to make sacrifices. Like eating a chicken-like pseudo sandwich served by sad McClones instead of a piping hot plate of fresh, homemade manicotti served by that awesome, fat, loud, Italian guy at the family-run restaurant downtown. It will probably be gone in 5 years.

And the lesson here is that people will make sacrifices. We will settle for less than what we want because we are all running out of time, every single minute of our lives. We take risks and cut corners and settle for crappy sandwiches because we are all slowly running out of life and breath, so we have to. And also, we’re lazy. So we have to plan for our laziness or things will never, ever work out for us.

How does this apply to Site Security? Well, it’s something I have discussed with my Admins and IT staff for many years. There’s only so much time available to deal with security. And even if you have vast resources to apply to the problem, there is still a limit to what you can do without ruining the party for your customers and employees–the ones you are trying to protect in the first place. So you have to cut corners. When it comes to security, I think you have to develop an “A List” of security principles and steps so convenient that you never skip them.

Think of seatbelts in cars. They only offer a moderate amount of protection. Race car drivers have much fancier protection, like helmets and roll cages and five-point safety belts and even fire-extinguishers right in the car. But we everyday passengers have to cut corners so we don’t mess up our hair or have a higher car payment. And statistically, it works. Fewer of us die in car crashes. My “A-List” is basically a guide to putting on my seat-belt when I create a web site or web app–and it has to be things I can do quickly and easily… or I’m liable to skip it when I get in a hurry.

That’s it today–I’ll write more about this later this week.