
Lazy Security, Part 2

April 27, 2007

Well, so here is the rest of my story. About 8 years ago I got together with Chris Doyle and Charles Johnston, some great Linux IT guys, and started working on Linux dynamic site hosting. Security was a big concern for us, and so I started reading books about cryptography, security, etc. I would definitely recommend “The Code Book” by Simon Singh. It’s a good introduction to security and encryption.

I directed the software development, and I let Charles and Chris run the IT. But I always felt that the two should work together, and that you should have a team approach to building and designing the network, so we brought in our programmers and even our office manager as well. My thought on this is that if you make the security overbearing, people will go around it. For example, if you give people 30-digit random passwords, they will generally write them down and tape them to the monitor. I had read all of these books about social engineering and hacking, and I had learned a lot of those lessons as a kid growing up with phone phreakers and hackers as friends. Many dangerous security attacks are more of a confidence game than a virus.

For example, the type of security attack called “Phishing” is far from a novel idea. It was the easiest way to get a password from somebody. Just pop up a dialogue or prompt on their terminal and ask for it! These types of attacks are nothing new. As long as we have economic disparity and the internet, there will be some person in a poorer region who decides it’s worth his time to try to steal your credit card data. This is not new at all. The Nigerian Scam has been around for many years. It’s just convenient to use the internet to help perpetrate the scam.

My conclusion is that the best kind of security is the kind that is understood and embraced by the people who use it. And it’s still not foolproof. People make mistakes and often have poor judgement. Every book I have read on security and crime recites the same set of simple rules: Put locks on your doors, have a well-lit entry way, lock your car when you leave it parked, don’t walk down a dark street alone at night. If only internet security advice were as practical and simple! A lot of the “security measures” offered for computers are scams themselves that don’t protect you at all. A lot of security measures are real, but still fail to address the core security problems.

Here’s an example: PayPal. PayPal’s web site uses SSL encryption. Most of their customers have browsers that support really great encryption. BUT thousands of people have their PayPal credentials stolen from them every single day, and in the theft process (phishing) the PayPal web site and servers are never even accessed. The only solution is to educate the users. And how exactly do you do that? More on this in my next post.