A Silver Lining in a Gloomy Outlook

By Zam Karim
The Star
June 5, 2008

We recently sat down with security guru Bruce Schneier to talk about Internet security and, boy, did we get more than what we bargained for.

WITH the advance of new and better cybersecurity technologies, you'd expect the Internet to be a lot safer place for average users.

However, the world-renowned security expert Bruce Schneier paints an entirely different picture — in fact, a pretty gloomy one where no matter what you do to beef up security, it will not be enough. And in the future, things will even get a lot worse.

People tend to think that just because it's technology, there is some magical solution to solve all the security concerns, Schneier said.

"It is not. It is just the same as everything else," he said.

"Take crime as an example. We have been a civilisation for more than 5,000 years but till today we have never got rid of murders, burglaries and assaults."

Internet security is not likely to improve in the future because "the bad guys are getting better at attacking us while we are not getting better at defending ourselves," he said.

Complexity remains the focal reason for this.

In an essay published a few years back, Schneier wrote that complexity is the worst enemy of security: as systems get more complex, they get less secure.

And the Internet can be regarded as the most complex machine mankind has ever built.

"We barely understand how it works, let alone how to secure it," he said.

And humans remain the weakest link in security — whether as the criminals themselves or as victims duped into giving out their passwords for unauthorised purposes.

As such, Schneier believes we should take security matters out of the user's hands and put them into the computer's.

"Let it automate the process such as updating the security patches religiously and others," he said.

But, surely there is a limit to all the automation?

Schneier agreed. He said that there must be a limit, because if there is too much automation, it would not be fun anymore.

"But where is the sweet spot ... the balance between human intervention and computer automation? We don't know yet."

More threats to come

The primary threat on the Net is crime, which includes stealing somebody else's identity and hacking into a bank's system to gain easy money.

"Criminals go where the action (money) is," Schneier said.

In identity theft, a criminal only needs to collect enough data about a victim and use that to impersonate him when conducting business with banks, credit card companies and other financial institutions.

While financial institutions absorb some of the losses, the credit-rating damage is still borne by the victim. And it can take years for the victim to completely clear his name.

When a cyber criminal robs a bank, victims are essentially powerless to do anything.

While you can protect your computer with antiviruses, firewalls and other security measures at home, there is nothing you can do when cyber criminals hack into your bank's system to steal your money as the system is owned by the merchant.

"You could even be asleep or off holidaying somewhere and you have no control over the situation," he said.

A balanced trade-off

Despite the gloomy outlook, Schneier said that people still feel safe when using the Internet.

In the United States and Europe, e-commerce is doing fine — people still buy and trade as well as do their banking online.

The reason is that people are willing to take acceptable risks — risks within levels that they are comfortable with.

"Security is always a trade-off between taking necessary risks and fully protecting yourself from the outside world," he said.

For instance, there are people who rarely lock their front door, who drive in the rain while using a cellphone and those who talk to strangers.

In a rather morbid twist, Schneier used the rate of road deaths in the United States to prove a point.

"There is a ‘number’ that we all think is acceptable as a society — if it is too high we will spend more to beef up the police force but if we think it is too low we will spend less," he said.

As an example, about 42,000 people die in automobile accidents in the United States every year.

"It is an enormous number but we can cut it in half by lowering the speed limit or making drunk driving a more serious crime," he said.

Similarly, the death toll could even be doubled by raising the speed limit or turning drunk driving into a lesser crime.

"But our society feels that 42,000 ‘feels’ just about right so that's why people aren't agitating for one or the other," he said.

"However, if suddenly your relatives start getting killed at a rate of one every two years, you will stop feeling safe and say, ‘Hey, there is something wrong here and we need to do something about it.’"

Similarly, if a friend becomes a victim of identity theft and keeps losing money every month, you would also want to do something about it.

That's how crime and threats work, Schneier said: there are always levels which are deemed acceptable.

Thus, despite the increasing number of security problems, people will continue to do their business online as long as the cybercrime rate is acceptable, he said.

All is not lost

So is there anything you can do to protect yourself on the Internet?

Schneier said his first response to that question is usually "Nothing, you're screwed."

But that's not entirely true, and the reality is more complicated.

He said the best barrier against security threats is prevention.

Security products are still important, he said, just as seatbelts are important for keeping automobile fatalities low.

Schneier listed more than a dozen things that home users can do to improve security:

1. Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.

2. Keep your laptop and PDA with you at all times when you go outside — treat it as you would a wallet or purse.

3. Back up data regularly.

4. Set up automatic updates so that you automatically receive security patches.

5. Limit the number of applications installed on your machine.

6. Limit the use of cookies and applets.

7. Keep in mind that Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.

8. Think before you do business with a website. Limit the financial and personal data you send to it.

9. Never reuse a password for something you care about. It's fine to have a single password for low-security sites, such as for newspaper archive access.

10. Assume that all PINs (personal identification numbers) can be easily broken and plan accordingly.

11. Never type a password for a service that you care about, such as a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

12. Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address. Also delete spam without reading it.

13. Use antivirus and antispyware software, either as a combined package or as separate products. Always keep them updated.

14. Use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.

15. Install an e-mail and file encryptor. Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.
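To make tips 7 and 11 concrete, here is an added example that is not from the article and not Schneier's own code: a small Node.js script that resolves a login form's action the way a browser does (an empty action submits to the page itself; a relative one is joined to the page URL) and flags any form that would send a password over plain HTTP. The form descriptors are constructed sample data, and the field names `page`, `action` and `hasPassword` are this example's own assumptions, standing in for what a browser extension would read from the live DOM.

```javascript
// Added example (not from the article): decide where a login form would send a
// password, illustrating tips 7 and 11. Runs under plain Node.js with no DOM;
// the forms below are constructed sample data, not captured from any real site.

const SAMPLE_FORMS = [
  // page served over HTTPS, relative action -> stays on HTTPS
  { page: "https://bank.example/login", action: "/session", hasPassword: true },
  // page itself came over HTTP: an on-path attacker could already have changed
  // the form before the user saw it, whatever the action says
  { page: "http://bank.example/login", action: "https://bank.example/session", hasPassword: true },
  // HTTPS page, but the credentials would travel to an HTTP endpoint
  { page: "https://bank.example/login", action: "http://bank.example/session", hasPassword: true },
  // no password field at all (a search box), nothing to check
  { page: "https://news.example/search", action: "", hasPassword: false },
  // empty action: browsers submit to the page's own URL
  { page: "https://bank.example/login", action: "", hasPassword: true },
];

// Resolve the form action against the page URL the way a browser does.
function resolveAction(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl);
}

// Returns "skip" (no password field), "ok", or a short reason why submitting a
// password through this form would be unwise. Tip 11 is about the page being
// non-SSL at all; the second check also catches an HTTPS page whose form posts
// to an unencrypted endpoint.
function classifyForm(form) {
  if (!form.hasPassword) return "skip";
  const page = new URL(form.page);
  const target = resolveAction(form.page, form.action);
  if (page.protocol !== "https:") return "page-not-https";
  if (target.protocol !== "https:") return "action-not-https";
  return "ok";
}

// Audit a list of form descriptors and report the resolved target of each.
function auditForms(forms) {
  return forms.map((form) => ({
    page: form.page,
    target: resolveAction(form.page, form.action).href,
    verdict: classifyForm(form),
  }));
}

for (const result of auditForms(SAMPLE_FORMS)) {
  console.log(result.verdict.padEnd(17), result.page, "->", result.target);
}
```

Note what the example does not claim: an "ok" verdict only means the password will not cross the network in the clear. As tip 7 says, HTTPS says nothing about whether the site is trustworthy or stores your data securely; that judgement is still yours.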

Schneier admits that none of the measures are foolproof.

But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door.

And even if you only follow a few basic measures, you're unlikely to face many problems.


Photo of Bruce Schneier by Per Ervland.
