A Security State of Mind
It’s not encryption. It’s not a password. It’s not connecting through a VPN or an anonymizing service. Security means vastly different things to a national government, an e-commerce site, or a home user.
Governments are rightly paranoid about little things like their military preparedness, new weapons systems, communications codes, and sensitive information about other governments. E-commerce sites amass records for millions of consumers; a break-in could net huge numbers of credit cards. Businesses are constantly evolving, and your chief competitor would love to know what you’re up to.
On the personal level, most of us don’t have anything quite so vital as state secrets to protect, but theft of numbers and information that we use every day can make our lives a living hell. You only have to talk to one victim of identity theft to understand the excruciating agony of suddenly being victimized by technology, as computers reject your bank and credit cards, and credit reports repeatedly reflect some crook’s misadventures with your name and money.
Security expert Bruce Schneier’s new book, Secrets and Lies, details the challenges of maintaining security in a networked world. Time and again, he makes the depressing point that security ultimately depends on human nature. The person who doesn’t follow procedure, the careless user who leaves a password on a sticky note, and the one who attaches a modem connected to an outside line to a machine behind the firewall are all committing security breaches. And those are the ones without malfeasance.
Schneier’s book is an excellent read. Although he’s a mathematician and security expert, the book is largely nontechnical—and even amusing, once you get past some of the horror stories. Unlike some other nontechnical security resources, Schneier’s book is authoritative because he’s been there and done that, having invented—and cracked—a couple of equally important algorithms. He understands the issues and the issues behind the issues.
If you’re not a hacker, or if you’re new to the scene, you’ll gain an appreciation for why designers of security systems and inventors of encryption algorithms put their documentation into public view and invite attacks. Basically, if someone can point out a flaw in your logic or a vulnerability in the system, then you can eliminate the weakness. And if attackers can’t break in with full knowledge of the mechanism you’re using to keep them out, that’s good security.
The book also shows you why formerly secure algorithms are no longer secure. In many cases it’s simply that machines have gotten so fast that previously impossible numbers of calculations are now possible. Or that hundreds or thousands of machines working in concert over a network can outperform some of the largest supercomputers in decryption.
But in his introduction, Schneier says, “I have written this book…to correct a mistake.” The mistake was his earlier contention that cryptography would keep all our information safe and be the key to a sophisticated digital world. As things have turned out, cryptography is a small but necessary ingredient in the much more complex recipe for security and privacy.
For Your Eyes Only?
I regard privacy as a special instance of security. It’s information security on the personal level: Your phone number. Your purchasing habits. Your bookmarked Web sites. Your credit card numbers. Your e-mail address. Your bank account number. Your vices. Your IP address.
We have different levels of sensitivity. My phone number is listed; perhaps yours isn’t. I shop online with credit cards; maybe you don’t. You browse without much thought to where you’ve been; I purge cookies and anonymize.
Schneier’s book will give you a firm foundation in what it takes to establish and maintain network security, but you should also think afresh about personal security. I recently found an uncharacteristically useful government-issued document in the form of a booklet, “Know the Rules; Use the Tools,” from Senator Orrin Hatch’s Judiciary Committee. Download it. Read it. Use it.