The Active Network

Amazon.com

Stop Foolish Paranoia! (Know what you SHOULD be paranoid about!)

December 28th, 1999

Information Security is certainly a big issue for the e-Development community.  I'd never want to play down something so essential.  Unfortunately, the e-Media seems to think there is nothing better to improve ratings than to hype bogus stories related to security on the Internet.  Let's take some time to regain some perspective and composure.

Remember the flap about NSA having a trap door into Microsoft's CryptoAPI modules.  Wrong!  Remember a years long series of panic attacks about the risks of browsers that keep and web sites that use "cookies".  Sorry Charlie, the only real Cookie Monster out there is on Sesame Street (and that's using the term "real" generously.)  There are regular TV and newspaper articles about personal identities being stolen.... and these are real horror stories for the people involved!  But seldom is the culprit a weakness which is properly addressed by the Information Security profiteers generating all the hype about personal security on the Internet.

Consider the Weakest Link Principle:  No security solution is stronger than the weakest component of that solution.

Just like a chain always breaks at the weakest link, the "chain of logic" supporting any security for us on the Internet is no stronger than the weakest link.... and most likely that "weak link" is sitting in front of this screen right now.  That's right!  It's you! ...and me.

Do you shred your bank and credit card statements?  Do you read closely what you sign?  Do you check your credit card statements against receipts and look over your shoulder when you type in your PIN at the ATM?  When the phone rings and the person on the other end says they're from magazine XYZ and asks if you want to renew your subscription, do you give them your credit card number without even looking at your phone's Caller ID display?   ....what?!  You don't even subscribe to Caller ID?   ....yet you're paranoid about what the PC and the Internet may do to you.  Bless you, child.  Your guardian angel must be working overtime.

Why do people (especially my children) seem to display such blind trust!  My kids tell me "they don't have time" to balance their bank statements and check their credit card statements.  They and their friends act like credit card receipts are as important as bubble gum wrappers....  IF they don't simply throw them down on the ground, it's because they are too "environmentally conscious" to litter!

They, and many on the Internet, do foolish things simply because they believe in the "school of fish" security policy:  "There are so many cars in the parking lot, it's not really necessary for me to lock mine!"

And generally, you and my kids get by year after year making fun of the "old man" and his 15 years as a so called "security guru".  The reality is, there are far more honest folk out there than crooks and it takes a significant fraction of a lifetime for the crooks to get around to seriously burning someone we know.  So we act foolishly and then complain that Microsoft or WorldNet or AOL didn't protect us from ourselves!

So what's the bottom line?  Act responsibility!  Do what you're suppose to do AND demand accountability from the industry and the government.  Here are some thoughts for your consideration:

  1. Have you updated your software recently?  Windows 98 comes with "Windows Update" under Start > Settings (and under the Internet Explorer "Tools" menu.)  If you've never used this feature, you're on the Internet with dozens of known security holes exposed and waiting for hackers.  And if you've never bothered to update to Windows 98, you can be assured there are even more holes... the hackers just got tired of bragging about the old ones.  Ditto about Sun, Apple, AOL, Netscape and all other systems.  NO ONE writes perfect software.  Any vendor that fails to provide timely fixes "because we don't have flaws in our software" is either telling you an outright lie or is ignorantly serving a market too small and narrow for hackers to bother attacking.
  2. When have you last changed your passwords or taken backups?  I need not say more about this.  We all live with these "personal" failures but should resolve to do better.  (Keep an eye out for a future Tuesday postings about new solutions to these old problems.)
  3. When it comes to downloading, who do you trust?  Do you refuse to download software that is not digitally signed by a trustworthy company?  Do you pick up and chew gum you find on the street?

There are too many aspects of "acting responsibility" to enumerate, but let's end with this last thought:

We will not have serious security in our information technology until we start demanding accountability from our vendors, employees and ourselves.  We cannot hide behind "personal privacy" as an excuse for living "unaccountably" in the e-World.  Likewise, vendors must eventually take responsibility for their software products.  Just like car and baby-seat manufacturers are held responsible for their defects, software vendors cannot be allowed to continue disclaiming all responsibility for defects in their software.  And for our employees, we must begin to provide the tools, training, rules and laws necessary to make honest and just assurance part of daily work-life in the e-World. 

Copyright 2000 Information Security Analysis LLC. All Rights Reserved.
 
http://www.infosecana.com/flinkink


Return To The Flink Ink Section

 

This site is not related to the Microsoft Corporation in any way. Windows and the Windows logo are trademarks of the Microsoft Corporation. ActiveWindows is an independent site. The information and sources here are obtained from series of hard work & research.