1. Why security is a problem that will, unfortunately, always be with us.
2. Why we can’t expect technology to solve all of our security problems.
3. How to think about security problems as a compromise between security and effort spent getting it.

The phone call begins with the cries of an anguished child calling for a parent: “Mama! Papa!” The youngster’s sobs are quickly replaced by a husky male voice that means business.

“We’ve got your child,” he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.

The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.

[...]

Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.

A technical glitch gave the F.B.I. access to the e-mail messages from an entire computer network — perhaps hundreds of accounts or more — instead of simply the lone e-mail address that was approved by a secret intelligence court as part of a national security investigation, according to an internal report of the 2006 episode.

[...]

The episode is an unusual example of what has become a regular if little-noticed occurrence, as American officials have expanded their technological tools: government officials, or the private companies they rely on for surveillance operations, sometimes foul up their instructions about what they can and cannot collect.

Going through old Bruce Schneier essays, I came across one that downplays the danger of cyberterrorism:

The worry is that a terrorist would cause a problem more serious than a natural disaster, but this kind of thing is surprisingly hard to do. Worms and viruses have caused all sorts of network disruptions, but it happened by accident. In January 2003, the SQL Slammer worm disrupted 13,000 ATMs on the Bank of America’s network. But before it happened, you couldn’t have found a security expert who understood that those systems were dependent on that vulnerability. We simply don’t understand the interactions well enough to predict which kinds of attacks could cause catastrophic results, and terrorist organizations don’t have that sort of knowledge either — even if they tried to hire experts.

But Schneier says that worrying about cyberterrorism can have useful side-effects:

Luckily, the same countermeasures aimed at cyberterrorists will also prevent hackers and criminals. If organizations secure their computer networks for the wrong reasons, it will still be the right thing to do.

Spam

Your chances: 1 in 2

Viruses

Your chances: 1 in 5, with a typical cost of $100.

Spyware

Your chances: 1 in 11, with a typical cost of $100.

Phishing

Your chances of losing money from an account: 1 in 81, with a typical cost of $200.

Encouragingly, the odds of getting nicked by each one of these threats fell since 2006, except in the case of phishing (formerly 1 in 115, meaning phishing attacks are becoming cleverer and more widespread). The cost for each malady stayed roughly the same, with phishing the exception once again. Last year, phishing victims typically lost $850, so the number has fallen considerably.

The report is based on a national survey (of America, I believe), and lists the 4 biggest threats on the internet along with their rates of incidence. If you want to know just how likely you are to suffer monetary damages from internet threats, this is a great resource. Here are the findings from survey respondents:

Viruses

1 in 4 had a major, often costly problem. The cost per incident was $109

Spyware

1 in 8 had a major, often costly problem. The cost per incident was $100

Phishing

1 in 115 had a major, often costly problem. The cost per incident was $850

Spam

1 in 2 experienced high levels of spam. Consumer Reports doesn’t mention the costliness of spam, probably because it’s too hard to measure. But it’s still a major nuisance that soaks up valuable time and computer resources for almost everyone who uses the internet.

I hope the readers of this blog are slightly less prone to suffer damages as a result of the advice I give. Best of luck to all of you!

Security is a matter of degrees, and it involves tradeoffs. Perfect security doesn’t exist, but you can almost always be more secure than you are now. And once you’ve made yourself more secure, you could choose to become more secure still. That’s the matter of degrees.

Wherever you stand on the security spectrum, then, you can spend more time and more money in an effort to gain greater security. That’s why the level of security you eventually decide on involves tradeoffs. Ideally, your chosen level of security should correspond to the value of what you want to protect. For example, you should put more time and effort into protecting your bank account password than into protecting an average hotmail account (unless the account contains some really valuable information!).

How secure do you need to be?

So, if you need to make tradeoffs and can never be perfectly secure, how far should you go? How much should you spend in terms of time and money to protect yourself?

In coming to an answer, I’m reminded of an old joke that starts with two friends running from a hungry bear. The bear is closing the gap quickly. One friend turns to the other and screams, “We’ll never outrun him! What should we do?” The other shouts back, “I don’t have to outrun the bear. I only need to outrun you!”

The advice on this website follows a similar strategy (with respect to security, not bears). It provides you with the techniques you need to be more secure than average without overdoing it. As long as you are protecting the same things most other people are protecting – say, a bank account, email account, and private data on a personal computer – you need only make yourself more secure than the average person to be fairly well protected.

The reason is straightforward: Criminals trying to steal information are (usually) perfectly content to dine on the easiest prey. It turns out that you don’t need to spend an incredible amount of money and effort to be secure, because the average person spends almost none of either thinking about or acting on security issues.

That’s good news (for you, not those other hapless souls), and it should help guide your thinking about the degree of security you want and the tradeoffs you’re willing to make to get it.

Because I’ve been travelling for the last 3 months in Asia, I have had access only to public computer terminals, mostly internet cafes. The majority of the computers I get to use are sputtering and coughing from infection, so I’m sure some are indeed logging my keystrokes. I’ve been using the Vesik Method to minimize the danger, so far with good results. None of my passwords appear to be compromised, despite entering them onto some of the most spyware-polluted computers I’ve seen.

Give it a try the next time you’re in the same situation.

Bruce Schneier easily disarms the argument that says security and civil liberties must always be traded one for one. That’s only true if security is an afterthought for whatever process or project is in question.

Security and privacy are not two sides of a teeter-totter. This association is simplistic and largely fallacious. It’s easy and fast, but less effective, to increase security by taking away liberty. However, the best ways to increase security are not at the expense of privacy and liberty.

It’s easy to refute the notion that all security comes at the expense of liberty. Arming pilots, reinforcing cockpit doors, and teaching flight attendants karate are all examples of security measures that have no effect on individual privacy or liberties. So are better authentication of airport maintenance workers, or dead-man switches that force planes to automatically land at the closest airport, or armed air marshals traveling on flights.

Liberty-depriving security measures are most often found when system designers failed to take security into account from the beginning. They’re Band-aids, and evidence of bad security planning. When security is designed into a system, it can work without forcing people to give up their freedoms.

Here’s an example: securing a room. Option one: convert the room into an impregnable vault. Option two: put locks on the door, bars on the windows, and alarm everything. Option three: don’t bother securing the room; instead, post a guard in the room who records the ID of everyone entering and makes sure they should be allowed in.

Option one is the best, but is unrealistic. Impregnable vaults just don’t exist, getting close is prohibitively expensive, and turning a room into a vault greatly lessens its usefulness as a room. Option two is the realistic best; combine the strengths of prevention, detection, and response to achieve resilient security. Option three is the worst. It’s far more expensive than option two, and the most invasive and easiest to defeat of all three options. It’s also a sure sign of bad planning; designers built the room, and only then realized that they needed security. Rather then spend the effort installing door locks and alarms, they took the easy way out and invaded people’s privacy.

Samsung Electronics’ U.S. Web site is hosting a Trojan horse that logs keystrokes, disables antivirus applications and steals online banking access codes, according to Internet security company Websense.

This actually has very little to do with Samsung, and more to do with the state of internet security. I wouldn’t recommend halting your visits to Samsung’s website or any other website that shows up in the news for something like this. There will be many more of these stories to come.

Your strategy

Keeping records of companies that screw up is a losing proposition. Having said that, a public record is necessary because companies should be held accountable for their complacency, as this is probably the only way the situation will improve, but it’s not a useful strategy for you to combat security risks.

A more useful strategy is to stay level-headed (there’s no need to panic every time a news article exposes a new virus), act to prevent compromises instead of just reacting to them, and maintain a general awareness of the threats that exist.

If you don’t think you’re prepared, see this article I posted late last month that will help you get up to speed.