December 01, 2012 at 09:00 AM EST
Security Is Hard, But That Doesn’t Mean You Should Ignore It

Six weeks ago I was out drinking in a Kipling-themed bar in Rangoon, Myanmar — as you do — and happened to find myself next to a table of high-powered international telecommunications consultants, overhearing juicy lines like “Skype and Viber are going to kill us.” Needless to say I told Twitter right away. Then an old friend who’s also a genuine International Man Of Mystery got in touch and asked if we could chat about Myanmar’s proposed ban on VOIP. Securely.

He has his very good reasons to insist on secure communications. But to my embarrassment and dismay, given that I’m a software pro with scads of hacker friends, I was largely unprepared for that request. The sad truth is that real online security has never seemed worth the hassle to me. Oh, I switched my Facebook connections to HTTPS-only as soon as I could; I select/Control-C/Control-V a portion of every password I enter when in Internet cafes; and I disabled Java when its huge security hole was revealed earlier this year. But truly secure communications? That’s always seemed like more trouble than it’s worth.

I felt foolish and credulous and unprepared — until earlier this month. So I’d just like to thank David Petraeus for making me feel a whole lot better about the situation:

You'd think the head of the CIA would be better at keeping secrets.—
Aaron Levie (@levie) November 10, 2012

The sad truth is that real online security, while possible — ignore the conspiracy theorists who claim that hackers can break into absolutely anything — is hard to do right and easy to screw up. This is a big deal and a big problem. Not just for Syrian activists today; as the panopticon society grows up around us, soon online privacy will be just about the only kind of privacy we’ll have at all.

Alas, right now it seems that many, if not most, people value conformity more than privacy. What’s more, instead of worrying about security ourselves, we trust others — Amazon, Apple, Facebook, Google — to take care of it for us. As the great Bruce Schneier points out, in some ways we’ve regressed to a feudal notion of security.

The problem is, you can’t trust a feudal lord. For instance, Andrew Auernheimer, aka “weev,” was recently found guilty under the Computer Fraud and Abuse Act for his part in collecting iPad owners’ e-mail addresses from an AT&T web server that handed them out to anyone who asked for them, in a case which has been analogized — correctly, in my view — to finding someone guilty of trespassing because they looked past the sign on a shop window to see what goods were on sale within. This is, well, insane.

Being an ass is not a crime. Running a script is not a crime. Exceeding authorized access is, but the AT&T site was coded to spill data.—
jennifer granick (@granick) November 21, 2012

Can we start a list of exposés of security vulnerabilities that will become illegal based on the precedent set by @rabite's case?—
Asher Wolf (@Asher_Wolf) November 21, 2012

Companies like AT&T who shoot the messenger when they are at fault risk their customers even more in the future.—
  (@skry) November 21, 2012

The CFAA continues to be a terrifying broad law that's getting interpreted as "if you do something tricky with computers, it's illegal."—
DJ Capelis (@djcapelis) November 21, 2012

You know who your masters are when they can jail you over their embarrassment. #FREEWEEV
Josh (@midnite_runr) November 20, 2012

If the government wanted to drive vulnerability research/disclosure underground they just accomplished that swimmingly.—
TacticalIntelligence (@Tactical_Intel) November 20, 2012

.@rabite found guilty. so i guess we just shouldnt bother disclosing any vulns anymore.—
Tom (@semiboganman) November 20, 2012

@maradydd @graydon_moz Does this mean that if I write a web spider, it may commit a crime? Do these same rules apply to Google? Bing? Yahoo?—
Adam (@AdamOfDc949) November 20, 2012

@maradydd @graydon2 The implication is that the powerful can interpret the law arbitrarily to punish those who challenge them.—
Robert David Graham (@ErrataRob) November 20, 2012

(All tweets above via Meredith Patterson.)

Even worse, it will have a deadly chilling effect on security researchers everywhere. We need people like weev to find security flaws, and disclose them in a (relatively) responsible manner before serious black-hat bad guys do. Security through obscurity is no security at all, and feudal security isn’t much better. Ask David Petraeus.

Security is, by its very nature, something most people hardly worry about at all, until and unless that one awful day comes when it’s the only thing they worry about. By then it’s usually too late to start taking it seriously. And even if and when people do realize this, and start taking responsibility for their own online privacy and security, if the security tools aren’t dead easy to use, they’ll be used incorrectly or not at all.

What can you do? Well, the EFF recently posted “Don’t Be Petraeus: A Tutorial On Anonymous Email Accounts,” which everyone should read. And next week I’m going to post a brief overview of some other security tools out there now. Be advised in advance that I’ll probably get some things wrong: I’m a good software developer but no security expert. Let’s hope that in a few years’ time the tools are easy enough that even non-techies can use them without fear — because increasingly, if you don’t have privacy and security online, you won’t have it at all.

Image credit: yours truly, Flickr.
