I’ve recently attended some security meetups where I live to provide solidarity and support to my friends presenting. One common thread among all of the meetings I’ve been to is the frustration with user’s security. More plainly: “What should I be doing to ensure that my user base is secure using X?” There are always multiple propositions in response to this problem, generally under a mantra of educating the populous on security.
The most frustrating of the recommendations speakers had raised was with the prospect of child upbringing. That parents needed to teach their children to be secure in their online dealings. This always comes across as a how rather than a why. Which means regardless of your intentions, you will come across as patronizing or suspicious.
To explain this in a more tangible way:
Despite hearing messages like this from everyone around me, and even seeing it seep in media intended for younger viewers, I feel like these messages are approaching information security in all the wrong ways. Firstly, because parents are generally less likely to practice proper operational security than their children. Secondly, telling others to watch what they post online is ineffective because humans already have an innate sense of privacy. People generally are aware what they are posting online. What they are not aware of is the nature of computers.
Yes, there are creepy people that are worth spending time obfuscating yourself from. Yes, you have no agency in removing your online presence after you’ve put your information online. I get it, your kids probably get it, they just don’t care. It takes a lot of time and effort to be secure online, and most people don’t really care enough to do so. How many of your passwords on various sites are the same? Why? Because it’s inconvenient for most people to remember things. They don’t know that there are easier alternatives. They don’t know not because their parents never told them to be safe online, but because security is hard.
Here is a video that I came across that perfectly exemplifies this. This video is categorically wrong on multiple levels, and people that watch it might be inconveniencing themselves for no good reason under the guise that they are more secure. When in reality, they are just wasting time and effort.
Warning: wrongness and swears ahead.
That video is sitting ~3.5 million views and a very high approval rating, and I can’t help but get frustrated knowing that even when people are trying to help they just make everyone else’s life harder for no good reason.
If you are interested in security online, great! You already know everything that is wrong with that.
If however, you could care less, here is my explanation about why you might want to look into it yourself. If I have made an engaging enough post, try to find out for yourself why storing your passwords in folder hell only wastes your time.
I don’t recall a single point where my parents told me that the internet was a place where I should be hesitant to post personal information. Yet, I make my living as an information security engineer. My day to day is filled with mental exercises in retaining sensitive information as well as routes to exfiltrate information from others. And although I am certainly not an expert, (I wouldn’t be comfortable calling myself par at this point.) I have never needed to be told: “Don’t post things you don’t want to be public on the internet!”
This nature of withholding things we deem personal is somewhat innate. This is really basic stuff, but hear me out. Once we become of age, and we cover our bodies with clothing with some expectation that others might react in ways we don’t desire. In the same way, we don’t tell everyone everything we are ashamed of in our first encounters. Providing personal things to others places you at a higher risk of being physically or emotionally hurt. It takes an underlying trust with others before we are willing to open up.
This is not to say that I don’t see my friends and peers struggle with trust online. Regardless of the nature of the latest security leak, or the near constant news coverage showing us that we are being surveyed by our own governments, people seem to forget and regress to their regular routines within a few weeks. Worse yet, people seem to be arriving at the conclusion that our security no longer exists and we must face the inevitable fate that all our information will be public eventually.
The more I discuss information security to others, I find people are operating under some false assumptions:
- What I do online is largely irrelevant. Therefore, I need not bother with the security of my interactions online.
- There are other people that malicious agents would target before me.
- Because I am posting information on a site that assures me it’s not public, (Facebook messenger, SMS, etc.) my information will not be divulged to others.
- Companies have a vested interest in ensuring their user’s information is secure.
- There is legal precedence for companies to secure user information.
Computers are inhuman
Computer systems do not treat users as individuals as we do. This is merely the nature of the computers. They are unfeeling. Your information is no different to them than any other byte on the system. Apart from maintaining an operational state, computers will allow their owners to do most anything. Anything you present to your computer can be indexed, categorized and searched.
The assumption that nobody is sitting around watching everything you do is absolutely correct.
Computers however, well they don’t really have anything better to do. Computer storage is cheap. This post thus far is ~4.6KB, and it contains a lot of information. It contains a lot of data about me, how I write, what my thoughts are, when I wrote it, where I wrote it, etc. That information is so cheap to store, that it is absolutely trivial for a computer to store.
Most people treat surveillance as a logical extension of being surveilled outside of their digital computer use. If I am being watched, there is someone investing the time to do so. And I am not that special that my information is worth the effort. Right?
Your information is important.
Information you provide to any computer or network can be duplicated, archived, and correlated with any other set of data: Your pictures, your videos, the times you use your computer, the locations you have your computer, the things you hover your mouse over, what you erase before you press send, etc. Literally any data presented to a computer can and realistically will be saved and correlated.
This correlation information is powerful. It’s how Google and Apple can extrapolate where you live and work, what time you start working, what mode of transport you use to commute, and what time you need to leave your home to arrive at your work on time. This data is used to determine what things in life provide you happiness, and what products others provide that coincide with your pleasures. It’s what determines how much your employer pays you, how successful you will be as an individual. You might not see that as valuable, but consider for a moment the two companies that I have mentioned previously. Google and Apple are some of the wealthiest corporations on the planet.
Those extrapolations from your data can produce significant value to the right people. This information is powerful, and not always malicious. If I produce something, I want to make sure that word of it gets to those who are interested. This is how Google became what it is today. All the products and services they create today are from the money they make targeting advertisements to users that might be interested. If they know you well enough to accurately predict what you want, they can show it to you first. Advertisers love that.
Computers are obedient.
Computers under all the GUIs and even UIs are just machines. Machines that do what we program them to do. Once people realize how to provide tasks for computers, It’s not a far step to realize that they can interact with computers they don’t own in a similar way. Attempts to prevent others from providing and executing code is to go against the very nature of computers. If one knows the right way to request information from a system, they can get it.
People that have some expectation that computers they don’t own will retain their private information are operating under a misapprehension. This expectation is exploited by hackers and other malicious agents all the time.
“But most of the places I post to are companies. And there are a lot of things that make them want to remain secure.”
If corporations are people, they are not ethical people.
Non-Shitty corporations are also not perfect.
Every application you use either on your physical machine or the net is made of many other systems that you have no control over. Any of these smaller programs are just as capable of being broken into, or subverted, making the entire system insecure. Companies make technical mistakes all the time that unintentionally release information despite their legitimate efforts to secure your information.
Perfect Non-Shitty are not safe.
What I am about to say is purely hypothetical and has never existed. Imagine a company that built all of it’s own hardware, software, and controlled every single bit along the way from your computer through their network, to their servers and back. This system they architected is entirely and perfectly secure on a technical level. Your information is still not secure.
Humans are always the weakest link in any process. Someone can always convince someone at the company capable of divulging information to do something they are not supposed to do. These attacks are the most deadly because they almost always work.
Muli-factor authentication on your phone might not help, if someone can convince your phone carrier that they are you you might be out of luck, as this post explains.
So what should I do?
Use the internet as you see fit. Just know that the internet is now a very public place. Conduct yourself like you would in public. Operate under the expectation that what you do online might be viewed by others. If anything in this post made you consider your security posture, spend a minute or two looking up what advice professionals have to offer. Most importantly, enjoy the content you post and the content posted by others. Eat Trash; Be free; Death is coming.