
This is the second in a three part series on a highly revised approach to keeping yourself safe and sound when you’re on the Internet.  (If you missed it, the first part is here).  This is an entirely new approach, because the whole threat profile we face has been changing, and most of the recommendations passed out by presumed security gurus (including yours truly) are no longer appropriate or effective.  This post is going to describe the current threat landscape so that my recommendations on protecting yourself will make a little more sense; those will be in Part 3.

OK then, what does it look like out there?  There are lots of pressing threats, seemingly an infinite number and growing (if that’s possible!).  But as we try to identify how we might best protect ourselves when we’re connected to the Internet, the actual number turns out to be much more manageable.  Here’s a breakdown of the overall threat landscape, from the planetary to you, as I see it now.  It includes:

Infrastructure threats, which target the basic routing and transport of content throughout the globe.  This is not our problem, at least for this discussion, although it is an extremely serious problem for our government and the Internet’s managers.

Organization threats, those that aim at businesses, governments, or other entities, and which are mainly focused on network intrusion, data theft, site defacement, and operational disruption.  I’m not dealing with those here, either.

Personal threats, what we care about here.  These threats, at least the ones that you should worry about, can all be clumped into two main categories:

  • Attempts to steal money from you via account break-in, unauthorized credit-card charges, or (occasionally) malicious transactions aimed at disrupting your life, e.g. as caused by an errant ex-spouse;
  • Attempts to steal account numbers, passwords, and other personal or family data from  you by loading malicious hidden software onto your computer.  In addition to enabling financial theft, this data might allow someone to impersonate you on the Internet and do things like post obscene messages in Facebook or put porn in your Flickr albums.  Malicious software can also take your computer and make it a spam-spewing robot, or a participant in various kinds of attacks against organizations or even against the Internet’s infrastructure itself, and you don’t want to be a part of this, either.

Now, these are significant threats, of course, and you don’t want to be the one caught standing when the music stops.  Just because these are high-order threats doesn’t mean that you can be excused to do nothing.  On the contrary, you need to take some steps to avoid being victimized, but these steps can — surprisingly — be simpler than you might be thinking, or than what you’ve been told in the past.  What is it that has changed over the last increment of time that modifies our approach to personal Internet security?  Lots of things.

What’s Changed

First of all, the bad news is that the attacks are becoming vastly more sophisticated and therefore vastly more difficult to defend against.  When I look at the technical dissection of typical first-line malware, I’m really impressed: these people really know what they’re doing.  If you let one of these things into your machine, you’re gone.  Attack software is exploiting vulnerabilities that the honest software vendors are hard-pressed to patch by the time the attacks start occurring.  And once something gets into your computer, it’s essentially impossible to remove so your only recovery is a down-to-the-metal system restore.  It’s really nasty.

However, at the same time we’ve learned how to cope with it, just as our immune system learns to cope with an infection, and just as (as a species) we and the infectious agents tend to co-evolve in ways that reduce the impact of a given infection, so that not all the hosts die!  When national credit cards became popular, certain kinds of fraud became possible that weren’t possible when the merchant knew every customer face-to-face.  So our financial system developed ways to deal with it — transaction limits, anti-fraud software triggers, merchant interventions, and most importantly, consistent rules for managing disputes and apportioning fraud liabilities.  Thus, the worst of the threats are blunted, coping mechanisms are created, the losses are contained, and the benefits are achieved.

Let’s consider for a moment identity theft.  Five years ago this was almost unheard of.  People who claimed identity theft were generally not believed, their credit was ruined, they were threatened with arrest, their assets were attached, and they worked for sometimes years to clear things up, all the time being abused by attorneys, police, and everyone else who just couldn’t believe this was real.  What happens now?  It’s a known and accepted risk, kind of like a fender-bender: nobody wants one, but they happen, and we all know what to do.

Now, if you are an identity theft victim, you call the police, fill out a form, send out the form to your banks and other merchants, get new credit cards, and so on.  The average time to resolve an identity theft incident now is about 10 hours of your time, spread out over a couple of weeks.  Like a fender-bender, not fun and worth avoiding, but fixable.

Same principle applies to electronic account access and transfers.  Banks want people to use electronic transfers, it’s much cheaper than teller-assisted transactions or paper checks.  So to standardize everything, the Federal Reserve Board issued Regulation E, which specifically states that it was issued “to protect consumers using electronic funds transfers.”    Under the provisions of Reg E, it’s almost impossible for a consumer to be held responsible for the consequences of unauthorized electronic access to their accounts, the bank absorbs any unrecoverable losses.  Based on the cost savings and customer satisfaction, they come out ahead even with these losses from time to time.

So . . .

So the net of all this is, although the direct attacks are increasingly cunning and vicious, even when they succeed they don’t impact the individual consumer as much as they used to.  “We,” the society, have learned to cope with the resulting losses, keep the unlucky victims from being unduly penalized, and move on.  And given this, the rules for keeping safe and sound on the Internet have changed, too, and actually simplified quite a bit.  I’ll cover them in Part 3.

We hear constantly of the cost of online security failures — of bank accounts vacuumed, of credit card numbers and passwords stolen, or of medical records compromised, a veritable drumbeat of disaster.  But we seldom hear about the cost side of implementing security measures, especially the cost borne by individuals like you and me who are exhorted to carry out these procedures.  Even with the threat of all the losses, compromises, and penetrations, the Average User still has a pretty dismal record of taking even the most basic precautions to protect themselves.  But why?  Are we all just that stupid and lazy?

As a security-oriented systems guy, I have tried to figure this out, and I was just starting to deal with it as a basic economic cost-benefit analysis when I discovered a great paper presented at this year’s New Security Paradigms Workshop by Cormac Herley of Microsoft.  It’s entitled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.  If you’re not up to reading it, I’ll be summarizing it below as a context for my own recommendations.

Herley summarizes the situation thus:

In this paper we argue for a third view, which is that users’ rejection of the security advice they receive is entirely rational from an economic viewpoint. The advice offers to shield them from the direct costs of attacks, but burdens them with increased indirect costs, or externalities. Since the direct costs are generally small relative to the indirect ones they reject this bargain. Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.

So then, as he points out, Average Users aren’t stupid, they are pretty good intuitive cost-benefit analysts.  The paper points out that “user effort is not free” although it is treated as such in virtually all analyses. In other words, most analysts look only at the loss side of the equation — what is being stolen — but not at the time and effort required of users taking steps to prevent these losses.  This failure to account for the costs of implementing security procedures leads to lots of users (rationally) ignoring most of what various security gurus prescribe for them — instead of adopting reasonably-effective safeguards, they end up adopting almost none.

Just for example, with respect to the standard litany of “choose longer passwords, don’t re-use them across sites” and so on, Herley demonstrates that for an average user with about 25 distinct passworded accounts the actual benefit to the user disappears if the user has to spend more than a few minutes per year making up, remembering, and forgetting all their passwords.  Of course, in reality most of us spend more than that per day dealing with passwords.  He also points out that if the user falls victim to a phisher or has a trojan keylogger in his machine, all the standard password protections are rendered useless anyway.

And yet, financial institutions continue to insist on longer passwords with composition-complexity rules and have implemented various other schemes such as “security questions” or “secret pictures” and the like.  None of these are very effective and do NOT per se reduce the likelihood of man-in-the-middle attacks, although it seems like they would.  They mainly irritate users who forget what they answered for their first car’s horsepower, fail the test, and have to have the bank reset their password.

And even this incurs a significant cost: using Wells-Fargo data, a password reset costs the bank $10 in personnel time, and if 10% of their users do a reset every year, that would be a $48,000,000 cost to Wells, which is vastly higher than Wells’ share of the annual $60,000,000 phishing losses.  Clearly in this case, the medicine is worse than the disease!

In addition to the security-related costs users are asked to absorb, they are also overwhelmed by the volume of advice dispensed by various security gurus (including yours truly, in retrospect).  Naive users lack the technical expertise to carry these suggestions out, and their best efforts can often be readily subverted by evil-doers anyway.  Herley points out that the US-CERT CyberSecurity Tips publication has 51 “tips,” each one backed up with a page or more of detailed instructions.  No wonder they bail on security.  Not only is it expensive, it’s incomprehensible.

Does this dismal state of affairs free us to give up and just ignore Internet security?  Not at all! We still face threats that we CAN do something about, and we should.  See my next post on What This Means.

Before I say anything else, let me first note that in the last presidential election, political spending in the US was roughly equivalent to the amount Americans spend annually on chewing gum.  That is an important level-set for this discussion.

So, the Supreme Court (which doesn’t have to run for re-election) has decided that corporations and unions, which are legal entities created in order to make money and carry out other functions, are equivalent for campaign spending to real people, and so should be able to spend directly in unlimited amounts of money to promote causes or candidates.  This decision is a pretty heroic leap from the constitution or from any existing case law precedent; after all, corporations can’t vote in the election, so they aren’t all that equivalent to biological people, but the court decided 5-4 along conservative – liberal lines (whatever they are) and so for now it’s the law.

Don’t get me wrong, I think this is bad law.  Corporations are not actual people, they are organizations with vast resources in money and talent and they never blink, 24-7, as they pursue their self-serving objectives.  Because of these resources, they should be subject to limitations on the extent to which they can directly enter into the political process.  Not prevented from participating, mind you, but limited.  But however unfortunate this ruling is, it isn’t the end of the world, for a couple of reasons.

Corporate spending on campaigns or issues is at least to some extent self-limited by the corporation’s desire not to take a politically-unpopular position and risk alienating both customers and employees who disagree with it.  Unpopular positions can of course be heavily spun to the public and delivered with day-and-night pounding advertisements, but having worked inside large corporations most of my career I can just say that this is more difficult to successfully execute than you might think.  And of course, political spending competes with product advertising, machinery investment, and other pressing demands for capital and hence is going to be viewed with a jaundiced eye by stockholders.

The second reason is more interesting, and it comes from the actual human people who head these corporations.  A few days after the Court issued their ruling, a group called Fair Elections Now sent a letter to congressional leaders on both sides of the aisle complaining that this new ruling will cause congressmen to hammer them even more than they do now, for contributions to counter the likely flood of corporate advertising.  About 40 executives from the likes of Hasbro, Delta Airlines, Seagrams, Crate and Barrel, Ben & Jerry’s, Men’s Wearhouse, and Playboy Enterprises said in the letter,

Members of Congress already spend too much time raising money from large contributors . . . and often, many of us individually are on the receiving end of solicitation phone calls from Members of Congress.  With additional money flowing into the system, due to the court’s decision, the fundraising pressure on Members of Congress will only increase . . .

This is actually a very healthy development — people who are in a position to make corporate policy but who are impacted personally in other ways, are saying, “stop this right now.”  So maybe, just maybe, we will see some actual legislation passed that will undercut the Court’s ruling.

But ultimately it falls back to the electorate.  We, as a nation, need to increase our attention span and actually study these issues and make up our minds about them, and not be swayed by week-before-the-election advertising.  We need to stop being swayed by partisans screaming “death panels!” and other patent lies.  We need to belly up to our responsibilities, personally, and make the things we want happen.

Of all the poor places on the planet, perhaps no place would be as poorly prepared to weather an earthquake, or any other natural disaster, or even disruption, as is Haiti.  Haiti is without question the most absolutely impoverished country in the Western Hemisphere, seemingly a sinkhole of boundless misery and misfortune.  And now, this: a magnitude 7++ earthquake centered almost directly under a fantastically-overcrowded capital city.  The destruction is almost impossible to quantify, and there is virtually no surviving infrastructure.

This earthquake happening is, of course, predictable and inevitable, for Haiti lies directly over a major strike-slip fault zone that is moving at millimeters per year.  Sooner or later, it’s going to give.  If you’d like more details, here is a good explanation from Woods Hole.  The same thing is going to happen to California, sometime, perhaps sometime soon (geologically speaking).  I guess everybody thinks that it won’t happen to them, that they will be dead or away in England or something, so they don’t need to worry about it.  But these things DO come, eventually.  And the reality is, build substandard structures in an active fault zone and this is what happens.  I ask: why is anyone surprised?

To answer my own question, they apparently were surprised by New Orleans, too, in spite of 30 years of warnings by geologists, meteorologists, and engineers.

But the catastrophe of this earthquake is compounded by the thing that is Haiti, by its culture and its history of misery.  The core of why Haiti is what it is was summarized by Tracy Kidder in the New York Times on January 13th:

Haiti is a country created by former slaves, kidnapped West Africans, who, in 1804, when slavery still flourished in the United States and the Caribbean, threw off their cruel French masters and created their own republic. Haitians have been punished ever since for claiming their freedom: by the French who, in the 1820s, demanded and received payment from the Haitians for the slave colony, impoverishing the country for years to come; by an often brutal American occupation from 1915 to 1934; by indigenous misrule that the American government aided and abetted. (In more recent years American administrations fell into a pattern of promoting and then undermining Haitian constitutional democracy.)

(Full text of this is here.  A more comprehensive discussion of Haiti’s beyond-unfortunate history is here.)

The essence is this: slaves gloriously threw off their slavemasters, but never having lived under their own hand, soon fell into slavery again, now to one of their own.  It is beyond sad, they could have been a beacon of liberty in the Caribbean.

So now what?  The history of aid to Haiti is pathetic: for billions, almost nothing to show for it.  This isn’t all their own fault, much of the US aid to Haiti was tied to spending it with American companies, a perfect recipe for fraud and ineffectiveness.  Even before this disaster, providing aid to Haiti was an established growth industry.

Much as I am not a fan of US intervention in the world, if we’re going to intervene, this is the place, and now is the time.  I would suggest these steps:

  • Send in the Marines, stabilize the situation on the ground, prevent total chaos;
  • Haul in food, and be prepared to feed much of the population for several years (yes, years);
  • Develop a 20-year plan that emphasizes infrastructure, for example build roads, build natural gas distribution so that towns, then villages, then individual houses, can get cooking heat, so they can stop destroying their environment by stripping every single twig to make charcoal;
  • Implement this plan with whatever resources are available, and as part of it start — immediately — turning responsibility over to Haitians in bite-sized pieces, to learn to manage as their own;
  • Bring in businesses to employ Haitians doing what is now so often done exclusively in China — give these people a head start, give them hope, give them jobs;
  • Follow the 20-year plan to have us — and other Western democracies — out of there completely by then.

Many will decry this as paternalistic and disrespectful of Haitian culture.  Sorry, but there is so very much of Haitian culture that is so deleterious to them: graft, corruption, voodoo, etc., and it just needs to go.  I would say: where do you want Haiti to be in 20 years?  Step on the road to go there.  Remember, another earthquake is coming, sooner or later.

I was very distressed the other day to hear President Obama continuing the use of the term, “War on Terror.”  Probably nothing hampers our ability to deal with the Middle East and the rise of Neo-Islamist extremists more than talking about it as a “war.”  Are we at war?  Against “terror?”  Terror is just a tactical or strategic decision about using a weapon in a certain way.  Was Hitler at war with “strategic daylight bombing?”  No, he was at war with most of the rest of the world.  If we’re going to be at war against terror, we might as well be at war against howitzers.  Neither concept makes much sense.

Whatever it’s against, are we in fact “at war?”  I’m sure as a paean to the (mainly) Republican saber-rattlers in Congress, Obama stated “we are surely at war . . .”  But a war should be against some tangible objective, over a limited amount of time, and it should require the mobilization of massive resources and the will of the population to prosecute it.  In this case, we are (by the Bush Administration’s calculus) really at war with Islamic populations world-wide.  Do we mean to do this?  Do we want to, if we can help it?

No, I submit we are NOT at war, not in any meaningful sense of the word.  We are not out to defeat Islam, or Pakistan, or whatever.  What would our objective be, then, defeat Osama bin Laden?  That’s pretty pathetic, and probably pretty unlikely, too.  It may sound stirring, I guess, to talk about being “at war,” but thinking that this business will resolve itself the way World War II did, with the utter defeat of the enemies, is just delusional.  Remember, the Japanese populations were eating the bark off of trees to live near the end of that war.  Are we willing to do this to the Islamic population of Pakistan?  Or Indonesia?  Are we really?  If we are, believe me our current strategies won’t take us there, not by a long shot.

No, I think we’re really trying to deal with mainly extra-governmental entities (think: al Qaeda) who are religious fanatics with an agenda against the West, and specifically the US as a proxy for the whole West.  They infest places with weak or minimal governments, and reach out to strike at their presumed enemies.  They are going to be plotting against us for a long time and we’re going to have to devise ways to restrict their actions and blunt their blows, but they’re always, like cells waiting to become cancerous, sitting there looking for an opening.  And unless we’re willing to utterly destroy the countries that harbor them, really destroy them and much of their civilian populations, military action is the wrong tool.

I don’t have a perfect solution to this, but I do know that stopping maniacs from carrying out terroristic actions will require something much more like police work than anything military.  It will require tracking people and their behavior, using little clues to home in on individuals before they make it to the airport with their bomb or their gun.  This isn’t as glamorous as sending in the Marines, but it will be, in the long run, much more effective against these guys.

And of course we could figure out what we’re doing to create all these Islamic terrorists and stop doing that at least for a while.

Maureen Dowd in the Times said it the best in a recent editorial:

If we can’t catch a Nigerian with a powerful explosive powder in his oddly feminine-looking underpants and a syringe full of acid, a man whose own father had alerted the U.S. Embassy in Nigeria, a traveler whose ticket was paid for in cash and who didn’t check bags, whose visa renewal had been denied by the British, who had studied Arabic in Al Qaeda sanctuary Yemen, whose name was on a counterterrorism watch list, who can we catch?

Seems oddly like the recent White House Party Crashers, when in spite of the mission of protecting our President, the Secret Service failed, and no one has been held accountable — i.e. fired.  I suspect that in this case, no one will either, because the charge of “systemic failure” spreads the responsibility around too far and too thin, so in the end, we just keep right on rolling along.

Except of course for the usual “locking the barn door” reaction by TSA.  Just as post-Richard-Reid, we all dutifully take off our shoes at the security checkpoints, 60 million people a year uselessly inconvenienced because of one failed terrorist attempt, now will we be taking off our pants for them?  And so, international travelers (only) will not be able to use the rest room in the last hour, or have a book or magazine in their laps?  This stuff doesn’t protect us, it just costs us.

And then, the next idea is millimeter-wavelength or backscatter x-ray machines to do full-body scans.  Just for the record, the potential for these images to be captured and disseminated to perverts and voyeurs is virtually 100%.  Please — the images that have been released to the press to show how these machines don’t really invade your privacy have had the genitals blocked out, which, folks, they won’t be when the machines are actually in use.

This reminds me of my time as a systems consultant to manufacturers.  One of the mantras we preached was “you can’t inspect-in quality, you have to build it in” and that’s the case here.  Trying to catch terrorists at an airport checkpoint, or worse yet at the gate, is just trying to inspect-in quality.  Per the quote above, you need to find them before they get to the gate.

I can only hope beyond hope that there will be some severe accountability for these verminiferous party crashers getting f2f with the President.  Hopefully the entire crew at the gate that let them in will get sacked, followed by Mark J. Sullivan, the head of the Secret Service, submitting his own resignation.  This may seem to be a funny incident, but in the light of Ft. Hood, and of the execution of the four police officers in Tacoma, it’s not at all funny.

And what lowlifes these crashers are!  Read their life histories — they are complete and utter frauds, liars, duckspitters, and societal leeches whose lives revolve around pretending to be everything they’re not.  I guess if you have no self-respect, nothing is too outrageous for you.  And people like this were able to talk their way in, regardless of no invitation.

Which gets us back to the concept of removing the incompetents who let them in.  Please, folks, there needs to be some accountability going down here.  They could have had sarin.  If the President and the Veep aren’t enough exposure, how about a foreign head of state?  Sheesh.

Just an update for those who have assured me that the Prius “would never last” or “would blow up” or whatever.

138,000 miles and counting, doubters, and finally I have had to put on new brakes.  Remember the regenerative braking?  All that stopping power has just gone into the generator.  Hence, the pads don’t get used until about 15 MPH.  Also, some people have told me that the battery would start failing long before now and my mileage would tank.  Right now, in 70-degree Minnesota weather (what’s passing for summer this year), I’m showing 52.4 MPG pretty consistently in my normal driving cycle.  That’s even better than my motorcycle.

So, as the sticker in my back window shows, “Eat My Voltage.”

Several people have asked me to describe how I would go about building a sensible home network that would be highly functional, inexpensive, and teach them a bunch about networking technologies while they did it.  Since this is a very do-able project and has several real benefits, I’ve decided to take it on.  So I’ll be writing a few posts to walk you through the process; it’s easier than you might think but of course it can always be made easier, and I’ll try to do that.

What I’ll describe is modular — you can do all of it, or a part of it, depending on your interests.  This isn’t the easiest way to bring the Internet into your home, because I’m assuming that you’d like to learn how things really work.  But follow this through, and you’ll end up with an industrial-strength bastioned network that looks like it belongs in a company.  And, it’ll be (relatively) cheap.  And I promise, (relatively) easy.

We’ll be using almost exclusively open-source software, relatively generic PCs of whatever vintage you can afford, and some cheap networking components like switches from Best Buy or whoever.  You’ll be running things like Ubuntu Linux, an Astaro firewall, the famous Apache web server (which powers over half the websites on the Internet), the Postfix mail server, and the Bind DNS server.  Cool stuff!

Why do this?  Here’s what the typical “home network” looks like, out of the box:

Not very exciting, nor capable, and actually not very secure as the “firewall” generally blocks incoming traffic but allows rather promiscuous outgoing connections, thus restricting almost nothing, and has no attack detection and prevention beyond blocking “ping of death” and the like attacks.  Plus, of course, the router / AP / firewall is also handling DHCP, DNS caching, and all manner of other things, so if it gets penetrated, everything’s there, you’re toast.

What things will look like when we’re through with our efforts will be like this:

The key here is that the Serious Firewall Gateway will really let you get granular about which machines in your network get to do what, and to mount some industrial-strength penetration-protection, and by having a DMZ port on that machine you can separate the Internet-facing machine, your web server and mail server, from your internal network.

And on the logical inside, you can have a small server supporting shared files, a caching DNS server, DHCP, shared printing, and whatever else suits your fancy.
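The difference between the two layouts described above can be checked as a flow matrix: which new connections each gateway would let through. This is an added example, not the author's configuration and not Astaro rule syntax; the subnets, host addresses and both rule sets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample hosts (assumptions, not from the post)
LAN_PC = "192.168.10.50"    # family PC on the inside
FILE_SRV = "192.168.10.2"   # inside server: shared files, caching DNS, DHCP
DMZ_SRV = "192.168.20.10"   # Internet-facing web and mail server
INET = "203.0.113.25"       # some outside host (documentation address range)

@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:                  # an allow rule; anything unmatched is dropped
    src_zone: str
    dst_zone: str
    proto: str = "any"
    dports: Optional[frozenset] = None   # None means any port
    src_host: Optional[str] = None
    dst_host: Optional[str] = None

class Gateway:
    """Allow list with default drop, judged on the first packet of a connection
    (replies to accepted connections are assumed to be tracked statefully)."""
    def __init__(self, zones, rules):
        self.zones = [(ip_network(net), zone) for net, zone in zones.items()]
        self.rules = rules

    def zone_of(self, addr):
        ip = ip_address(addr)
        for net, zone in self.zones:
            if ip in net:
                return zone
        return "wan"

    def decide(self, f):
        sz, dz = self.zone_of(f.src), self.zone_of(f.dst)
        if sz == dz:
            return "accept"  # same segment: switched, never crosses the gateway
        for r in self.rules:
            if (r.src_zone == sz and r.dst_zone == dz
                    and r.proto in ("any", f.proto)
                    and (r.dports is None or f.dport in r.dports)
                    and (r.src_host is None or r.src_host == f.src)
                    and (r.dst_host is None or r.dst_host == f.dst)):
                return "accept"
        return "drop"

def ports(*p):
    return frozenset(p)

# Out-of-the-box router: one flat inside network, everything outbound allowed,
# plus an assumed port-forward so the home server is reachable at all.
OUT_OF_BOX = Gateway({"192.168.0.0/16": "lan"}, [
    Rule("lan", "wan"),
    Rule("wan", "lan", "tcp", ports(25, 80, 443), dst_host=DMZ_SRV),
])

# Three-legged firewall: WAN, LAN and DMZ ports, default deny between them.
BASTIONED = Gateway({"192.168.10.0/24": "lan", "192.168.20.0/24": "dmz"}, [
    Rule("wan", "dmz", "tcp", ports(25, 80, 443), dst_host=DMZ_SRV),
    Rule("lan", "wan", "tcp", ports(80, 443)),
    Rule("lan", "wan", "any", ports(53), src_host=FILE_SRV),  # only the caching DNS server
    Rule("lan", "dmz", "tcp", ports(22, 25, 80, 443)),
    Rule("dmz", "wan", "tcp", ports(25), src_host=DMZ_SRV),   # outbound mail delivery
    Rule("dmz", "wan", "any", ports(53), src_host=DMZ_SRV),
    # no dmz -> lan rule: the Internet-facing box cannot open connections inward
])

FLOWS = [  # constructed test flows
    Flow("visitor reaches web server", INET, DMZ_SRV, "tcp", 443),
    Flow("PC browses the web", LAN_PC, INET, "tcp", 443),
    Flow("PC sends mail straight to the Internet", LAN_PC, INET, "tcp", 25),
    Flow("PC bypasses the internal DNS server", LAN_PC, INET, "udp", 53),
    Flow("web server opens the file share", DMZ_SRV, FILE_SRV, "tcp", 445),
    Flow("outsider opens the file share", INET, FILE_SRV, "tcp", 445),
    Flow("mail server delivers outbound mail", DMZ_SRV, INET, "tcp", 25),
]

def flow_matrix():
    return [(f.label, OUT_OF_BOX.decide(f), BASTIONED.decide(f)) for f in FLOWS]

def tightened():
    """Flows the flat network permits and the three-legged design drops."""
    return [label for label, flat, strict in flow_matrix()
            if flat == "accept" and strict == "drop"]

if __name__ == "__main__":
    for label, flat, strict in flow_matrix():
        print(f"{label:42} out-of-box={flat:6} bastioned={strict}")
```

The three flows reported by `tightened()` are the ones that matter if a machine is ever infected: direct outbound mail, DNS that bypasses the internal resolver, and a path from the Internet-facing server to the inside file share.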

Hardware

You will have to buy a few things.  There are three PCs, plus one or two little Linksys or whatever 4-port switches, and some wire.  The switch might also be your access point (AP) for the wireless access.  The modem will be furnished by your ISP.

The PCs need not be particularly powerful or have double-oodles of disk space, necessarily.  Relatively generic grey boxes will do, I’ve used Compaq Pentium 3s and Dell Pentium 4s with clock speeds ranging from 700 MHz to 2.8 GHz.  The biggest disks should go on the shared-file server, the fastest machine should be the firewall machine, and the web / mail server can be surprisingly light.  All this stuff is available on eBay or from the Dell factory store.  Newer desktop PCs in the $500 price range work just fine.  If you can spring for a real server with RAID-5 and so on, how much the better.  But they’re not all that necessary.

A Domain Name

Before you do anything else, get yourself a domain name, like joedoaks.com or the like.  Register it through GoDaddy, very straightforward and $10 / year.  For a setup like this, you deserve your own domain!

What you should already know and have

I’m kind of assuming you already know a little about TCP/IP, DNS, and the rudiments of Internet technology.  But part of this exercise is to help you learn more, so just brief yourself on the basics and you’ll be ready to go.  So, you probably have your personal PC and some way to connect to the Internet.  The first thing we’ll do is build a better firewall, so go shopping for that machine first.  This machine needs to be fairly fast, have as much memory as you can afford, but probably doesn’t need more than 30 GB of disk space.  AND, importantly, it needs to have expansion slots where you can put in two more LAN cards, this is a must.

More in the next installment, where we’ll build the firewall on this machine.

I’ve written a series on Internet malware (see the tags), during which I’ve gotten progressively more pessimistic about the state of the Internet as regards increasingly aggressive malware infections. I’m concluding that people aren’t worried enough about what their computer is up to behind their back. But now I want to spend a moment debunking at the other end of the scale — the currently received wisdom that our kids are at the mercy of Internet-based pedophiles, molesters, rapists, and kidnappers. If you have a short attention span, here’s the answer: they aren’t in any such danger, and they’re skillful enough to defend themselves from these vermin with no difficulty.

Now, part of the reason for this is that today’s younger generation, and I’m talking about kids from 10 to young adults of 25 or so, have an Internet-mediated life that is unbelievably rich and varied, and which they control and manage with considerable skill. If you’re a parent, and you email, fine, but they are light-years ahead of you. They consider email rather dull and lifeless; they text-message with their camera cell phones, they use services like Twitter to broadcast what they’re up to, they forward pictures back and forth from computer to cell phone and back, they have websites and (more importantly) FaceBook sites, they instant message with each other from a variety of devices . . . the list goes on and is actually evolving and expanding as we sit here. And you, who think email is pretty exciting, are going to be able to assess risk for them, and control the situation? Do you Tweet? Come back and see me when you do.

Are they going to be willing to give this rich social environment up because there are a few creeps out there? They are not. At the upper end of this age spectrum, these facilities help kids keep in touch when they go off to college, and then when they graduate, as they again disperse to go find jobs. These kids are keeping in touch on a daily basis, around the world, around the clock, and they love it. At the bottom end, 10 and 11-year-olds far from retreating into their computers, are richening their social environment via the Internet as we used to do, in the days of the ancients, by telephone after school. But they keep it up at their brother’s sports practices, while shopping with their parents, and even right in movies.  They’re glued into multiple social contexts and they shift back and forth instantly.

And at all ages, they experiment with their “selves.”  Here in meatspace, where we are only who we are, we can’t escape ourselves.  But online, kids can, if they’re clever, reinvent themselves — kids make themselves older, or boys try being girls and vice-versa, or pretend to be very much cooler than they are, convince others that they’re really brainiacs interested in chess . . .  without having to really be that, or carry it off in real life.  What’s so bad about that?  Just another kind of growing up, I would say.

I think most studies have shown that kids who run off and meet unknown people they’ve come in contact with over the Internet are kids who are already engaging in risky or even self-destructive behavior in real life — the real world drives their Internet behavior, not the other way around.

So buck up.  Basically, until you are enrolled in Twitter, it’s your kids who are going to be protecting YOU online.
